Solved Active Directory Server 2008 limited admin (for helpdesk)

February 6, 2014 at 07:16:11
Specs: server 2008
I'm looking to create an account similar to a Domain Admin, but without access to domain controllers. In other words, this account will have full Administrator rights to any client machine in the domain, be able to add machines to the domain, but have only limited user rights to the servers.

This account will be used by a person in an end-user tech support kind of role. They should have full access to client machines for installing drivers, applications, etc... but I don't want them on the servers.

While I could probably throw something together myself via policy, it'll probably be messy so I figured I should ask: What's the proper way to go about this?


February 6, 2014 at 08:05:58
✔ Best Answer
Actually, Group Policy is pretty much the way to do this. Make a global group containing all of the people you want to grant admin access, separate out the workstations from the servers, and have a group policy applied to the workstations that adds that group to its local Administrators account. Make sure the global group has write access to the workstation OUs, so that they can add/remove machines as needed.

How To Ask Questions The Smart Way
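
The steps in the answer above, as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory and GroupPolicy modules are available (Server 2008 R2 or RSAT); the domain `example.com`, the OU, group and GPO names are all made up for illustration. The delegation here is deliberately narrower than general write access: it grants only create/delete of computer objects in the workstation OU.

```powershell
# Added example. Every name below (domain, OU, group, GPO) is an assumed placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = 'DC=example,DC=com'              # assumed domain
$wsOuDn    = "OU=Workstations,$domainDn"      # assumed OU that holds client machines only
$groupName = 'Helpdesk-WorkstationAdmins'     # assumed global group for the helpdesk staff
$gpoName   = 'Workstations - Local Admins'    # assumed GPO name

# 1. Keep workstations in their own OU so the policy never reaches servers or DCs.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$wsOuDn'")) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn
}

# 2. Global security group containing the people who get workstation admin rights.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
            -Path "CN=Users,$domainDn"

# 3. Delegate create (CC) and delete (DC) of computer objects on the workstation OU
#    and its sub-OUs (/I:T), so the group can add and remove machines there.
dsacls $wsOuDn /I:T /G "EXAMPLE\${groupName}:CCDC;computer"

# 4. Create the GPO and link it to the workstation OU only.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $wsOuDn | Out-Null
#    The group-to-local-Administrators mapping is then set in the GPO editor under
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Restricted Groups: add the helpdesk group and use "This group is a member of"
#    with Administrators, which adds it without replacing existing members.

# 5. Checks. Both should return nothing.
#    a) The helpdesk group is not directly nested in a domain-wide privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
Get-ADPrincipalGroupMembership -Identity $groupName |
    Where-Object { $privileged -contains $_.Name }

#    b) The GPO is not applied, directly or by inheritance, to the domain controllers.
(Get-GPInheritance -Target "OU=Domain Controllers,$domainDn").InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
```

On a workstation, `gpupdate /force` followed by `net localgroup Administrators` shows whether the group has been added; the same command on a server should not list it.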
