desktop level support

[Guest]

hi!

We're expecting a IT Tech to join us soon. He'll only be doing
desktop/client OS support. My question is what is the best access-right that
i can give, so that he can carried out his support task, without giving him
full administrative right(especially to the servers)? He'll probably need to
join domain for the clients, install Norton corporate edition(managed), and
client level administrative right of course.

Any idea, what's the best option? Thks!

 

[Steven L Umbach]

You can delegate any domain user the right to add workstations to the
domain. If you select the domain and right click you will see the option to
delegate. You can also do this at the OU level where the user will need the
permissions to create computer objects. You can also add his domain account
to the local administrators group on domain computers that you want him to
have administrator powers. That can be done via a Group Policy startup
script with the net localgroup command or the use of Restricted Groups at
the Organizational Unit [NOT domain or you will add to administrators group
for the domain!!] level. Assuming your computers are SP4 you can user
Restricted Groups with the "member of" option. You could then create a
domain global group and make it a "member of" administrators. Then add the
domain users you want to that group to be administrators of domain
computers. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp
--- Restricted Groups
http://www.microsoft.com/technet/pr...ctory/activedirectory/stepbystep/ctrlwiz.mspx -
-- delgation.