create support admin user

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

How do I make someone an admin but take away their rights to making changes
within Active Directory? I would like to give a support user the ability to
logon to Domain Controllers to troubleshoot DHCP, DNS and some applications
that run on the server, but I do not want them to have the ability to make
changes to Active Directory (create or delete OUs, delete admins etc).

Thanks
dhodgkins61@comcast.net

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Any user can be given the right to logon to a domain controller by
configuring the "logon locally" user right in Domain Controller Security
Policy. Then you can add the user to privileged groups shown in Active
Directory Users and Computers such as DHCP administrators and DnsAdmins. As
far as troubleshooting applications they will have limited ability without
being an administrator but you can test that out to see if it suits your
needs by using privileged groups. Server operators is another group that you
may consider that will give the user more power but the user can then create
and delete shares but will not be able to create/delete OU's or manage
administrator accounts. --- Steve


"DebraH" <DebraH@discussions.microsoft.com> wrote in message
news:E8501DBE-5CD5-4726-9FCF-A1A099473F7B@microsoft.com...
> How do I make someone an admin but take away their rights to making
> changes
> within Active Directory? I would like to give a support user the ability
> to
> logon to Domain Controllers to troubleshoot DHCP, DNS and some
> applications
> that run on the server, but I do not want them to have the ability to make
> changes to Active Directory (create or delete OUs, delete admins etc).
>
> Thanks
> dhodgkins61@comcast.net
>