AD User Account Permissions help needed Please

[deca300]

Hey guys

I'm hoping that someone here can help me.

I have this intern IT guy, and want to give him permissions to only do the following:

Reset passwords, unlocked accounts, install software on client PC's.

I do not want to make him domain admin.

The Clients PC's are locked down.

Which groups would he need to log in with his account and installs software add printers, map drives, and as mentioned above, reset accounts and few basic permissions..

Do I just add him to certain groups? or can I create an OU(with group policy forcing settings to it) Where all users inside inherit there permissions?


Thank you for any help.

 

[grim]

You can delegate permissions in AD for him to reset passwords and unlock accounts on whichever OUs you want to

To install software he will need local admin rights to the users machines, for that you can create a group policy with the Restricted Groups setting to include either his account or a group which will then automatically be local admin on all machines that policy applies to.

 

[irBosOtter]

Like Grim said.
Right-click on domain name in AD (or container that you ant to apply the permissions) and select "Delegate Control" and follow instructions. But maybe create a group first, call it DesktopSupport or something, then add the intern into that group. Delegate control on that group, so that when the intern leaves, or you get another one, just remove/add him/her to the group.

Then use GPO to add that group to the local Administrators group on all the PC's in your domain. The GPO will have to be applied to a container where your pc's are in. Don't apply it to the whole domain or else he will be admin on servers as well, you only want him to be admin on pc's

 

[deca300]

Hi guys

Thank you so much for the help! I have done this and its working perfectly!! awesome!! thanks again