
My apologies if this has been asked before. If I knew the proper search terms then google would be more effective.

I would like to add a user that can join computers to the domain, Install software and printers on User Computers, maybe even change user passwords.

Is there something like a helpdesk role that can do this but can be restricted to staying out of servers and specific folders on the network (eg Payroll)?

Any help appreciated. Thank you.

Jimmy
    You might be looking at a few different, but related, options: Delegation of control, Restricted Groups, group-based NTFS permissions and privilege separation. Someone will probably knock together a good answer, but those terms may be helpful for your searches. – jscott Oct 28 '14 at 15:42

1 Answer


You're looking for Delegation of Control in Active Directory (AD) to grant your "IT Helper" access to perform limited administrative operations in AD. This functionality is very flexible, and I'd recommend you do some reading and make up some test scenarios to become familiar. The specific steps for delegating rights to join computers to a domain are outlined in KB932455. You can delegate a heck of a lot more, though.

For client computer access, you're probably talking about selectively granting membership to the local "Administrators" group to your "IT Helper". (It's necessary that they be in the local "Administrators" group to be able to install software.) The Restricted Groups functionality of Group Policy can do this. This functionality allows you to "nest" a group from your domain into a local group on client computers. By deploying a Restricted Groups policy in a Group Policy Object (GPO) linked to an Organizational Unit (OU) where your client computers are located you could cause the domain "IT Helpers" group to be automatically added to the "Administrators" groups on all the computers to which the GPO applies.

Any delegations you perform should always be to groups, and not to individual users. Even if you only have one "IT Helper" user right now you should use groups to "future proof" your work.

Both of these functions rely on your AD having a reasonable design. If, for example, all your client computers are in a single Organizational Unit and you want to restrict the "IT Helpers" to being "Administrators" of only a subset of the client computers then you're going to have a tougher time fulfilling that requirement. If your client computers are organized by OU, being able to link GPOs that cover the computers selectively is easier. The same holds true for delegating control on OU hierarchies.

You should read up on AD design principles to learn how you can make your AD work well for your delegation needs:

Some of my own bloviation:

Evan Anderson
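The delegation step of the answer above, as an added PowerShell example that is not part of the original post: it grants the join-computers rights described in KB932455 to a group (never a user) on a single OU, so the group gains nothing over servers, users or other OUs. The group name "IT Helpers", the OU path and the domain are placeholder assumptions; it needs the RSAT ActiveDirectory module and Domain Admin rights.

```powershell
# Added example, not the answer's own code. Placeholders: group name, OU, domain.
Import-Module ActiveDirectory

$GroupName = 'IT Helpers'
$TargetOu  = 'OU=Workstations,DC=example,DC=com'   # assumed OU holding client computers

# 1. Delegate to a group, never to an individual user.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
$sid = $group.SID

# Well-known AD schema GUIDs (from the default schema, not constructed).
$computerClass   = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$resetPassword   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right
$validatedDns    = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # Validated write to DNS host name
$validatedSpn    = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated write to SPN
$accountRestrict = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # Account Restrictions property set

$acl   = Get-Acl -Path "AD:\$TargetOu"
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# 2. Create Computer objects in this OU and its sub-OUs only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild', $Allow, $computerClass, $Inh::All)))

# 3. Rights on the computer objects themselves, limited by inherited object type to
#    computer objects, so the ACEs never apply to user or group objects in the OU.
foreach ($r in @(
        @{ Type = 'ExtendedRight'; Guid = $resetPassword },
        @{ Type = 'Self';          Guid = $validatedDns },     # 'Self' = validated write
        @{ Type = 'Self';          Guid = $validatedSpn },
        @{ Type = 'WriteProperty'; Guid = $accountRestrict })) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $r.Type, $Allow, $r.Guid, $Inh::Descendents, $computerClass)))
}
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# 4. Verify: show only the ACEs granted to the group, so you can confirm the scope.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The local "Administrators" membership on client computers is still done separately through a Restricted Groups setting in a GPO linked to the same OU, as the answer describes.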