I'm wanting to give my computer technician a little more access and grant him permissions to create and edit users in AD. I know this isn't difficult to do, however I don't want him to be able to add users do the schema group, or exchange admin group, or domain admin group, etc..
Do I just deny access for him to these specific power groups? Or can I make a group with all the power groups within and deny access to that?
Now I can't be the only one who has come across this. So what solutions has everyone else come up with to allow some access, but not total destruction access?
Thanks!
↧
Give helpdesk tech AD permissions
↧