How to create a limited "domain admin" that does not have access to domain controllers?

I'm looking to create an account similar to a Domain Admin, but without access to domain controllers. In other words, this account will have full Administrator rights to any client machine in the domain, be able to add machines to the domain, but have only limited user rights to the servers.

This account will be used by a person in an end-user tech support kind of role. They should have full access to client machines for installing drivers, applications, etc... but I don't want them on the servers.

While I could probably throw something together myself via policy, it'll probably be messy so I figured I should ask: What's the proper way to go about this?


Solution 1:

We do something similar to this in our remote offices. First, create a group for the pseudo-admins in the domain. In AD, delegate control to the OUs they may need to manage (create/delete accounts, or maybe just reset passwords, or nothing at all).

Then use Group Policy to add your group to the local administrators group on the workstations and servers using Computer\Windows Settings\Security Settings\Restricted Groups. Do not deploy this policy to the Domain Controllers OU or the OUs containing your servers.

This obviously depends on having AD configured in a manner that separates the client systems from the servers.
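The group-creation, GPO-linking and scope-check steps from this answer in PowerShell, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory and GroupPolicy modules and constructed placeholder names (Workstations, Servers and Groups OUs, the group Workstation-Admins, the GPO Workstation Local Admins); the Restricted Groups entry itself has no cmdlet and is still set in the Group Policy Management Editor afterwards.

```powershell
# Added example; placeholder OU, group and GPO names are constructed for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN      = (Get-ADDomain).DistinguishedName
$workstationOU = "OU=Workstations,$domainDN"
$protectedOUs  = @("OU=Domain Controllers,$domainDN", "OU=Servers,$domainDN")
$groupName     = "Workstation-Admins"
$gpoName       = "Workstation Local Admins"

# 1. The pseudo-admin group. It is deliberately NOT nested in Domain Admins.
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,$domainDN" -PassThru

# 2. The GPO that will carry the Restricted Groups setting. In the editor, under
#    Computer Configuration > Windows Settings > Security Settings > Restricted Groups,
#    add $groupName and use "This group is a member of: Administrators"; that appends
#    to the local Administrators group, whereas "Members of this group" on
#    Administrators would replace its existing membership.
$gpo = New-GPO -Name $gpoName -Comment "Local admin rights for desktop support on workstations only"

# 3. Link it to the workstation OU only, never to the domain root, the DC OU or server OUs.
New-GPLink -Name $gpoName -Target $workstationOU -LinkEnabled Yes | Out-Null

# 4. Check: no protected OU should receive this GPO, directly or by inheritance.
foreach ($ou in $protectedOUs) {
    $reaching = (Get-GPInheritance -Target $ou).InheritedGpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if ($reaching) { Write-Warning "$gpoName reaches $ou - remove that link" }
    else           { Write-Host    "OK: $gpoName does not apply to $ou" }
}

# 5. Check: the new group must not be a direct member of a privileged domain group.
$privileged = @("Domain Admins", "Enterprise Admins", "Administrators")
$parents = Get-ADPrincipalGroupMembership -Identity $group | Select-Object -ExpandProperty Name
foreach ($p in $privileged) {
    if ($parents -contains $p) { Write-Warning "$groupName is a member of $p - that defeats the purpose" }
}
```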

Solution 2:

As we move forward into Active Directory environments where UAC is a standard feature, you will also have to take that into account.

By default only the local Administrator account and members of Domain Admins get automatic elevation, and this is needed for many things (connecting to remote admin shares is one; apparently it's an issue with configuring MSMQ and NLB also, and I'm sure there are others), so simply placing a new group into the local Administrators account may not be sufficient.

To get around this you have to modify the "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" security policy under Local Policies, Local Security Settings and set the value to "No Prompt". Hopefully Microsoft will come up with a more targeted way of doing this in future (or fix the edge cases where the required approval prompt goes AWOL).

Solution 3:

Try this. It's the easiest way I've found so far: http://technet.microsoft.com/en-us/library/cc756087(v=WS.10).aspx

Essentially, right-click on the 'COMPUTERS' folder in AD and select 'Delegate Control'. Follow the wizard. Works in all server versions.