RE: local admin/ domain admin

["Smith, Ryan" <rsmith () cff org>]

Hi Sohail,

Based off the brief description of what you are trying to accomplish,
you can do this via Delegation.  Basically create a group and stuff all
of your helpdesk personal into that group then delegate the OU that has
all of your users and/or machine accounts to the group that you created
for your helpdesk.  For a more detailed answer take look at the
following link: 

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technolog
ies/directory/activedirectory/stepbystep/ctrlwiz.mspx

HTH,

Ryan

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Sohail Sarwar
Sent: Tuesday, March 06, 2007 1:33 PM
To: WALI; security-basics () securityfocus com
Subject: local admin/ domain admin

Hi Guys,

        I want to create an administrator account on the domain for my
helpdesk persons.  I basically want them to only add machines to the
domain, and add user accounts for new employees with the option to
change their passwords.  Basically, I want do not want to give them the
administrators password.. and control what be done potentially and
accidentally...  Can some one assist and let me know how I can do that?
Or provide me the procedures.  Any guidance would be great!

Regards,
Sohail