Limit Administrator Privilege
Hi,
My company was using AD2003. We located a DC (including DHCP and DNS) at a remote site office. Recently, my company signed up for a support service from a service provider. They should have privileges for installing software on site computers and managing DHCP and DNS, but cannot change any AD settings. The only solution I have is to create a normal account and add it to the local Administrators group of the computer.
Is there any better solution?
Thanks
Ray
December 4th, 2008 6:58pm
You should not add the account assigned to the service provider to the DC's administrators, as this effectively gives that account domain administrator privileges (which runs counter to your requirement that they should not have rights to change AD settings). I suggest you get a new server for the remote site, move all applications and services (except AD) that this service provider needs to it, and then add the SP's account to the local administrators group of this new server.
Regards,
Salvador Manaois III
MCITP | Server/Enterprise Administrator
MCSE MCSA MCTS CE|H CIWA
Bytes & Badz: http://badzmanaois.blogspot.com
December 5th, 2008 6:42am
Hello. If they require administrative rights to a group of computers, you should create an OU to store those computers and grant them access to this OU. As for DNS and DHCP, there are two built-in groups called DHCP Administrators and DNSAdmins that grant privileges to those services respectively. You should think about migrating these services to a separate server from the Domain Controller. Also, you can grant permissions to the services specifically through the DNS console and DHCP console by right-clicking on the server name and selecting the Security tab. This will let you apply more restrictive permissions.
December 11th, 2008 7:21pm
Domain Controllers are a group apart; the permissions go beyond those of a local administrator; these are effectively network administrators. I can't exactly say what you could/should do; your question seems vague to me. If I understand correctly, you should not give local administrative permissions to remotely connected users.
Information is the most valuable commodity I know of.
December 12th, 2008 5:36pm
I see. Thank you, everybody. I got more ideas from your comments.
December 12th, 2008 6:57pm


