Restricting an account for domain use
Hello,
We would like to create a domain account with the exception that this "account" called "Sample" would only have the ability to make administrative changes on desktops in the domain; but no changes to any of the member servers that are part of the domain.
Is there a simple yet secure method to accomplish this task?
Looking forward to your response(s).
September 26th, 2010 6:06pm
Hi,
One option is that you can create two OUs in the domain, and move all desktop objects to one OU and all member server objects to the other. After that, you can create a GPO linked only to the OU where all desktop objects are located and add the "account" to the local Administrators group on the desktops by configuring Restricted Groups group policy or GPP.
Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301/en-us
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 26th, 2010 10:12pm
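The OU and GPO layout suggested in the reply above, sketched in PowerShell as an added example that is not part of the original thread. The domain DN, OU names, GPO name and host names are assumptions, as is the starting point that computer accounts still sit in the default Computers container; "Sample" is the account name from the question.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumed values, not from the thread: domain DN, OU names, GPO name.
$domainDn  = 'DC=example,DC=com'
$desktopOu = "OU=Desktops,$domainDn"
$serverOu  = "OU=Member Servers,$domainDn"
$gpoName   = 'Desktops - Local Administrators'

New-ADOrganizationalUnit -Name 'Desktops' -Path $domainDn
New-ADOrganizationalUnit -Name 'Member Servers' -Path $domainDn

# Sort computer accounts out of the default Computers container by OS.
# Accounts with no OperatingSystem value are left in place and reported,
# so an unidentified server never lands in the desktop OU by default.
$unsorted = @()
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -Properties OperatingSystem |
    ForEach-Object {
        if (-not $_.OperatingSystem) { $unsorted += $_.Name; return }
        $target = if ($_.OperatingSystem -like '*Server*') { $serverOu } else { $desktopOu }
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $target
    }
if ($unsorted) { Write-Warning "Not moved (no OS recorded): $($unsorted -join ', ')" }

# Create the GPO and link it to the desktop OU only. The Restricted Groups
# (or GPP Local Users and Groups) entry itself is set in the GPO editor.
# "Members of this group" on Administrators replaces the existing local
# membership, so list every account that must stay an administrator.
New-GPO -Name $gpoName | New-GPLink -Target $desktopOu

# Check after policy refresh: is the account a direct member of a
# machine's local Administrators group? Nested membership through a
# domain group is not expanded here.
function Test-LocalAdminMember {
    param([string]$ComputerName, [string]$Account)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $names = @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    return ($names -contains $Account)
}

# 'DESKTOP01' and 'SERVER01' are hypothetical host names.
Test-LocalAdminMember -ComputerName 'DESKTOP01' -Account 'Sample'
Test-LocalAdminMember -ComputerName 'SERVER01'  -Account 'Sample'
```

The check only confirms the intended split if "Sample" is not also a member of a domain group, such as Domain Admins, that is already a local administrator on the member servers.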
Hi,
How's everything going? I'd like to check if the suggestion has helped. If you need further assistance, please feel free to respond back.
Thanks.
October 8th, 2010 12:07am
Hi,
Sorry for asking a question in this thread. Could not find the option to create a new thread.
This is somewhat related to the same area.
Background:
We have been asked to evaluate an agentless server monitoring tool.
However, it uses WMI command to retrieve information and pass it on to the monitoring tool server.
To test, we have asked the Server team to provide a list of around 50 servers (test and production). However, they are unwilling to share user credentials as WMI requires the same to execute it.
Question
Is there any way we can create a domain user / only on those servers with permissions to execute only the WMI command?
Regards
Ramgopal
Thanks & Regards Ram
October 8th, 2010 3:27am


