Setting up Temporary Admin Account - Need to Audit
We have a consultant starting work for us. He will need access to a domain controller, AD, Print Server - I need to be able to track/audit where the consultant logs in and what he does - what are the minimum permissions he needs to log in? Do I have to add this account to the Domain Admin group?
How can I set up auditing on the account to keep a record of what actions are taken - all privileged actions?
Thanks - sJMP
August 16th, 2011 3:04pm
First, do not add this user to the domain admin group; just grant the permissions the user needs. To audit this account, read this:
http://www.windowsecurity.com/articles/auditing-user-accounts.html
August 17th, 2011 8:04pm
Does anyone have any suggestions? Want to track when this account logs on/off, and what they do.
thanks,
SJMP
August 30th, 2011 3:49pm
It's NOT POSSIBLE to track exactly what a user is doing.
To enable Logon/Logoff audit, go to Domain Controller Security Policy -> Local Policies -> Audit Policy. Then, configure the Security Event Log size and check that log for logon events.
To configure permissions for a standard user to log on to a domain controller, check the User Rights group policy node. Configure the Allow Logon Locally user right. Never assign Domain Admins group membership to users that are not Domain admins.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
August 30th, 2011 8:04pm
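Once logon/logoff auditing is enabled as the reply above describes, the Security log can be filtered down to a single account. The PowerShell below is an added example, not part of the original thread; the account name `consultant01` and the seven-day window are placeholders, and the event IDs are the standard logon/logoff IDs on Windows Server 2008 and later.

```powershell
# Assumption: 'consultant01' is a placeholder for the temporary account's logon name.
$Account = 'consultant01'
$Since   = (Get-Date).AddDays(-7)

# 4624 = logon, 4634 = logoff, 4647 = user-initiated logoff,
# 4672 = special privileges assigned to a new logon (admin-equivalent session)
$Ids = 4624, 4634, 4647, 4672

# 4672 records the account under Subject*, the other three under Target*.
$NameField = @{ 4624 = 'TargetUserName'; 4634 = 'TargetUserName'
                4647 = 'TargetUserName'; 4672 = 'SubjectUserName' }

# Reading the Security log requires an elevated session.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $xml  = [xml]$evt.ToXml()

        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Skip events that belong to other accounts.
        if ($data[$NameField[$evt.Id]] -ne $Account) { return }

        $logonId = if ($evt.Id -eq 4672) { $data['SubjectLogonId'] }
                   else                  { $data['TargetLogonId'] }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            EventId   = $evt.Id
            Computer  = $evt.MachineName
            LogonType = $data['LogonType']   # 2 = interactive, 3 = network, 10 = RDP
            SourceIp  = $data['IpAddress']   # only present on 4624
            LogonId   = $logonId             # ties a logon to its logoff and to 4672
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The Security log is local to each machine, so run this on every server the account is allowed to log on to (or pass `-ComputerName` to `Get-WinEvent`). Matching `LogonId` values pair each logon with its logoff and show which sessions received elevated privileges.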


