User Account to perform specific jobs
We need to create a domain-based user account in Windows 2008 Active Directory with these specific requirements:
1. Must not be administrator account or member of administrative group
2. Must be able to add machines to domain
3. Must be able to map shared drives
4. Must be able to install programs, applications & print drivers or additional devices.
Please advise the best way to do this without having to give the domain administrator password to all members in the IT Support team.
Thank You & Kind Regards
Philip
December 23rd, 2011 3:58am
A. There is a default limit for a domain user to add workstations to the domain.
B. Creator Owner has full rights on directories he/she has created.
C. You can add a domain user to a local group that has the appropriate rights.
D. Consider rights delegation.
E. Double-check which rights are reasonable for the current user's work; otherwise you may get into problems.
Regards
Milos
December 23rd, 2011 4:08am
1. Must not be administrator account or member of administrative group.
Whenever you create a new user in Active Directory, it is by default a member of the Domain Users group, and the Domain Users group doesn't have any administrative rights.
2. must be able to add machines to domain
By default, authenticated users (domain users) can only add 10 machines to the domain. See http://blogs.technet.com/jhoward/arc...18/403817.aspx for instructions on how to change.
3. must be able to map shared drives
If the user has the permission on the shared drive, he should be able to map the drive without any issues.
4. must be able to install programs, applications & print drivers or additional devices.
Add the domain user to local administrators account
http://www.virmansec.com/blogs/skhairuddin
December 23rd, 2011 4:11am
Thank you, guys.
Dear Syed,
With regard to point 4, adding the domain user to the local administrators account: can this be done through Active Directory, through group policy, or manually added on each machine?
Thanks again
Philip
December 23rd, 2011 4:20am
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/GetcontrolofyourseversusingStartupShutdownScript.html
http://www.virmansec.com/blogs/skhairuddin
December 23rd, 2011 4:53am
Hello,
1. Must not be administrator account or member of administrative group
By default, all new Active Directory users are not members of the local administrators group unless you have already configured a Restricted Groups group policy to make them members of that group.
2. must be able to add machines to domain
By default, non-domain-administrator users are able to add 10 computers to an Active Directory domain. Otherwise, you can delegate the ability to join computers to the domain using the Active Directory Delegation Wizard.
3. must be able to map shared drives
He will be able to map the shared folders that he has access to.
4. must be able to install programs, applications & print drivers or additional devices.
Here, he should be a member of the local administrators group (for Windows XP, members of the Power Users group are able to do that also).
Please advise the best way to do this without having to give the domain administrator password to all members in the IT Support team.
Without giving the users the ability to be members of the local administrators group in order to install software, consider using SCCM or software deployment via group policies.
with regards to the point 4, adding domain user to the local administrators account? can this be done through active directory? or group policy? or manually added on each machine?
Use Restricted groups to do that. More here: http://support.microsoft.com/kb/279301
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
December 23rd, 2011 5:09am
2. must be able to add machines to domain
3. must be able to map shared drives
4. must be able to install programs, applications & print drivers or additional devices.
You can add the IT Support team to the local administrators group on clients by group policy, and any account in the domain can join 10 clients to the domain (you can increase or decrease this number):
http://mabdelhamid.wordpress.com/2011/11/09/how-to-prevent-authenticated-users-from-joining-workstations-to-a-domain/
Mohamed Abd Elhamid Abd Elaziz Microsoft System Administrator My blog: http://Mabdelhamid.wordpress.com/
December 23rd, 2011 5:10am
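The domain-join points raised in the replies above (the default quota of 10 and delegating the join right instead of sharing the domain administrator password), as an added example that is not part of any poster's reply. It assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later) and dsacls are available; the group and OU names are hypothetical placeholders.

```powershell
# Added example: scope domain-join rights to a support group instead of
# relying on the default quota or handing out Domain Admin credentials.
# $SupportGroup and $WorkstationOU are hypothetical placeholders.
Import-Module ActiveDirectory

$SupportGroup  = 'EXAMPLE\IT-Support'
$WorkstationOU = 'OU=Workstations,DC=example,DC=test'

# 1. Read the per-user join quota (default 10) from the domain head object.
$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName `
                       -Properties 'ms-DS-MachineAccountQuota'
$quota  = $head.'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota is currently $quota"

# 2. Set the quota to 0 so that ordinary authenticated users can no longer
#    join machines; only explicitly delegated principals can.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domain.DistinguishedName `
                 -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# 3. Delegate only "create child: computer objects" (CC;computer) to the
#    support group on the workstation OU and its sub-OUs (/I:T).
#    ${...} is required so PowerShell does not parse "$SupportGroup:" as a
#    drive-qualified variable name.
dsacls $WorkstationOU /I:T /G "${SupportGroup}:CC;computer"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $WorkstationOU" }

# 4. Review the resulting ACEs for the group so the delegation can be audited.
dsacls $WorkstationOU | Select-String -SimpleMatch $SupportGroup
```

With this delegation the support account must join machines into the delegated OU (for example with Add-Computer -OUPath), because the default Computers container does not carry the grant.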


