I need some help assigning the proper permissions to our new desktop support staff in AD (and anywhere else necessary). Here’s what they will be doing:
* all desktop PC support (so they need to be admin on all desktop PC’s)
* file share management (they will be assigning permissions to network shares, folders, files, etc)
* email/account management (adding/modifying email addresses, creating AD accounts, modifying group permissions, etc).
I’m aware of delegating permissions in AD for say the Users OU for AD account management, but I’m stuck on these two points:
* I want them to have limited access to the email server and file server to manage the file shares and ADUC (and not be able to hose the rest of the server).
* I want them to be able to have admin access to all desktop PC’s, without having any privileges on our servers. Can I assign the necessary permissions in AD?