restricted management for some users.

["Bruyere, Michel" <mbruyere () ezemcanada com>]

Hi, 
        I've been asked to do 2 things and I wanted to know what you
guys think would be the best way. I already have a way to achieve my
goal but I'm looking for a better way to do that (if any exist)

Here it goes

1- I need to setup a user (the technician) to access the properties of
accounts in AD (to reset passwords and/or unlock them). He has to log on
locally/interactively on one of the DC (the one with all the FMSO
roles).
BTW I had something strange when I've set the local policies on the DC
to allow the user to logon locally. I had set al admins groups/accounts
and this particular account. Few times after I did this, users began to
call me telling that they had a message that they couldn't logon
interactively. Is there a way to setup "local" policies on the DC to
allow a user account to logon locally? 


2- I have to give full control over 5 servers to 2 guys, the ERP dev
team. They should have the right to install/uninstall anything on the
servers. I though to give them an account which is local administrator
on those servers.



Thanks



M.Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------