Okay, so we're getting a part-time person/ summer intern. What's the best way to create a limited access account so that he/she can Join machines to the domain at minimal but also maybe reset user passwords, unlock accounts but not have full access to Exchange or AD/ Forest?
I know the Delegation of OU, but I don't see anything in there specific pertaining to add/remove machines to Domain. We're a Server 08 R2 environment
Should I create a new Group, add him to it? And to which groups do I make him/her a user of? Trying to avoid giving "Domain Admins" or "Administrators" Groups.
Or on the individual user level, go with the delegation of OU method?
Thanks Gurus!
~Skelleyman