In our organization (environment is Win 2k3 Server Ent. R2 x32, Win XP Pro x32), the CIO has decided to tighten up our policy & procedures. We have a Help Desk that has Tier 1, 2 & 3 levels of support. Currently, tiers 2 & 3 use the built-in Domain Admin account (at the workstation level) for resolving issues, client configuration and troubleshooting. We want to create a secondary 'Junior Domain Administrator' account for tiers 2 & 3 to use @ the workstations. This way it keeps prying eyes from the God account PW and allows us to keep the God account @ the Server level only.
Rather than adding individual support personnel to a Security Group in AD for this purpose, we want to set up one limited 'blanket' account for IT personnel to use that follows the principle of least privilege for user accounts. Using 'Run As' really doesn't fit our need either.
We only want this 'secondary account' to have the following capabilities when logging into the workstation level:
1. Add/Remove Programs
2. Change a User's Profile level (Power user, standard user, etc)
3. Configure / Change IP & Network settings @ the workstation
4. Attach / Detach client from Domain
What would the best configuration be for this account? Add this account to the Administrators SG, then tighten it up via GPO? If GPO is the route, what are the best settings to use? My CIO asked if it would be easier to set up a local account on each PC and just use that. I disagree, as 300+ clients would be a PITA and we should be able to restrict it with GPO. I am not that knowledgeable about getting so granular with GPOs.
Are many of you using a secondary account for user support @ the workstation? Your help and real-world solutions would be appreciated!
Thanks!
John
P.S. - Any needed clarification on this 'description' - just ask!