Senior Administrators and Junior Administrators

Is there a way to have 2 levels of Administrator access to the domain. I
would like to have senior admins have Full Permissions and junior admins
with levels that restrict them from locking out the senior admins or changing
primary passwords

 

Thanks for the post, in your opinion does a member of the server operators
group have enough priveledge to perform the duties of an admin without having
access to changing the Root Administrators Password?

 

As Cris replied, you can not effectively restrict an admin. However, you may
take a lesser account and delegate permissions to perform limited functions
on OU's and object in AD. So, you could perhaps delegate a group to have
password reset capability to an OU structure. You can also delegate other
permissions to them as well depending upon your needs.

...but once you make them an admin, trying to deny them abilities is not
effective.

 

You need to define the tasks you want your "junior" admin to perform and
then it can be determined how (and if) you can give them only those
permissions without makeing them a full administrator.

 

You can delegate tasks in AD - including password changes, etc - to specific
OUs. Then set up an MMC taskpad on any PC running the adminpak tools. This
isn't too tough to do if you're experienced with this stuff, but you have to
be careful about it.