Domain user and local workstation group

[Jim]

I'm new to AD. I have this problem. I added a new user to
domain. I want him to be able to use some of the domain
resources like files and printers. I don't want to give
him full admin right on the domain computers. I want him
to be able to maintain an admin status on the computer he
is login on from (his fixed workstation ). How do I go
about that? I tried looking into local policy but I could
only manage to prevent him from login on to the computer
in question.
Second part of the question would be to allow him to log
onto only one (his workstation) computer in the domain.
Finally the thrid question would be to make an user domain
admin yet restrict him from managing my personal
workstation (accessing files) which is a part of the same
domain.
Can some one point me in the right direction?

TIA
Jim

 

[Matjaz Ladava [MVP]]

Add that user to local Administrators group on his own Workstation. This way
he will be admin of his computer, but not of the domain.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 

[Jim]

Thanks,
That was simple enough. Any idea how would i prevent this
user from logging on other computers?
Also how would I deny access to a workstation that is
part of a domain to Domain Admin group?

 

[Matjaz Ladava [MVP]]

You have several options to prevent users from logging on to pther
workstation. Oen is to learn Group policy where you can setup security
setting (Logon Localy) which defines which user/group can logon localy. In
user properties in AD you also have the posibility to specify on which
workstation your user can logon (Logo on to workstation button).

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com