One idea that has come up and is really handy, is creating a general support user so that you can login to machines and have Administrative rights to that machine. We have many groups, and each group has a Desktop Admin group that we add people to who need Administrative access. But we also use it to remove people that seem to abuse it.
Instead of manually adding the groups one by one, you can use dsquery and dsmod. You simple do a query to find the groups that you’ve created. In this example we’re looking for anything that ends in “Desktop Admin”:
dsquery group domainroot -name “*Desktop Admin”
Which returns all of the groups we need. Next step is to take the Global Desktop Admin group and add it to all of these groups. This is simple with dsmod:
dsquery group domainroot -name “*Desktop Admin” | dsmod group -addmbr “CN=Global Desktop Admin,OU=Network Admin,OU=Groups,DC=DOMAIN,DC=LAN”