Difference between AD builtin local and XP machine local Network Configuration Operators group?

All users in my organization do not have permission to change their LAN connection settings. I am trying to setup a helpdesk support account with just enough privilege to change LAN connection settings. I created and added the helpdesk support account, called ACCOUNTX, to the AD builtin Network Configuration Operators local group. Then, I logged on to a XP laptop using ACCOUNTX and tried changing the LAN settings. As soon as I clicked properties of the LAN connection, message popped up saying "you do not have sufficient privilege or permission to access or change them"

I removed ACCOUNTX from the AD Network Configuration Operators local group, then, I added ACCOUNTX to the XP laptop local Network Configuration Operators group and I was able to make change to LAN connection.

My question is, what's the difference between these two groups? I don't want to add the support account to every XP machine's Network Configuration Operators group locally. What should I do to accomplish this on domain level?
RoyoRAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Netman66Commented:
This is a simple task.

The AD account is for use on DCs, while the local account is just that - local.

For this, we will use Restricted Groups.
Create a new AD Security Group for the Helpdesk account(s) and add in the appropriate Principals.
Open up either a new GPO attached to an OU that holds all your workstations or at the Domain level (best choice).
Under Computer Configuration>Windows Settings>Security Settings - right click Restricted Groups and select Add Group.
Click Browse.
Enter in the name of the Security group you're going to use (the AD group).
Click Check Names then OK.
On the next applet in the LOWER section, click the button for Add.
Type in the XP local group name EXACTLY as it is shown in Local Computers and Users on a workstation.
Click OK.

Your domain group should now get added to the local group on all workstations in the path of the policy.
If you linked this new policy at the domain, there is one extra step to do.  In GPMC select (highlight) the new policy and select the Delegation tab.  Click the Advanced tab.  If the Enterprise Domain Controllers group is not listed, add it and set the permissions to Read (under Allow) and Apply Group Policy (under DENY) - this will ensure your group doesn't get added on any DCs.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.