All users in my organization do not have permission to change their LAN connection settings. I am trying to setup a helpdesk support account with just enough privilege to change LAN connection settings. I created and added the helpdesk support account, called ACCOUNTX, to the AD builtin Network Configuration Operators local group. Then, I logged on to a XP laptop using ACCOUNTX and tried changing the LAN settings. As soon as I clicked properties of the LAN connection, message popped up saying "you do not have sufficient privilege or permission to access or change them"
I removed ACCOUNTX from the AD Network Configuration Operators local group, then, I added ACCOUNTX to the XP laptop local Network Configuration Operators group and I was able to make change to LAN connection.
My question is, what's the difference between these two groups? I don't want to add the support account to every XP machine's Network Configuration Operators group locally. What should I do to accomplish this on domain level?