I have set up a group policy to add the members of the helpdesk group the the BUILTIN\Administrators group. This way, they can log on any workstation and do anything they have to do on them.
I did this via Computer Configuration > Windows Settings > Security Settings > Restricted Groups
Now, the problem is that they can access any file on any computer via the administrative shares (C$, D$, etc...).
I am OK for them to be able to access anything on a workstation when locally logged on it, but not to have access to these administrative shares.
Is there a way to give them local administrative privileges only when they are locally logged on the workstations ?
Thanks a lot !