Solved

helpdesk to local admin group best practice?

Posted on 2014-01-09
6
828 Views
Last Modified: 2014-01-29
I want to add helpdesk group with one help desk member to a set of local admin group for some station on the domain.  (2008 AD but 2003 domain func level and stations are xp win7 x32 and x64 on the win7. )

best route:

computer config - restricted groups. applying to comp ou

user config - gpo with local users and groups gpp. applying to user

Delegation - on the ou the helpdesk group is part of along with the computers?  this one i'm  not sure about.

Looking for best insights and specifics on computer vs user config being where to setup the gpo/gpp/delegation on.

Thx
0
Comment
Question by:dee30
  • 2
  • 2
  • 2
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39768117
You can use restricted groups to do this, florian has a great writeup here

http://www.frickelsoft.net/blog/?p=13

Group policy preferences can also be used   http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Please test first so you get a feel for it.

Thanks

Mike
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 334 total points
ID: 39768176
From personal experience Restricted Groups is the route which would be easiest IMO. This is a computer based policy that does not require a reboot.

When you are using GP Preferences if you have XP or server 2003 in your environment you will also need to make sure that you have the updates for Client Side Extensions in order for this to work.

If you decide to go with GPP here are the client side extension links below...

Windows XP - http://www.microsoft.com/en-ca/download/details.aspx?id=3628

Windows 2003 - http://www.microsoft.com/en-ca/download/details.aspx?id=6955

Will.
0
 

Author Comment

by:dee30
ID: 39768191
great... Speco1 this is the opinion/weigh in i was looking for.   I've used GPP in the past and wondering which is truly the best practice or easiest or better method.

the restricted group route is applied to computer with ou of the computers correct?   Regardless I'll review the links.  Mostly win7 at this time but will need it to work for some xp too.  thx
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 166 total points
ID: 39768247
It applies to the OU you link it to that is correct.   I'd setup a test OU or do it in a lab first so you get a feel for it.

If you look at Florian's link notice you can either append to what is already there or remove/wipe and start new.  I'm guessing you want to append.

Thanks

Mike
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 334 total points
ID: 39768259
Group Policy Preferences is the newer alternative method as it came out wiht server 2008. Windows Wista/7/8 clients along with servers OS's 2008 or higher are compatible with GPP out of the box. eariler versions of client/server operating systems are not natively compatible and require the above updates.

GPP is the newer way but i beleive that restricted groups work just as well, and there is no hassel if you still have old clients in your network environment.

And to answer your above question this policy for Restricted Groups applys to the OU where the computers reside. No Reboot required.

Will.
0
 

Author Closing Comment

by:dee30
ID: 39819457
Thank you again.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now