[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


helpdesk to local admin group best practice?

Posted on 2014-01-09
Medium Priority
Last Modified: 2014-01-29
I want to add helpdesk group with one help desk member to a set of local admin group for some station on the domain.  (2008 AD but 2003 domain func level and stations are xp win7 x32 and x64 on the win7. )

best route:

computer config - restricted groups. applying to comp ou

user config - gpo with local users and groups gpp. applying to user

Delegation - on the ou the helpdesk group is part of along with the computers?  this one i'm  not sure about.

Looking for best insights and specifics on computer vs user config being where to setup the gpo/gpp/delegation on.

Question by:dee30
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
LVL 57

Expert Comment

by:Mike Kline
ID: 39768117
You can use restricted groups to do this, florian has a great writeup here


Group policy preferences can also be used   http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Please test first so you get a feel for it.


LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 1002 total points
ID: 39768176
From personal experience Restricted Groups is the route which would be easiest IMO. This is a computer based policy that does not require a reboot.

When you are using GP Preferences if you have XP or server 2003 in your environment you will also need to make sure that you have the updates for Client Side Extensions in order for this to work.

If you decide to go with GPP here are the client side extension links below...

Windows XP - http://www.microsoft.com/en-ca/download/details.aspx?id=3628

Windows 2003 - http://www.microsoft.com/en-ca/download/details.aspx?id=6955


Author Comment

ID: 39768191
great... Speco1 this is the opinion/weigh in i was looking for.   I've used GPP in the past and wondering which is truly the best practice or easiest or better method.

the restricted group route is applied to computer with ou of the computers correct?   Regardless I'll review the links.  Mostly win7 at this time but will need it to work for some xp too.  thx
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 498 total points
ID: 39768247
It applies to the OU you link it to that is correct.   I'd setup a test OU or do it in a lab first so you get a feel for it.

If you look at Florian's link notice you can either append to what is already there or remove/wipe and start new.  I'm guessing you want to append.


LVL 53

Accepted Solution

Will Szymkowski earned 1002 total points
ID: 39768259
Group Policy Preferences is the newer alternative method as it came out wiht server 2008. Windows Wista/7/8 clients along with servers OS's 2008 or higher are compatible with GPP out of the box. eariler versions of client/server operating systems are not natively compatible and require the above updates.

GPP is the newer way but i beleive that restricted groups work just as well, and there is no hassel if you still have old clients in your network environment.

And to answer your above question this policy for Restricted Groups applys to the OU where the computers reside. No Reboot required.


Author Closing Comment

ID: 39819457
Thank you again.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question