Solved

helpdesk to local admin group best practice?

Posted on 2014-01-09
6
823 Views
Last Modified: 2014-01-29
I want to add helpdesk group with one help desk member to a set of local admin group for some station on the domain.  (2008 AD but 2003 domain func level and stations are xp win7 x32 and x64 on the win7. )

best route:

computer config - restricted groups. applying to comp ou

user config - gpo with local users and groups gpp. applying to user

Delegation - on the ou the helpdesk group is part of along with the computers?  this one i'm  not sure about.

Looking for best insights and specifics on computer vs user config being where to setup the gpo/gpp/delegation on.

Thx
0
Comment
Question by:dee30
  • 2
  • 2
  • 2
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39768117
You can use restricted groups to do this, florian has a great writeup here

http://www.frickelsoft.net/blog/?p=13

Group policy preferences can also be used   http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Please test first so you get a feel for it.

Thanks

Mike
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 334 total points
ID: 39768176
From personal experience Restricted Groups is the route which would be easiest IMO. This is a computer based policy that does not require a reboot.

When you are using GP Preferences if you have XP or server 2003 in your environment you will also need to make sure that you have the updates for Client Side Extensions in order for this to work.

If you decide to go with GPP here are the client side extension links below...

Windows XP - http://www.microsoft.com/en-ca/download/details.aspx?id=3628

Windows 2003 - http://www.microsoft.com/en-ca/download/details.aspx?id=6955

Will.
0
 

Author Comment

by:dee30
ID: 39768191
great... Speco1 this is the opinion/weigh in i was looking for.   I've used GPP in the past and wondering which is truly the best practice or easiest or better method.

the restricted group route is applied to computer with ou of the computers correct?   Regardless I'll review the links.  Mostly win7 at this time but will need it to work for some xp too.  thx
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 166 total points
ID: 39768247
It applies to the OU you link it to that is correct.   I'd setup a test OU or do it in a lab first so you get a feel for it.

If you look at Florian's link notice you can either append to what is already there or remove/wipe and start new.  I'm guessing you want to append.

Thanks

Mike
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 334 total points
ID: 39768259
Group Policy Preferences is the newer alternative method as it came out wiht server 2008. Windows Wista/7/8 clients along with servers OS's 2008 or higher are compatible with GPP out of the box. eariler versions of client/server operating systems are not natively compatible and require the above updates.

GPP is the newer way but i beleive that restricted groups work just as well, and there is no hassel if you still have old clients in your network environment.

And to answer your above question this policy for Restricted Groups applys to the OU where the computers reside. No Reboot required.

Will.
0
 

Author Closing Comment

by:dee30
ID: 39819457
Thank you again.
0

Join & Write a Comment

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now