helpdesk to local admin group best practice?

Posted on 2014-01-09
Last Modified: 2014-01-29
I want to add a helpdesk group with one help desk member to a set of local admin groups for some stations on the domain. (2008 AD but 2003 domain func level, and stations are XP and Win7, x32 and x64 on the Win7.)

best route:

computer config - restricted groups. applying to comp ou

user config - gpo with local users and groups gpp. applying to user

Delegation - on the OU the helpdesk group is part of along with the computers? This one I'm not sure about.

Looking for best insights and specifics on computer vs user config being where to setup the gpo/gpp/delegation on.

Thx
Question by:dee30

Expert Comment

by:Mike Kline
ID: 39768117
You can use Restricted Groups to do this; Florian has a great writeup here:

http://www.frickelsoft.net/blog/?p=13

Group Policy Preferences can also be used: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Please test first so you get a feel for it.

Thanks

Mike

Assisted Solution

by:Will Szymkowski
ID: 39768176
From personal experience Restricted Groups is the route which would be easiest IMO. This is a computer based policy that does not require a reboot.

When you are using GP Preferences, if you have XP or Server 2003 in your environment you will also need to make sure that you have the updates for Client Side Extensions in order for this to work.

If you decide to go with GPP here are the client side extension links below...

Windows XP - http://www.microsoft.com/en-ca/download/details.aspx?id=3628

Windows 2003 - http://www.microsoft.com/en-ca/download/details.aspx?id=6955

Will.

Author Comment

by:dee30
ID: 39768191
Great... Speco1, this is the opinion/weigh-in I was looking for. I've used GPP in the past and wondering which is truly the best practice or easiest or better method.

The restricted group route is applied to computer with OU of the computers, correct? Regardless, I'll review the links. Mostly Win7 at this time but will need it to work for some XP too. Thx

Assisted Solution

by:Mike Kline
ID: 39768247
It applies to the OU you link it to, that is correct. I'd set up a test OU or do it in a lab first so you get a feel for it.

If you look at Florian's link, notice you can either append to what is already there or remove/wipe and start new. I'm guessing you want to append.

Thanks

Mike
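
The append versus wipe choice described above is visible in the GPO's security template (GptTmpl.inf) under `[Group Membership]`: a `__Memberof` entry appends a principal to a group, while a `__Members` entry on the group itself enforces the exact member list. The following is an added example, not part of the original thread, that reads such a template and reports which mode applies to local Administrators; the function name, the sample template and the placeholder domain SID are constructed for illustration, and it assumes the template stores principals in SID form.

```powershell
# Constructed sample of a Restricted Groups template
# (stored in the GPO as Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf).
# The S-1-5-21-... value is a placeholder standing in for the helpdesk group's SID.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@

function Get-RestrictedGroupsAdminMode {
    param([Parameter(Mandatory)][string]$InfText)

    $adminsSid = '*S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
    $inSection = $false
    $enforced  = $null             # set only when Administrators has its own __Members line
    $appended  = @()               # principals added through "This group is a member of"

    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $principal = $Matches[1]
            $kind      = $Matches[2]
            $values    = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            # "Members" on Administrators itself: anything not listed is removed from the group.
            if ($kind -eq 'Members' -and $principal -eq $adminsSid) { $enforced = $values }
            # "Memberof" naming Administrators: the principal is added, existing members stay.
            if ($kind -eq 'Memberof' -and $values -contains $adminsSid) { $appended += $principal }
        }
    }

    [pscustomobject]@{
        Mode               = if ($null -ne $enforced) { 'Replace' } elseif ($appended) { 'Append' } else { 'NotConfigured' }
        EnforcedMembers    = $enforced
        AppendedPrincipals = $appended
    }
}

Get-RestrictedGroupsAdminMode -InfText $sampleInf   # constructed sample reports Mode = Append
```

A `Replace` result on a policy linked to a workstation OU means any local administrator not in `EnforcedMembers` is removed at the next policy refresh, which is worth confirming in a test OU before linking it more widely.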

Accepted Solution

by:Will Szymkowski
ID: 39768259
Group Policy Preferences is the newer alternative method as it came out with Server 2008. Windows Vista/7/8 clients along with server OSs 2008 or higher are compatible with GPP out of the box. Earlier versions of client/server operating systems are not natively compatible and require the above updates.

GPP is the newer way but I believe that Restricted Groups work just as well, and there is no hassle if you still have old clients in your network environment.

And to answer your above question, this policy for Restricted Groups applies to the OU where the computers reside. No reboot required.

Will.

Author Closing Comment

by:dee30
ID: 39819457
Thank you again.