helpdesk to local admin group best practice?

Posted on 2014-01-09
Medium Priority
Last Modified: 2014-01-29
I want to add helpdesk group with one help desk member to a set of local admin group for some station on the domain.  (2008 AD but 2003 domain func level and stations are xp win7 x32 and x64 on the win7. )

best route:

computer config - restricted groups. applying to comp ou

user config - gpo with local users and groups gpp. applying to user

Delegation - on the ou the helpdesk group is part of along with the computers?  this one i'm  not sure about.

Looking for best insights and specifics on computer vs user config being where to setup the gpo/gpp/delegation on.

Question by:dee30
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
LVL 57

Expert Comment

by:Mike Kline
ID: 39768117
You can use restricted groups to do this, florian has a great writeup here


Group policy preferences can also be used   http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Please test first so you get a feel for it.


LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 1002 total points
ID: 39768176
From personal experience Restricted Groups is the route which would be easiest IMO. This is a computer based policy that does not require a reboot.

When you are using GP Preferences if you have XP or server 2003 in your environment you will also need to make sure that you have the updates for Client Side Extensions in order for this to work.

If you decide to go with GPP here are the client side extension links below...

Windows XP - http://www.microsoft.com/en-ca/download/details.aspx?id=3628

Windows 2003 - http://www.microsoft.com/en-ca/download/details.aspx?id=6955


Author Comment

ID: 39768191
great... Speco1 this is the opinion/weigh in i was looking for.   I've used GPP in the past and wondering which is truly the best practice or easiest or better method.

the restricted group route is applied to computer with ou of the computers correct?   Regardless I'll review the links.  Mostly win7 at this time but will need it to work for some xp too.  thx
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 498 total points
ID: 39768247
It applies to the OU you link it to that is correct.   I'd setup a test OU or do it in a lab first so you get a feel for it.

If you look at Florian's link notice you can either append to what is already there or remove/wipe and start new.  I'm guessing you want to append.


LVL 53

Accepted Solution

Will Szymkowski earned 1002 total points
ID: 39768259
Group Policy Preferences is the newer alternative method as it came out wiht server 2008. Windows Wista/7/8 clients along with servers OS's 2008 or higher are compatible with GPP out of the box. eariler versions of client/server operating systems are not natively compatible and require the above updates.

GPP is the newer way but i beleive that restricted groups work just as well, and there is no hassel if you still have old clients in your network environment.

And to answer your above question this policy for Restricted Groups applys to the OU where the computers reside. No Reboot required.


Author Closing Comment

ID: 39819457
Thank you again.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Suggested Courses
Course of the Month14 days, 4 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question