• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 57
  • Last Modified:

How to set Group Policy limitations for IT helpdesk?

I have an IT helpdesk, and i would like not to give the staff there  Administrator rights, but rather as following:
- rights to install and run software on workstations
- rights to login to servers in "read only" mode, with possibility to run limited applications ( allow them to run for instance Event Viewer so they can check logs), maybe some backup app., but no other rights on servers

Thanks
1
GreatSolutions
Asked:
GreatSolutions
  • 2
  • 2
3 Solutions
 
Alex Green3rd Line Server SupportCommented:
Create 2 group policies, one for server and one for workstation

Drop your helpdesk group into remote users on the servers

Administrators on your workstations

That'll allow them to log onto the server but make no changes and administer your workstations which is ideally what they should have.
0
 
GreatSolutionsC.I.OAuthor Commented:
Thanks for the fast answer.
So here is what i understand and what i still need clarifications with:
1) Create HelpDesk group, and add the group as local administrator for each workstation ( do i have to go to each workstation or can it be done using group policy? )
2) Drop the HelpDesk group as remote user on each server ( same question as 1 )
3) Create group policies one for server and one for workstation: what should i modify/define in those group policies?
0
 
Alex Green3rd Line Server SupportCommented:
http://www.dannyeckes.com/create-local-administrator-security-group-gpo/


Follow that, it's step by step and you can do the same for remote users for your server policy
0
 
Mal OsborneAlpha GeekCommented:
Probably not what you want to hear, but this is not going to fly.  Any "corrupt" helpdesk staff will get around these restrictions with ease. All your efforts will do is make things difficult for legitimate support work, while offering negligible protection.

You really need to ensure you have support staff that you can trust.
0
 
GreatSolutionsC.I.OAuthor Commented:
@Mal Osborne you're right, they will eventually get admin rights. It's not that i don't trust them, but rather that i would like to avoid any unintentional issue while they're still learning our network...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now