How to set Group Policy limitations for IT helpdesk?

I have an IT helpdesk, and I would like not to give the staff there Administrator rights, but rather the following:
- rights to install and run software on workstations
- rights to log in to servers in "read only" mode, with the possibility to run limited applications (allow them to run, for instance, Event Viewer so they can check logs), maybe some backup app, but no other rights on servers


Alex Green, Project Systems Engineer, commented:
Create 2 group policies, one for server and one for workstation

Drop your helpdesk group into remote users on the servers

Administrators on your workstations

That'll allow them to log onto the server but make no changes and administer your workstations which is ideally what they should have.

GreatSolutions, C.I.O (Author), commented:
Thanks for the fast answer.
So here is what I understand and what I still need clarification on:
1) Create HelpDesk group, and add the group as local administrator for each workstation (do I have to go to each workstation or can it be done using group policy?)
2) Drop the HelpDesk group as remote user on each server (same question as 1)
3) Create group policies, one for server and one for workstation: what should I modify/define in those group policies?
Alex Green, Project Systems Engineer, commented:

Follow that, it's step by step and you can do the same for remote users for your server policy
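
An added example, not part of the thread or any poster's code: a PowerShell check to run on a machine once the two policies have applied, confirming the helpdesk group landed where the answer above describes (Administrators on workstations; on servers, the "remote users" group, read here as the built-in Remote Desktop Users, and not Administrators). `CONTOSO\HelpDesk` is a placeholder group name, the function names are hypothetical, and the sample membership lists are constructed.

```powershell
# Added example. 'CONTOSO\HelpDesk' is a placeholder; substitute the real group name.
$HelpdeskGroup = 'CONTOSO\HelpDesk'

function Test-HelpdeskMembership {
    param(
        [Parameter(Mandatory)][int]$ProductType,  # 1 = workstation, 2 = domain controller, 3 = server
        [string[]]$AdminMembers,                  # direct members of BUILTIN\Administrators
        [string[]]$RdpMembers,                    # direct members of BUILTIN\Remote Desktop Users
        [Parameter(Mandatory)][string]$Helpdesk
    )
    $inAdmins = $AdminMembers -contains $Helpdesk   # -contains compares case-insensitively
    $inRdp    = $RdpMembers   -contains $Helpdesk
    switch ($ProductType) {
        1 { if (-not $inAdmins) { 'Workstation: helpdesk group is missing from Administrators' } }
        3 {
            if ($inAdmins)   { 'Server: helpdesk group is in Administrators (should be RDP only)' }
            if (-not $inRdp) { 'Server: helpdesk group is missing from Remote Desktop Users' }
        }
        default { 'Domain controller or unknown role: no local groups to evaluate' }
    }
}

function Get-DirectMemberNames([string]$Sid) {
    # Well-known SIDs are used so the check also works on localized Windows builds.
    # Only direct members are listed; membership through nested groups is not resolved.
    Get-LocalGroupMember -SID $Sid -ErrorAction Stop | ForEach-Object { $_.Name }
}

# Constructed sample: a server where the workstation policy was linked by mistake.
$sample = Test-HelpdeskMembership -ProductType 3 -Helpdesk $HelpdeskGroup `
    -AdminMembers 'CONTOSO\Domain Admins', 'CONTOSO\HelpDesk' `
    -RdpMembers   'CONTOSO\HelpDesk'
"Sample server: $($sample -join '; ')"

# Live check on the machine this runs on (run it after gpupdate has applied the policy).
$type = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
if ($type -eq 2) {
    'Domain controller: skipped, it has no local Administrators group to audit'
} else {
    $findings = @(Test-HelpdeskMembership -ProductType $type -Helpdesk $HelpdeskGroup `
        -AdminMembers (Get-DirectMemberNames 'S-1-5-32-544') `
        -RdpMembers   (Get-DirectMemberNames 'S-1-5-32-555'))
    if ($findings.Count -eq 0) { 'OK: local group membership matches the intended split' } else { $findings }
}
```
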
Mal Osborne, Alpha Geek, commented:
Probably not what you want to hear, but this is not going to fly.  Any "corrupt" helpdesk staff will get around these restrictions with ease. All your efforts will do is make things difficult for legitimate support work, while offering negligible protection.

You really need to ensure you have support staff that you can trust.
GreatSolutions, C.I.O (Author), commented:
@Mal Osborne you're right, they will eventually get admin rights. It's not that I don't trust them, but rather that I would like to avoid any unintentional issue while they're still learning our network...