
Q: Best practice for IT Staff user rights 2

Status
Not open for further replies.

EricDM606

IS-IT--Management
Jan 13, 2005
30
Here's the gist: The IT Staff here has always been very small and we handle everything from user problems to enterprise level projects. Thankfully, our situation has improved somewhat and we're developing a "Help Desk" squad of technicians to offload the daily issues so the Analysts can devote more time to completing projects.

My question: What's the best method to allow Help Desk level technicians to be able to:
a) NOT be domain administrators
b) Be able to add/remove PCs from the domain
c) Have local administrator rights over the PCs they'll be servicing throughout the day, but little or no access to servers.

I'm sure this gets asked a lot. Any help would be greatly appreciated.

Eric M.
 
Create a Help Desk Admin OU -> set a global group and add the help desk members -> add this global group to the local admin group on all client PCs.
 
As for that last part, what's the fastest way to add the global group to the local admin group on the client PCs? Am I stuck going into each machine and changing it or is there a faster way?

(The reason being that our offices are spread among 5 buildings.)

Eric M.
 
I know there is an easier way to do it, rather than going to each desktop. I think you can set GPO rights allowing your group of Help Desk personnel to make the type of changes you seek.

I have to refresh my memory. I jump between Linux and M$ for weeks at a time, and it's difficult to remember.
 
To join the local PCs to the domain, you should be a domain admin or have equivalent permissions to join computers to a domain, which I think you can find when you configure a GPO for the OU you want to throw the help desk group in.
 
To add the helpdesk global group to the local admin groups on client PCs, take a look at restricted groups via GPO.

Open up a GPO, drill down to computer settings--windows settings---Security setting----restricted groups.

Add a group called administrators, then add the global group as members...and members of the global group will be local admins.

Mike,
 
Quote:
"To join the local PCs to the domain, you should be a domain admin or have equivalent permissions to join computers to a domain, which I think you can find when you configure a GPO for the OU you want to throw the help desk group in."

Make your Helpdesk Users administrators in the OUs to which you add PCs, put all the servers in a different OU. This way they can add PCs to the OU for PCs and not have admin rights to the Server OU.

He's not the messiah, he's a very naughty boy (Monty Python's The Life of Brian)
 
Mikiemov - what you've suggested, if I want the Help Desk users to reach all PCs, I apply this GPO on the domain root, correct? Or am I lost again?

Eric M.
 
AndrewTait - I get what you're saying, after reading it a few times. Thanks.

Eric M.
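
An added example, not part of the thread: a PowerShell audit to run once the Restricted Groups GPO discussed above has applied, checking that the help desk group ended up as local administrator on workstations only and flagging servers or domain controllers that fall within the policy's scope. The group names, host names and the use of WinRM remoting are assumptions.

```powershell
# Added example, not from the thread. Group and host names are hypothetical placeholders.
# Assumes PowerShell 5.1+ and WinRM remoting enabled on the targets.
param(
    [string[]]$ComputerName  = @('PC-EXAMPLE-01', 'SRV-EXAMPLE-01'),
    [string]$HelpDeskGroup   = 'CORP\HelpDesk-Admins',
    [string[]]$AlwaysAllowed = @('CORP\Domain Admins')
)

$audit = {
    param($HelpDeskGroup, $AlwaysAllowed)

    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $type = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($type -eq 2) {
        # A DC has no local SAM: "Administrators" there is the domain's built-in group,
        # so a Restricted Groups policy reaching a DC would make the help desk
        # group administrators of the domain.
        return [pscustomobject]@{
            Role = 'DC'; Member = '-'
            Finding = 'REVIEW: domain controller, confirm the help desk GPO does not apply'
        }
    }
    $role = if ($type -eq 1) { 'Workstation' } else { 'Server' }

    # S-1-5-32-544 is the well-known SID of the local Administrators group
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $finding = if ($m.Name -eq $HelpDeskGroup) {
            if ($role -eq 'Workstation') { 'OK: help desk on a workstation' } else {
                'VIOLATION: help desk group is admin on a server' }
        } elseif ($AlwaysAllowed -contains $m.Name) {
            'OK: allow-listed'
        } elseif ($m.PrincipalSource -eq 'Local' -and $m.SID.Value -like '*-500') {
            'OK: built-in local Administrator'
        } else {
            'REVIEW: not in allow-list'
        }
        [pscustomobject]@{ Role = $role; Member = $m.Name; Finding = $finding }
    }
}

# Runs the audit on every target; PSComputerName is added by remoting.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit -ArgumentList $HelpDeskGroup, $AlwaysAllowed |
    Sort-Object Finding -Descending |
    Format-Table PSComputerName, Role, Member, Finding -AutoSize
```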
 