Many enterprises have one or more personnel dedicated to
supporting end users, a role often referred to as the help
desk, desktop support, or just support.
Help desk personnel are often asked to perform troubleshooting,
configuration, or other support tasks on client computers, and these
tasks often require administrative privileges. Therefore, the
credentials used by support personnel must be at the level of a member
of the local Administrators group on client computers, but desktop
support personnel do not need the high level of privilege given to the
Domain Admins group, so it is not recommended that you place them in
that group. Instead, you should configure client systems so that a group
representing support personnel is added to the local Administrators
group. Restricted groups policies allow you to do just that, and
in this lesson, you learn how to use restricted groups policies to add the help desk personnel
to the local Administrators group of clients, thereby delegating support
of those computers to the help desk. The same approach can be used to
delegate the administration of any scope of computers to the team
responsible for those systems.
1. Understanding Restricted Groups Policies
When you edit a Group Policy object (GPO) and expand the
Computer Configuration node, the Policies node, the Windows Settings
node, and the Security Settings node, you find the Restricted Groups
policy node, shown in Figure 1.
Restricted groups policy settings allow you to manage
the membership of groups. There are two types of settings: This
Group Is A Member Of (the Member Of setting) and Members Of This Group (the Members setting). Figure 2 shows
examples.
It’s very important to understand the difference between these
two settings. A Member Of setting indicates that the group specified
by the policy is a member of another group. On the left side of Figure 2, you can see a
typical example: The CONTOSO\Help Desk group is a member of the
Administrators group. When a computer applies this policy setting, it
ensures that the Help Desk group from the domain becomes a member of
its local Administrators group. If there is more than one GPO with
restricted groups policies, each Member Of policy is applied. For
example, if a GPO linked to the Clients organizational unit (OU)
specifies CONTOSO\Help Desk as a member of Administrators, and a
second GPO linked to the NYC OU (a sub-OU of the Clients OU) specifies
CONTOSO\NYC Support as a member of Administrators, a computer in the
NYC OU adds both the Help Desk and NYC Support groups to its
Administrators group in addition to any existing members of the group
such as Domain Admins. This example is illustrated in Figure 3. As you can see,
restricted groups policies that use the Member Of setting are
cumulative.
The second type of restricted groups policy setting is the
Members setting, which specifies the entire membership of the group
specified by the policy. The right side of Figure 2 shows a typical
example: the Administrators group’s Members list is specified as
CONTOSO\Help Desk. When a computer applies this policy setting, it
ensures that the local Administrators group’s membership consists
only of CONTOSO\Help Desk. Any members not
specified in the policy are removed, including Domain Admins if it is
not listed. The Members setting is the authoritative policy—it defines
the final list of members. If more than one GPO with restricted groups
policies defines the Members setting for the same group, only the setting
from the GPO with the highest priority is applied.
prevails. For example, if a GPO linked to the Clients OU specifies the
Administrators group membership as CONTOSO\Help Desk, and another GPO
linked to the NYC OU specifies the Administrators group membership as CONTOSO\NYC Support, computers in
the NYC OU will have only the NYC Support group in their
Administrators group. This example is illustrated in Figure 4.
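The two behaviours described above (cumulative Member Of settings, as in Figure 3, and an authoritative Members setting from the highest-priority GPO, as in Figure 4) are easy to get wrong before a policy is linked, because the Members setting silently drops every account it does not list. The following Python model is an added example, not code from this training kit or from Windows itself: it replays both figures against a constructed starting membership and reports what a client would remove. The group and account names (CONTOSO\Help Desk, CONTOSO\NYC Support, CONTOSO\Domain Admins, and a constructed stale local account CLIENT01\old-tech) follow the lesson's examples; the handling of a group that receives both kinds of setting at once (Member Of entries added on top of the Members baseline) is an assumption the lesson does not cover.

```python
"""Model of how Restricted Groups policy settings resolve on a client.

Added example for this lesson, not code from the training kit. GPOs are
listed in the order a client processes them: the GPO linked closest to
the computer (here the NYC sub-OU) comes last and therefore has the
highest priority. Names are constructed to match the lesson's examples.
"""
from dataclasses import dataclass, field


@dataclass
class RestrictedGroupsGpo:
    name: str
    # Members setting: group -> the entire, authoritative membership list
    members: dict = field(default_factory=dict)
    # Member Of setting: principal -> groups it must be made a member of
    member_of: dict = field(default_factory=dict)


def resolve_group(group, current_members, gpos):
    """Return (effective_members, removed_members) for one local group.

    Members is authoritative: the highest-priority GPO that defines it
    replaces the whole membership. Member Of is cumulative: every GPO's
    entries are added. Assumption (not stated in the lesson): when both
    kinds of setting apply to one group, Member Of entries are added on
    top of the Members baseline.
    """
    baseline = set(current_members)
    for gpo in reversed(gpos):            # highest priority first
        if group in gpo.members:
            baseline = set(gpo.members[group])
            break
    effective = set(baseline)
    for gpo in gpos:                      # every GPO contributes
        for principal, targets in gpo.member_of.items():
            if group in targets:
                effective.add(principal)
    removed = set(current_members) - effective
    return frozenset(effective), frozenset(removed)


# Constructed starting state of a client's local Administrators group.
CURRENT_ADMINS = frozenset({"CONTOSO\\Domain Admins", "CLIENT01\\old-tech"})


def figure3_gpos():
    """Two Member Of policies: Clients OU first, NYC sub-OU last."""
    clients = RestrictedGroupsGpo(
        "Clients OU GPO", member_of={"CONTOSO\\Help Desk": {"Administrators"}})
    nyc = RestrictedGroupsGpo(
        "NYC OU GPO", member_of={"CONTOSO\\NYC Support": {"Administrators"}})
    return [clients, nyc]


def figure4_gpos():
    """Two Members policies for the same group; the NYC GPO wins."""
    clients = RestrictedGroupsGpo(
        "Clients OU GPO", members={"Administrators": {"CONTOSO\\Help Desk"}})
    nyc = RestrictedGroupsGpo(
        "NYC OU GPO", members={"Administrators": {"CONTOSO\\NYC Support"}})
    return [clients, nyc]


def figure3_scenario():
    return resolve_group("Administrators", CURRENT_ADMINS, figure3_gpos())


def figure4_scenario():
    return resolve_group("Administrators", CURRENT_ADMINS, figure4_gpos())


def preflight_report(group, current_members, gpos):
    """Describe what applying the GPOs would do, flagging loss of Domain Admins."""
    effective, removed = resolve_group(group, current_members, gpos)
    lines = [f"{group}: {sorted(effective)}"]
    if removed:
        lines.append(f"  would remove: {sorted(removed)}")
    if "CONTOSO\\Domain Admins" in removed:
        lines.append("  WARNING: a Members setting strips Domain Admins")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Figure 3 (Member Of, cumulative):")
    print(preflight_report("Administrators", CURRENT_ADMINS, figure3_gpos()))
    print("Figure 4 (Members, authoritative):")
    print(preflight_report("Administrators", CURRENT_ADMINS, figure4_gpos()))
```

Running the module prints both scenarios: the Figure 3 case keeps Domain Admins and the stale local account and adds both support groups, while the Figure 4 case leaves NYC Support as the only member and is flagged because Domain Admins would be removed. Feeding the model the actual membership of a pilot client and the GPOs linked above it is a cheap way to review a Members setting before it reaches production.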