
Active Directory 2008 : Delegating the Support of Computers (part 1) - Understanding Restricted Groups Policies

7/17/2013 8:06:50 PM

Many enterprises have one or more personnel dedicated to supporting end users, a role often referred to as the help desk, desktop support, or just support. Help desk personnel are often asked to perform troubleshooting, configuration, or other support tasks on client computers, and these tasks often require administrative privileges. The credentials used by support personnel must therefore be at the level of a member of the local Administrators group on client computers. Desktop support personnel do not, however, need the high level of privilege given to the Domain Admins group, so placing them in that group is not recommended. Instead, you should configure client systems so that a group representing support personnel is added to the local Administrators group.

Restricted groups policies allow you to do just that. In this lesson, you learn how to use restricted groups policies to add the help desk personnel to the local Administrators group of clients, thereby delegating support of those computers to the help desk. The same approach can be used to delegate the administration of any scope of computers to the team responsible for those systems.

1. Understanding Restricted Groups Policies

When you edit a Group Policy object (GPO) and expand the Computer Configuration node, the Policies node, the Windows Settings node, and the Security Settings node, you find the Restricted Groups policy node, shown in Figure 1.

Figure 1. The Restricted Groups policy node of a Group Policy object

Restricted groups policy settings allow you to manage the membership of groups. There are two types of settings: This Group Is A Member Of (the Member Of setting) and Members Of This Group (the Members setting). Figure 2 shows examples.

Figure 2. Member Of and Members restricted groups policies

It’s very important to understand the difference between these two settings. A Member Of setting indicates that the group specified by the policy is a member of another group. On the left side of Figure 2, you can see a typical example: The CONTOSO\Help Desk group is a member of the Administrators group. When a computer applies this policy setting, it ensures that the Help Desk group from the domain becomes a member of its local Administrators group. If there is more than one GPO with restricted groups policies, each Member Of policy is applied. For example, if a GPO linked to the Clients organizational unit (OU) specifies CONTOSO\Help Desk as a member of Administrators, and a second GPO linked to the NYC OU (a sub-OU of the Clients OU) specifies CONTOSO\NYC Support as a member of Administrators, a computer in the NYC OU adds both the Help Desk and NYC Support groups to its Administrators group in addition to any existing members of the group such as Domain Admins. This example is illustrated in Figure 3. As you can see, restricted groups policies that use the Member Of setting are cumulative.

The second type of restricted groups policy setting is the Members setting, which specifies the entire membership of the group specified by the policy. The right side of Figure 2 shows a typical example: the Administrators group’s Members list is specified as CONTOSO\Help Desk. When a computer applies this policy setting, it ensures that the local Administrators group’s membership consists only of CONTOSO\Help Desk. Any members not specified in the policy are removed, including Domain Admins. The Members setting is the authoritative policy—it defines the final list of members. If there is more than one GPO with restricted group policies, the GPO with the highest priority prevails. For example, if a GPO linked to the Clients OU specifies the Administrators group membership as CONTOSO\Help Desk, and another GPO linked to the NYC OU specifies the Administrators group membership as CONTOSO\NYC Support, computers in the NYC OU will have only the NYC Support group in their Administrators group. This example is illustrated in Figure 4.

Figure 3. Results of restricted groups policies using the Member Of setting

Figure 4. Restricted groups policies using the Members setting
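
The two scenarios above (Figures 3 and 4) can be modelled in a few lines of PowerShell to see what each setting type does to the local Administrators group. This is an added example, not part of the original lesson: it reads no real GPOs, the function name `Resolve-RestrictedGroup` and the sample GPO objects are constructed for illustration, and it refuses input that mixes both setting types for one group because the text above does not describe that combination.

```powershell
# Added illustration: models the resulting membership only; it reads no real GPOs.
function Resolve-RestrictedGroup {
    param(
        [string]   $LocalGroup,             # group being evaluated, e.g. Administrators
        [string[]] $ExistingMembers = @(),  # membership before policy applies
        [object[]] $Settings = @()          # settings in application order, highest priority last
    )
    $forGroup = @($Settings | Where-Object { $_.LocalGroup -eq $LocalGroup })
    $members  = @($forGroup | Where-Object { $_.Type -eq 'Members' })
    $memberOf = @($forGroup | Where-Object { $_.Type -eq 'MemberOf' })

    if ($members.Count -gt 0 -and $memberOf.Count -gt 0) {
        # The text above does not describe this combination, so the model refuses it.
        throw "Members and Member Of settings are mixed for '$LocalGroup'."
    }
    if ($members.Count -gt 0) {
        # Members is authoritative: the highest-priority GPO defines the whole list.
        $result = @($members[-1].Principals)
    } else {
        # Member Of is cumulative: every GPO adds to whatever is already there.
        $result = @($ExistingMembers) + @($memberOf | ForEach-Object { $_.Principals })
    }
    $result = @($result | Sort-Object -Unique)   # Sort-Object compares case-insensitively
    [pscustomobject]@{
        LocalGroup = $LocalGroup
        Members    = $result -join ', '
        Removed    = @($ExistingMembers | Where-Object { $_ -notin $result }) -join ', '
    }
}

# Constructed sample data for a computer in the NYC OU (Clients OU applies first, NYC OU last).
$existing = @('CONTOSO\Domain Admins')
$memberOfGpos = @(
    [pscustomobject]@{ Gpo = 'Clients OU GPO'; Type = 'MemberOf'; LocalGroup = 'Administrators'; Principals = @('CONTOSO\Help Desk') }
    [pscustomobject]@{ Gpo = 'NYC OU GPO';     Type = 'MemberOf'; LocalGroup = 'Administrators'; Principals = @('CONTOSO\NYC Support') }
)
$membersGpos = @(
    [pscustomobject]@{ Gpo = 'Clients OU GPO'; Type = 'Members'; LocalGroup = 'Administrators'; Principals = @('CONTOSO\Help Desk') }
    [pscustomobject]@{ Gpo = 'NYC OU GPO';     Type = 'Members'; LocalGroup = 'Administrators'; Principals = @('CONTOSO\NYC Support') }
)

# Figure 3 scenario: both GPOs use the Member Of setting.
Resolve-RestrictedGroup -LocalGroup 'Administrators' -ExistingMembers $existing -Settings $memberOfGpos
# Figure 4 scenario: both GPOs use the Members setting.
Resolve-RestrictedGroup -LocalGroup 'Administrators' -ExistingMembers $existing -Settings $membersGpos
```

The `Removed` column is the one to review before deploying a Members setting, since it lists every existing member the policy would strip from the group.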
