If AD is used in an enterprise for user and computer management, a Helpdesk role is usually set up. The company's IT staff handle employees' day-to-day computer problems, and in many cases Helpdesk needs local administrator rights on the computer to install software and configure the system. We therefore need to add the Helpdesk user to the Administrators group of all employee computers through AD Group Policy.
To protect the servers, Helpdesk users must not be allowed to connect remotely to a server or hold administrator rights on it, so the Helpdesk user group must not be added to the Administrators group of the servers. The problem is that the company's servers are also in the domain, and the server computers sit in the same OU as the employee computers. Moving computers between OUs in AD can also cause errors in the business systems (for example, an exception may occur when a server's OU is changed), so the OU cannot be adjusted. How, then, can we implement this restriction?
A simple and effective method is to create a Group Policy for the entire domain that adds the Helpdesk user group to the local Administrators group, and then restrict the Group Policy's security filtering so that the "Apply Group Policy" permission is denied for all server computers. The specific operation is as follows:
(1) Create a Helpdesk user group in AD and add the relevant Helpdesk users; create a ServerComputer group and add all servers to it.
(2) Open "AD Users and Computers" on the DC, open the Properties window of the domain, and click "Open" on the Group Policy tab to open Group Policy Management. Create a new Group Policy named Helpdesk and link it to the domain, so that it takes effect for all domain users.
(3) Right-click "Helpdesk" and select "Edit" from the pop-up menu; the Group Policy Editor is displayed.
(4) Expand "Computer Configuration", "Windows Settings", "Security Settings", "Restricted Groups", then create a new group "Helpdesk" and set it to be a member of the "Administrators" group.
In this way, every computer in the domain adds the Helpdesk group to its local Administrators group after applying the policy.
(5) In the left-hand tree, right-click "Helpdesk [xxx.com] Policy", select "Properties" from the pop-up menu, switch to the Security tab, add the server computer group ServerComputer, and then, in the permissions list below, set "Apply Group Policy" to Deny for that group.
(6) Click "OK" to save the Group Policy. Run gpupdate /force on an employee's computer to force an immediate Group Policy refresh; you can see that Helpdesk has been added to the Administrators group. But if you now log on to a server, you can see that Helpdesk has been added to its Administrators group as well. Why?
A computer that has been added to a group does not know that it is a member of that group until it has been restarted, so the computers in the ServerComputer group must be restarted! After restarting, we can see that Helpdesk is no longer added to the Administrators group.
What if a server has to run 24 hours a day and cannot be restarted? In that case, add each such server computer account individually to the security settings in step (5) and set the deny "Apply Group Policy" permission for each computer.
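The same procedure scripted in PowerShell, as an added example that is not part of the original article: it performs steps (1), (2) and (5) and the per-server deny described above for servers that cannot be restarted. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a session running as a Domain Admin, and placeholder names (hd.user1, SRV01, SRV02); step (4), the Restricted Groups setting, is still configured in the Group Policy Editor.

```powershell
# Added example (not the article's own code). Assumed names: hd.user1, SRV01, SRV02.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$gpoName   = 'Helpdesk'
$serverGrp = 'ServerComputer'
$noRestart = @('SRV02')   # servers that cannot be rebooted: deny them individually

# (1) Security groups for the Helpdesk users and for all server computer accounts.
foreach ($g in 'Helpdesk', $serverGrp) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}
Add-ADGroupMember -Identity 'Helpdesk' -Members 'hd.user1'
Add-ADGroupMember -Identity $serverGrp -Members (Get-ADComputer 'SRV01'), (Get-ADComputer 'SRV02')

# (2) Create the GPO and link it at the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $domainDn | Out-Null }

# (5) Security filtering: Deny "Apply Group Policy" to the server group, and also
# to each server that cannot be restarted to pick up its new group membership.
# Set-GPPermission cannot write a Deny entry, so the ACE is written to the GPO's
# AD object (the object GPMC edits). The GUID is the "Apply Group Policy" extended right.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$acl     = Get-Acl -Path $gpoPath
$sids    = @((Get-ADGroup $serverGrp).SID) + @($noRestart | ForEach-Object { (Get-ADComputer $_).SID })
foreach ($sid in $sids) {
    $ruleArgs = @($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGpRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs))
}
Set-Acl -Path $gpoPath -AclObject $acl

# Check: list every Deny entry on the Apply Group Policy right now present on the GPO.
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpRight } |
    Format-Table IdentityReference, AccessControlType, ObjectType
```

The final check corresponds to what GPMC shows under the GPO's Delegation tab; a server listed there by name is filtered out as soon as it next refreshes policy, without a reboot.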
[Note: Why does the Group Policy Management opened on the DC server not look the same as in step (2)? This is because GPMC needs to be installed. For more information, see configure.]