I believe this adds read-only functionality to a Windows/AD group, which is OK. What I was looking at doing was this:
Add Windows\AD group helpdesk as a login.
Give it public access to the database.
Create a user-defined database role that has the read-only rights and the one table update.
Add this Windows\AD group login to the user-defined database role.
Am I missing something?
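
The four steps above written out as T-SQL, as an added example that is not part of the original post. The domain `CONTOSO`, database `AppDb`, table `dbo.Tickets` and role name `helpdesk_limited` are assumed names, and "read only rights" is taken to mean SELECT across the whole database.

```sql
-- Added example. CONTOSO, AppDb, dbo.Tickets and helpdesk_limited are
-- hypothetical names; substitute your own.

-- Step 1: add the Windows/AD group as a server login.
USE [master];
CREATE LOGIN [CONTOSO\helpdesk] FROM WINDOWS;
GO

-- Step 2: map the login to a database user. A new user is a member of
-- the public role only and receives CONNECT on the database.
USE [AppDb];
CREATE USER [CONTOSO\helpdesk] FOR LOGIN [CONTOSO\helpdesk];
GO

-- Step 3: user-defined role carrying read-only rights plus UPDATE on one table.
CREATE ROLE [helpdesk_limited];
GRANT SELECT TO [helpdesk_limited];                          -- database-wide read
GRANT UPDATE ON OBJECT::dbo.Tickets TO [helpdesk_limited];   -- the single writable table
GO

-- Step 4: put the group's database user into the role
-- (ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later).
ALTER ROLE [helpdesk_limited] ADD MEMBER [CONTOSO\helpdesk];
GO

-- Check: list what the role and the group's user were actually granted.
-- Expect SELECT at DATABASE scope, UPDATE on dbo.Tickets, CONNECT for the user.
SELECT pr.name                         AS principal_name,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'helpdesk_limited', N'CONTOSO\helpdesk');

-- Check: confirm role membership.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'helpdesk_limited';
```

Members of the AD group may also hold rights through other groups or logins, so the permission listing covers only what this role and user grant directly.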