PC Review
Selective Local Admin by Restricted Groups policy

Rikard N
4th Dec 2003
Hi all,

In our freshly installed Windows 2003 AD I know I will, for political
reasons, be forced to give some of our users Administrator access to their
Workstations/PCs.

If I create a group, say "Workstation Local Admins" (WLA), and put it together
with Domain Admins into the restricted group
BUILTIN\Administrators (in a GPO in OU=Users, Machine Policy), every user I
put into WLA will become local administrator on every machine they log on
to, right?

There is a problem with this approach, I think. Every WLA user will also
become administrator on all the other WLA users' machines.
This might be restricted by assigning which machines the user is allowed to
log on to.

So far I have come up with three ways/paths to try:

1.
This one I got from Jeremy Moskowitz (@NTForum Stockholm, thanks Jeremy,
great speech btw) is to create a GPO for every user.
This will solve the problem I am addressing but in a rather... messy way (as
JM also pointed out).
The good thing though is that all users who are Administrators will be
documented.
A downside is that there might be many GPOs and that the user will be local
administrator on every machine he/she logs on to.

2.
I was also thinking of something like this:
Pseudocode:
@echo off
rem Logon-script sketch: add the user to local Administrators if they belong to the domain group "Local Admins".
rem Needs whoami.exe (built into Windows Server 2003; Support Tools on Windows XP).
whoami /groups | findstr /l /i /c:"\Local Admins" >nul
if not errorlevel 1 net localgroup Administrators "%USERDOMAIN%\%USERNAME%" /add

...but... at startup/logon isn't it too late to do this? And at startup
%username% is = what? SYSTEM?

3.
Another solution might be to block the general GPO that assigns Domain
Admins to Administrators and then manually administer every user's computer
and keep some sort of documentation. Downside: the user can remove Domain Admins
from Administrators and I lose control...


Does any of you guys have a better/good solution?

Regards,

..Rikard
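An audit script that provides the documentation option 1 asks for and catches the drift option 3 fears (a user removing Domain Admins from the local Administrators group, or a WLA user turning up as administrator on somebody else's machine). It is added here as an example and is not part of the thread or of any Microsoft tool. It assumes a CSV file with columns Computer,AdminUser listing the one domain user documented as each workstation's admin (path .\wla-assignments.csv), a NetBIOS domain name CONTOSO, NetBIOS computer names in the file, and that the account running it is an administrator on every target; all of these are placeholders. Membership is read through the WinNT ADSI provider, which works against XP/2003 hosts without any remoting on the workstation side.

```powershell
# Added example (not from the thread): audit each workstation's local Administrators
# group against the membership it should have: Domain Admins, the local Administrator
# account, and the one domain user documented as that machine's admin.
# Placeholders assumed for illustration: domain name CONTOSO, the CSV path, and the
# machine/user names in it. Run from an account that is an administrator on the targets.
param(
    [string] $Domain  = 'CONTOSO',                 # assumed NetBIOS domain name
    [string] $MapFile = '.\wla-assignments.csv'    # assumed file with columns Computer,AdminUser
)

function Get-LocalAdministrators {
    param([string] $Computer)
    # The WinNT ADSI provider reads the group over the network from XP/2003 hosts,
    # so no PowerShell remoting is needed on the workstation side.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # AdsPath looks like WinNT://CONTOSO/jdoe or WinNT://PC01/Administrator
        $path = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-AdminMembership {
    param([string] $Computer, [string] $AssignedUser)
    # What the Restricted Groups "Members" list is meant to enforce on this machine.
    $expected = @("$Domain\Domain Admins", "$Computer\Administrator", "$Domain\$AssignedUser")
    $actual   = @(Get-LocalAdministrators -Computer $Computer)
    [pscustomobject]@{
        Computer = $Computer
        Missing  = @($expected | Where-Object { $actual   -notcontains $_ }) -join '; '
        Extra    = @($actual   | Where-Object { $expected -notcontains $_ }) -join '; '
    }
}

# Report only machines that drifted: a WLA user who is admin on somebody else's machine
# shows up under Extra, a removed Domain Admins shows up under Missing.
Import-Csv -Path $MapFile |
    ForEach-Object { Test-AdminMembership -Computer $_.Computer -AssignedUser $_.AdminUser } |
    Where-Object { $_.Missing -or $_.Extra } |
    Format-Table -AutoSize
```

A constructed wla-assignments.csv would hold lines such as "Computer,AdminUser" followed by "PC01,jdoe". Because a Restricted Groups "Members" list rewrites the group at every policy refresh, the audit matters most where that GPO is blocked (option 3) and between refreshes; the CSV itself doubles as the record of who is administrator where (option 1).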


Philip Nunn
5th Dec 2003
correct

Philip Nunn


Rikard N
5th Dec 2003
Sorry, but that did not help me much ;-)

..Rikard
