Selective Local Admin by Restricted Groups policy

Discussion in 'Microsoft Windows 2000 Group Policy' started by Rikard N, Dec 4, 2003.

  1. Rikard N

    Rikard N Guest

    Hi all,

    In our freshly installed Windows 2003 AD I know I will, for political
    reasons, be forced to give some of our users Administrator access to their
    Workstations/PCs.

    If I create a group say "Workstation Local Admins" (WLA) and put it together
    with Domain Admins into the restricted group
    BUILTIN\Administrators (in a GPO in OU=Users, Machine Policy) every user I
    put into WLA will become local administrator on every machine they log on
    to, right?

    There is a problem with this approach I think. Every WLA user will also
    become administrator on all the other WLA users' machines.
    This might be restricted by assigning which machines the user is allowed to
    log on to.

    So far I have come up with three ways/paths to try:

    1.
    This one I got from Jeremy Moskowitz (@NTForum Stockholm, thanks Jeremy,
    great speech btw) is to create a GPO for every user.
    This will solve the problem I am addressing but in a rather...messy way (as
    JM also pointed out).
    The good thing though is that all users who are Administrators will be
    documented.
    A downside is that there might be many GPOs and that the user will be local
    administrator on every machine he/she logs on to.

    2.
    I was also thinking of something like this:
    Pseudocode:
    IF %USERNAME% MEMBEROF("Local Admins") THEN
    NET LOCALGROUP ADMINISTRATORS %USERNAME% /ADD
    END IF

    ...but... at startup/logon isn't it too late to do this? And at startup
    %username% is = what? SYSTEM?

    3.
    Another solution might be to block the general GPO that assigns Domain
    Admins in Administrators and then manually administer every user's computer
    and keep some sort of documentation. Downside: the user can remove Domain Admins
    from Administrators and I lose control...


    Does any of you guys have a better/good solution?

    Regards,

    ..Rikard
     
    Rikard N, Dec 4, 2003
    #1
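    Since the thread never gets past "correct", here is an added example (not from the thread or any of its posters) in the direction Rikard's points 1 and 3 both raise: keeping local Administrators membership documented and noticing when it drifts on a given workstation. It assumes hypothetical names (domain CORP, one domain group per machine named LA-<computername>, sample workstations WS001/WS002) and a Restricted Groups GPO that is meant to keep exactly those members.

```powershell
# Added example (not from the thread): audit the local Administrators group
# on a list of workstations and report drift from an expected member set.
# Hypothetical names: domain CORP, and one domain group per machine named
# "LA-<computername>" holding that machine's permitted local admins. Uses the
# ADSI WinNT provider (Windows 2000/2003/XP, no extra modules); run as an admin.
param(
    [string[]]$Computers = @('WS001', 'WS002'),   # constructed sample list
    [string]$Domain = 'CORP'
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Each member is a COM object; read its Name and Parent (domain or machine)
    @($group.Invoke('Members')) | ForEach-Object {
        $name   = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        $parent = $_.GetType().InvokeMember('Parent', 'GetProperty', $null, $_, $null)
        $scope  = ($parent -split '/')[-1]          # "CORP" or "WS001"
        "$scope\$name"
    }
}

function Test-LocalAdminDrift {
    param([string]$Computer, [string]$Domain)
    $expected = @(
        "$Domain\Domain Admins",
        "$Computer\Administrator",
        "$Domain\LA-$Computer"
    )
    $actual = @(Get-LocalAdminMembers -Computer $Computer)
    # Unexpected: added by hand, or a WLA-style group that grants admin everywhere.
    # Missing: the policy was undone on that machine (the loss of control in approach 3).
    New-Object PSObject -Property @{
        Computer   = $Computer
        Unexpected = @($actual   | Where-Object { $expected -notcontains $_ })
        Missing    = @($expected | Where-Object { $actual   -notcontains $_ })
    }
}

foreach ($c in $Computers) {
    $r = Test-LocalAdminDrift -Computer $c -Domain $Domain
    if ($r.Unexpected.Count -or $r.Missing.Count) {
        Write-Output ("{0}: unexpected=[{1}] missing=[{2}]" -f $c,
            ($r.Unexpected -join ', '), ($r.Missing -join ', '))
    } else {
        Write-Output "${c}: OK"
    }
}
```

    Run it on a schedule and keep the output; a machine that reports "missing" Domain Admins is exactly the case where a user has undone the policy locally, and an "unexpected" entry documents an administrator the GPO did not grant.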

  2. Philip Nunn

    Philip Nunn Guest

    correct

    Philip Nunn

     
    Philip Nunn, Dec 4, 2003
    #2

  3. Rikard N

    Rikard N Guest

    Sorry, but that did not help me much ;-)

    ..Rikard

     
    Rikard N, Dec 5, 2003
    #3