System Admin - Tomasz


Craig

Hi Tomasz.
I was wondering if you could make this a bit clearer.
This is what you replied to me on the Microsoft Newsgroup
for Active Directory:

This was discussed today on this list - You can accomplish this by
forcing administrators group membership via Restricted Group settings in
GPO. This option lets You specify who will be a member of a specified
group (for example administrators) and then force this setting on all
systems which are under the scope of this GPO


The situation is this:
We have a tech whom we do not want to make a part of any admin group,
but who should still have the capability of installing software. Is that
possible? I guess I did not understand the "specified group" part. We do
not want to make him part of this group (administrators). We want to keep
him a domain user, but with the ability to install software (limited
administrative rights). I have tested out a few things (delegating
control, for one), but it doesn't seem to have the choices that I want.
It seems that he needs to be at least a power user on the local PC,
because I tried it with a user account locally, which didn't work. But
when I gave him "Power user" rights, it seemed to work.

Any ideas would be greatly appreciated.


Thanks again for your post.

Craig
 

Oli Restorick [MVP]

Delegation of rights allows a user or group to manipulate objects in the
Active Directory. This is distinct from having privileges at any particular
PC.

To be able to properly install software, he would need to be a member of the
local administrators group at any machine on which you want him to be able
to install software. You do not have to make him a domain admin for this.

There is a feature called "restricted groups" which allows you to control
the membership of local administrator groups. However, my preferred method
is to use group policy to run the command "net localgroup administrators
domain\mygroup /add" as a computer startup script. This will add "mygroup"
to the local administrators group.

The whole concept of a "restricted admin" is invalid. If you have the
ability to install software, you have the ability to change the software on
the PC and that could include making yourself an administrator of that PC.

You also need to take into account any administrative dependencies
which may arise. For instance, if you routinely log in using a domain
administrator account anywhere other than domain controllers, an employee
with administrative rights to a machine where you log in with domain admin
rights could very easily elevate their privileges. This is not a weakness
in Windows. It's a weakness that many people have in their network
administration procedures.

Regards

Oli
 

Tomasz Onyszko

Oli Restorick [MVP] wrote:

Thanks Oli - I was called to answer to this question but Your answer is
perfect and I have nothing more to add.

(...)
There is a feature called "restricted groups" which allows you to control
the membership of local administrator groups. However, my preferred method
is to use group policy to run the command "net localgroup administrators
domain\mygroup /add" as a computer startup script. This will add "mygroup"
to the local administrators group.

(...)

I'm using "restricted groups" for this; the main reason is - if anyone
adds himself to the admin group while the workstation is running, this
will get rid of him at the next GPO refresh on the workstation. I know this
is not perfect either, but it is good enough for some "smart guys" or some
admins who make a mess of the group membership (You know this talk: "I
add this user for a moment to the Administrator group and then, when I
finish my work, I will remove him from it")
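The two approaches in this thread, Oli's "net localgroup administrators domain\mygroup /add" startup script and Tomasz's point that Restricted Groups also throws out anyone who added himself in the meantime, can be combined in one computer startup script. The following PowerShell is an added example written for this page; it is not code from either poster. It assumes a domain called CONTOSO and an approved group CONTOSO\WorkstationTechs (both placeholder names), that the built-in local Administrator account has not been renamed, and that the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) are available. Run it as a GPO computer startup script so it executes as SYSTEM.

```powershell
# Added example (not from the thread). Enforces local Administrators
# membership at startup: ensures the approved principals are present (what
# the "net localgroup ... /add" startup script does) and reports, or with
# -Enforce removes, any member that is not on the approved list (what
# Restricted Groups does at each GPO refresh).
# Assumptions: domain CONTOSO and group WorkstationTechs are placeholders;
# the built-in local Administrator account keeps its default name.
param(
    [string]$Domain = 'CONTOSO',
    [string[]]$ApprovedDomainMembers = @('Domain Admins', 'WorkstationTechs'),
    [switch]$Enforce    # without -Enforce the script only reports drift
)

$Group = 'Administrators'

# Approved principals in the DOMAIN\name form that Get-LocalGroupMember reports.
$Approved = @("$env:COMPUTERNAME\Administrator") +
            ($ApprovedDomainMembers | ForEach-Object { "$Domain\$_" })

function Get-CurrentMembers {
    # Names only; orphaned SIDs from deleted accounts are skipped rather
    # than aborting the script.
    Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

# 1. Make sure every approved principal is a member.
$Current = Get-CurrentMembers
foreach ($Principal in $Approved) {
    # -notcontains compares case-insensitively, as Windows account names do.
    if ($Current -notcontains $Principal) {
        Add-LocalGroupMember -Group $Group -Member $Principal
        Write-Output "Added $Principal to $Group"
    }
}

# 2. Anything else is drift: a user who added himself, or an admin who
#    "temporarily" added someone and forgot. Report it, and remove it when
#    -Enforce is given.
$Current = Get-CurrentMembers
foreach ($Member in $Current) {
    if ($Approved -notcontains $Member) {
        if ($Enforce) {
            Remove-LocalGroupMember -Group $Group -Member $Member
            Write-Output "Removed unexpected member $Member from $Group"
        } else {
            Write-Warning "Unexpected member of ${Group}: $Member"
        }
    }
}
```

Running it without -Enforce for a while first shows which machines have drifted before membership is actually corrected; the Write-Output and Write-Warning lines are what you would forward to central logging so that unexpected local admins are visible rather than silently cleaned up.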
 
