Protect
Administrators Group Members via Group Policy Preference
One
of the problem we always face to restrict server local administrator’s
privileges on computers. When you grant permissions someone, you can stop them
from giving admin access to someone else on the same computer. Imagine if you have 1000 of computers
in network, ideally we cannot discover all server’s local administrator’s
membership and difficult to execute cleanup activity, if we do script based
cleanup activity perhaps sometime genuine users will lost their permissions.
Fortunately, Microsoft
provides two mechanisms in Group Policy to manage local group membership. Restricted Groups allows you to
overwrite the existing local group with what you have configured in the Group
Policy setting. Though the Restricted group policy is straightforward and iron fist
we have some limitations to execute dynamic variable.
The
second one called Group Policy
Preferences the Local Users and Groups extension allows you to ADD / Remove
local administrators group members, additionally we have some enhanced feature
to retrieve AD group certain variables.
How
do we protect local administrators group members via GPP?
Note:
You must make sure you don’t have any other Group Policy “Restricted Groups” settings applied to your computers as they will always override the group policy preferences settings.
Do not configure too many GPP Local Users and Group extension on the same OU or Sub OU, GPP would work based on their Order value, if we have too many GPP on the same OU hierarchy it may lead some conflicts.
You must make sure you don’t have any other Group Policy “Restricted Groups” settings applied to your computers as they will always override the group policy preferences settings.
Do not configure too many GPP Local Users and Group extension on the same OU or Sub OU, GPP would work based on their Order value, if we have too many GPP on the same OU hierarchy it may lead some conflicts.
LAB Speciation:
Computer Name: W7-PC01
Computer Name: W7-PC01
Computer
Group: W7-PC01 (I have
created group corresponding computer name; hence we can grant the permissions specific
computer)
Group
for Server Administrators: Server Admins
we have some limitation to carry token size across network, hence we cannot
put each server administrator 1000 of servers group. Hence I have created
common group to grant access across servers.
OU:
RootOU\ Computers
(Computer placed on the ou)
Implement Group
Policy:
Open the Group Policy Management Console and edit the group policy that is applied to the scope of computers that you want to control.
Open the Group Policy Management Console and edit the group policy that is applied to the scope of computers that you want to control.
Go to the Computer Configuration
> Preferences > Control Panel Settings > Local User and Groups option
Now click on Actions > New >
Local Group
Now you will be need to select
“Administrators (built-in)” from the group name as this always selects the
built-in administrators group even if you have renamed it to obfuscate the name
of the admin account.
Tick both “Delete all member users”
and “Delete all member groups”. These two options will automatically remove any
users or groups that are not explicitly being added to the group. You only need
to do this on item number 1 in the list of settings as that setting will be processed
last.
Now you will need to make sure you
have added back in the Domain Admin’s groups. To do this click the “Add…”
button to bring up the “Local Group Member”
Add “DOMAINNAME\Domain Admins” as
it is a good practice to have the Domain Admins account as a member of the
local admin group on all computers in the domain. To do this we are going to use the DomainName
variables. Click “Add…” again and now click in the “Name:” text field and then
press F3. This will now bring up the “Select Variable” dialogue box. Click on
the “DomainName” field and press “Select” and then “OK”.
Adding Computer based group
Adding Server Admins for all
Servers administration
By default, design even if we Enforce
the policy to delete local Administrator this won’t be remove.
All set! going forward the Group member’s
administration taking care of Group Policy. Hence we don’t need to audit individual
servers.
Though we have reduced too many
administration effect, but still need to create Computer Name based AD group,
there are some scripts are available in online to perform automatically via scheduled
job.
**********************************End****************************************
