Monday 12 June 2017

Protect Administrators Group Members via Group Policy Preference



Protect Administrators Group Members via Group Policy Preference




One of the problem we always face to restrict server local administrator’s privileges on computers. When you grant permissions someone, you can stop them from giving admin access to someone else on the same computer. Imagine if you have 1000 of computers in network, ideally we cannot discover all server’s local administrator’s membership and difficult to execute cleanup activity, if we do script based cleanup activity perhaps sometime genuine users will lost their permissions. Fortunately, Microsoft provides two mechanisms in Group Policy to manage local group membership. Restricted Groups allows you to overwrite the existing local group with what you have configured in the Group Policy setting. Though the Restricted group policy is straightforward and iron fist we have some limitations to execute dynamic variable.
The second one called Group Policy Preferences the Local Users and Groups extension allows you to ADD / Remove local administrators group members, additionally we have some enhanced feature to retrieve AD group certain variables.  

How do we protect local administrators group members via GPP?
Note: 
 You must make sure you don’t have any other Group Policy “Restricted Groups” settings applied to your computers as they will always override the group policy preferences settings. 
 Do not configure too many GPP Local Users and Group extension on the same OU or Sub OU, GPP would work based on their Order value, if we have too many GPP on the same OU hierarchy it may lead some conflicts.
LAB Speciation: 
Computer Name: W7-PC01
Computer Group: W7-PC01 (I have created group corresponding computer name; hence we can grant the permissions specific computer)
Group for Server Administrators: Server Admins we have some limitation to carry token size across network, hence we cannot put each server administrator 1000 of servers group. Hence I have created common group to grant access across servers.
OU: RootOU\ Computers (Computer placed on the ou)


Implement Group Policy: 
Open the Group Policy Management Console and edit the group policy that is applied to the scope of computers that you want to control.
Create GPO Restrict Local Administrators
 Go to the Computer Configuration > Preferences > Control Panel Settings > Local User and Groups option
Now click on Actions > New > Local Group
  Now you will be need to select “Administrators (built-in)” from the group name as this always selects the built-in administrators group even if you have renamed it to obfuscate the name of the admin account.
  Tick both “Delete all member users” and “Delete all member groups”. These two options will automatically remove any users or groups that are not explicitly being added to the group. You only need to do this on item number 1 in the list of settings as that setting will be processed last.
 Now you will need to make sure you have added back in the Domain Admin’s groups. To do this click the “Add…” button to bring up the “Local Group Member”
 Add “DOMAINNAME\Domain Admins” as it is a good practice to have the Domain Admins account as a member of the local admin group on all computers in the domain.  To do this we are going to use the DomainName variables. Click “Add…” again and now click in the “Name:” text field and then press F3. This will now bring up the “Select Variable” dialogue box. Click on the “DomainName” field and press “Select” and then “OK”.

 



   Adding Computer based group



Adding Server Admins for all Servers administration






By default, design even if we Enforce the policy to delete local Administrator this won’t be remove.
 All set! going forward the Group member’s administration taking care of Group Policy. Hence we don’t need to audit individual servers.
Though we have reduced too many administration effect, but still need to create Computer Name based AD group, there are some scripts are available in online to perform automatically via scheduled job.
**********************************End****************************************

No comments:

Post a Comment