Re: Rid AD of Circular Group Membership



If your client machines are in an OU structure, make an equivalent
Restricted Group def for Workstation Administrators in a GPO linked
to that OU, then after a day remove the def in the Default Domain Policy
GPO. That at least gets them out from the domain's Administrators group.
From what I (think I) have heard, they are still Domain Admins so they
will see no loss of grants by not being in the domain's Administrators group.
Then the tasks are getting membership in Domain Admins reduced, and
factoring Workstation Administrators, either by subsets of machines and
multiple such Workstation Administrators groups per subset (for people
that should have admin on all of the machines in that subset), and providing
for a local admin for the individual case-by-case, machine-by-machine.
I would try very hard to make sure that the account they use for day-to-day
is just a Domain Users member and is not a machine local Administrators
member anywhere (instead, they use their subset-WrkstnAdm account or
their machine local admin account when necessary; and the same is not
convenient for their day-to-day activities).
"savvy95" <savvy95@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:332B78A1-C06D-41B3-A535-BCB683A9CB5B@xxxxxxxxxxxxxxxx
Thanks for the tips.

Unfortunately since the previous Admin used Restricted Groups on the Default
Domain Policy, the Workstation Administrators group is in every computer in
the domain.

Politically speaking, the 30+ users only need admin rights on their own
machine. But as discussed earlier they really may not depending on their
questionnaire answers.

What I'd like to do is give them local admin rights so they don't complain
to the CEO. One solution is to make them local admin manually, but the
administration of the task for revolving personnel is time-consuming. My
preferred solution is to limit their logon computer, thereby limiting where
they are admin.

I'll try to keep you posted

"Roger Abell [MVP]" wrote:

Well, based on your reply elsewhere, 1000+ users, and clarification here
of the 30+ being the empowered, then I would think that there is room for
doing it up right, with some deliberation, use case survey/info-collection,
and group plan.

To break the immediate circularity you really only need to determine what
is the net result of membership in each. Then one way would be to set
a new temp group with "the excess" made a member in each existing group
but with these each otherwise reduced to what you initially feel are those
that will end up with each membership. That would give you a no-change
first cut as reduction, and a tree structure for the group nesting.

Administrators group in the domain can manage the domain controllers
(updates, services, etc.) and have use on members if it is used there.
They do not have broad access across client systems and member servers
(assuming Domain Admins default membership in every machine local
Administrators group is still intact), nor do they have empowerments over
Active Directory and its objects. My guess is almost all that Domain
Admins is being used for by the 30+ can be delegated (ex. dlg_AddUser
custom group, whose members have ability to manipulate domain users
being defined, perhaps more, etc.). Administrators group of the domain
only needs accounts used for config/update of the DCs' OS.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"savvy95" <savvy95@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3EFCC5BF-5C03-4FBC-9287-07A13EE39C25@xxxxxxxxxxxxxxxx
Thank you Roger for your replies.

You are right, correcting this debacle will have educational and political
implications and large butcher's paper will be needed. I'll be sketching
until the new year when I will begin testing, then implementing mid/end
January.

Please explain the advantage of upgrading to VISTA in this situation.

BTW:
2nd thoughts; under assumption everyone is admin all ways.
Only the 30 employees are admin (of the domain)

I'll try to keep this going; because it might be useful to another admin

"Roger Abell [MVP]" wrote:

2nd thoughts; under assumption everyone is admin all ways.

The guess is each has an account and uses it, rather than two
with the empowered used selectively. ??

So, if so, you have an educational, as well as the political,
issue(s) to resolve - not just the restructuring if/as included.

For a larger environment we would sketch out the roles
in groups: adm on any station (non-svr), adm on subset or one,
server adm(s) similarly, groups for delegations off of dom adms,
etc. and have gpo inject the more broadly used (adm on some
part of stations) into the machine local Administrators group.
The Users group has memberships appropriate for account(s)
that ought be able to log into each (subset/individual) machine.

The users who might answer "yes" if asked "do you do things
regularly other than install stuff? things that need admin?"
are candidates for a machine local account that is in that
machine's Administrators group. Their daily-use account
being just a Users member.

The idea is, get them reduced. The plan is then upgrade
them to Vista, that their reduced empowerment is then
constrained.

Even with environment some 50 or 100 times smaller by
machines, 200-300 by users, use of the few needed groups
can be used for "political" leverage. It is just a correct
design approach generally, and from that falls out some
flexibilities that can help to resolve the "issues" mentioned
previously. Notice that when groups are used through-out
to the local machine level, some of those groups can be
usefully present when empty, example: no one having
Administrators membership on a machine via domain
accounts other than the lightly used dom admins, but if one
needs, the whole crew has their dom user account elevated
to an admin on all of the stations until the upgrade is done.

Craft in the empowerments with the group design elected,
parallel current rights by populating these groups (can be
in two parts - what stays, what is just for now), find out
what IS commonly used, provide for it, transition from the
original empowerments to "the used" provisions.
Providing the grease entails some AD delegations, some
group control on the local machines - plus a local admin
where needed (local account).

Domain Admins should be little used in the size system you
mentioned if but a few key delegations are made. Those that
access DA, for config change or more likely monitoring AD,
scanning stations, etc. should be few; those that can DA use
a Domain Users acct for normal login.
Normal, is normal; their most common login.
Dancing to one's own drum aids the "educational" and the
"political" (perhaps better called the "owner's concerns")
issues to flex out their ultimate balances.

That's some real late night hand waves. But think of it this
way. If there is sensitive info, and it can flow, machine to
machine, at some point one may have to account for all
accounts with accessibility, perhaps account even tighter.
As a design can allow, ask how important is controlling the
"random domain account" sampling of any machine's store
of files now enabled by the existing. Etc. You need some
clarity on importance of key factors to the ownership.
Addressing what might be your political and educational
issues flows from there.

Good luck,
ra

"savvy95" <savvy95@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2AF54D66-CE39-4369-A373-1422ED5AFE8E@xxxxxxxxxxxxxxxx
I took over AD from the previous admin (and you'll see why) and ask for
comments and suggest how I can back out of this:

Administrators Group has as members:
Domain Admins
Workstation Administrators (this was created so users can be admins of
their own machine)

Domain Admins Group has as members
Workstation Administrators

Workstation Administrators has as members
Domain Admins

Plus he added to the Restricted Groups on the Default Domain Policy GPO,
Administrators and Power Users Group.

Now Everyone who's a Workstation Administrator is a Domain Admin; and
there's over 30 people, including the CEO and other executives.

I think simply removing the Workstation Administrators group will cause
utter riot; because then users who were administrators of their machine will
no longer have that role. And some (silly) people ran services under their
account.

Can anyone help me back out of this, with minimal impact on user's ability to
control their own machine.

Thank you, thank you, thank you in advance.
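Added example (PowerShell), not code from this thread or from any of its posters. It models the three groups the original post describes as a constructed in-memory map with two made-up accounts, reports the circular nesting, computes the effective membership that results (the "net result of membership in each" that has to be known before any restructuring), and runs the same checks against a first-cut tree-shaped layout in which a hypothetical temporary group holds the accounts that keep Domain Admins for now. The names tmp_DA_Excess, ceo and jdoe are assumptions; the Get-ADGroup call mentioned in the comment is the RSAT cmdlet you would use to populate the map from a live domain and is not executed here.

```powershell
# Added example, not code from the thread. $Nesting is CONSTRUCTED to mirror
# the groups in the original post, plus two made-up accounts (ceo, jdoe).
# In a live domain you would build the same group -> direct members map from
# Active Directory, e.g. with the RSAT cmdlet
#   Get-ADGroup -Filter * -Properties member
# That live step is deliberately not part of this offline example.

$Nesting = @{
    'Administrators'             = @('Domain Admins', 'Workstation Administrators')
    'Domain Admins'              = @('Workstation Administrators')
    'Workstation Administrators' = @('Domain Admins', 'ceo', 'jdoe')
}

function Find-GroupCycles {
    param([hashtable]$Map)
    # Depth-first walk from every group. A path that returns to its starting
    # group is a cycle; each cycle is reported once, keyed by its member set.
    $seen   = @{}
    $cycles = New-Object -TypeName 'System.Collections.Generic.List[string]'
    foreach ($start in $Map.Keys) {
        $stack = New-Object -TypeName 'System.Collections.Generic.Stack[object]'
        $stack.Push(@($start))
        while ($stack.Count -gt 0) {
            $path    = $stack.Pop()
            $current = $path[-1]
            foreach ($member in @($Map[$current])) {
                if ($member -eq $start) {
                    $key = ($path | Sort-Object) -join '|'
                    if (-not $seen.ContainsKey($key)) {
                        $seen[$key] = $true
                        $cycles.Add((($path + $member) -join ' -> '))
                    }
                } elseif ($path -contains $member) {
                    continue   # a loop not passing through $start; found from its own node
                } elseif ($Map.ContainsKey($member)) {
                    $stack.Push(@($path + $member))
                }
            }
        }
    }
    return $cycles
}

function Get-EffectiveMembers {
    param([hashtable]$Map, [string]$Group)
    # Transitive closure of membership. The visited set is what keeps this from
    # looping forever when the nesting is circular, as it is in $Nesting.
    $visited = @{}
    $queue   = New-Object -TypeName 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($Group)
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if (-not $Map.ContainsKey($g)) { continue }
        foreach ($m in @($Map[$g])) {
            if (-not $visited.ContainsKey($m)) {
                $visited[$m] = $true
                $queue.Enqueue($m)
            }
        }
    }
    # Report only accounts (leaves); nested group names are intermediate steps.
    return @($visited.Keys | Where-Object { -not $Map.ContainsKey($_) } | Sort-Object)
}

# First cut, no change of rights, in the shape Roger describes: the two
# cross-memberships are removed and the accounts that still hold Domain Admins
# for now sit in a temporary group (tmp_DA_Excess, a made-up name) nested
# once, so the nesting is a tree instead of a loop. Effective membership of
# the three original groups is identical before and after.
$Fixed = @{
    'Administrators'             = @('Domain Admins')
    'Domain Admins'              = @('tmp_DA_Excess')
    'tmp_DA_Excess'              = @('ceo', 'jdoe')
    'Workstation Administrators' = @('ceo', 'jdoe')
}

foreach ($label in 'Nesting', 'Fixed') {
    $map = Get-Variable -Name $label -ValueOnly
    "--- $label ---"
    $found = @(Find-GroupCycles -Map $map)
    if ($found.Count -eq 0) { "no circular nesting" }
    else { $found | ForEach-Object { "cycle: $_" } }
    foreach ($g in 'Administrators', 'Domain Admins', 'Workstation Administrators') {
        "effective members of ${g}: " + ((Get-EffectiveMembers -Map $map -Group $g) -join ', ')
    }
}
```

Run it in a plain PowerShell session with no module loaded; the first block prints the Domain Admins / Workstation Administrators loop and shows both made-up accounts as effective Domain Admins, the second prints no cycle with the same effective membership. The effective-membership comparison is the check to keep as each later cut removes accounts from tmp_DA_Excess: any account that drops out of a group's effective list is a rights change that needs an owner's sign-off.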