Re: Restricted groups local admins
- From: Jordy <Jordy@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 15 Aug 2006 08:03:02 -0700
Hello
I have created a group in AD called Local_Admins. I have put all users in this group.
I have then created a policy and used the restricted users policy. I have created a group name called Administrators; I did this by browsing the local PC and selecting the Administrators group. I have then added domain_name\Domain Admins and Domain_name\Local Admins to this group.
When I do this and go look at the built-in Administrators group in AD, and look at the members of this group, both the local admin and domain group are members.
Then I go and look at the domain_name 'O' and under security, the Administrators group has full rights (along with Domain Admins and other rights).
Thanks
"Miha Pihler [MVP]" wrote:
Hi,
Can you be specific about which groups, to avoid confusion? There is a built-in Administrators group in Active Directory and there are built-in Administrators groups on every PC. Beside the name there is nothing else in common.
If a user is a member of the Administrators group on his PC, he is not also a member of the Administrators group in the domain! However -- this might not be true in the opposite direction... You should _not_ put your users in the domain built-in Administrators group! If you do -- yes, they will have full access to the domain...
This is why I usually try to avoid using restricted groups for managing built-in groups on client computers. Personally I would rather use scripts. I only use Restricted Groups for managing domain groups -- such as Domain Administrators, Enterprise Administrators and other similar groups.
Here is an example of such a script:
net localgroup administrators "Domain\PC_Admins" /add
Replace Domain with the NetBIOS name of your domain. Replace PC_Admins with the name of the group that you created in your domain and add users to this domain. Users that you add to this group will not have administrator permissions on this computer while they will not have excessive permissions in the domain.
Put the above command in a batch file and run it as a startup script (not a logon script) using group policy.
--
Mike
Microsoft MVP - Windows Security
"Jordy" <Jordy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85B8D30D-06DE-42FC-BA14-B8AF3578DE9C@xxxxxxxxxxxxxxxx
Hello
Thanks for the response...
The issue is, once I do the restricted groups and then check the Active Directory built-in groups, the Administrators group, that group is listed there (Local Admin group). Then I check out the security on the O and the Administrators group from AD has full rights there.
"Miha Pihler [MVP]" wrote:
Hi Jordy,
If you do this correctly -- users do not get excessive access to domain resources. It is not true that the built-in Administrators group has full access to all domain resources (if you are talking about the Administrators group on your client PCs).
Can you check the following:
- Who are the members (which users and groups) of the Domain Administrators group in your Active Directory?
- Who are the members of the Administrators group in your Active Directory?
- Who are the members of the Enterprise Administrators group in your Active Directory?
Make sure that groups like:
- domain users
- users
- ...
are not members of the above mentioned groups.
--
Mike
Microsoft MVP - Windows Security
"Jordy" <Jordy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:316E34C9-EA06-4E40-858E-05C92EBC60B7@xxxxxxxxxxxxxxxx
Hello
I followed the technote on how to add a group to all computers in a domain for local admin rights. This works great except I have found out that, once I do this, all users have complete access to the domain objects. I assume this is because by default the built-in Administrators group has full rights to the domain. I assume I can just remove this group from the security tab of my O unit in Active Directory.
Thanks
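The two pieces of Mike's advice above, the startup script that adds a domain group to the local Administrators group and the checklist of who is nested inside the domain's privileged groups, as one added PowerShell example (not code from the thread). It assumes Windows PowerShell 5.1+ with the LocalAccounts module on the client and the RSAT ActiveDirectory module on the admin workstation; DOMAIN and PC_Admins are placeholders for your own names.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1+
# (LocalAccounts module on the client, RSAT ActiveDirectory module on the
# admin workstation). DOMAIN and PC_Admins are placeholders for your own names.
$Domain   = 'DOMAIN'      # NetBIOS name of the domain (placeholder)
$PcAdmins = 'PC_Admins'   # domain group that should be local admin on PCs (placeholder)

# Step 1 (client, startup script): the "net localgroup" step, made idempotent so
# it can run at every boot without erroring when the group is already present.
function Add-PcAdminsToLocalAdministrators {
    param([string]$Member = "$Domain\$PcAdmins")
    $present = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $_.Name -ieq $Member }
    if ($present) { return 'already present' }
    Add-LocalGroupMember -Group 'Administrators' -Member $Member
    return 'added'
}

# Step 2 (domain): walk nested membership of the privileged domain groups and
# report any broad group found inside them. That nesting, not the local
# Administrators group on PCs, is what hands every user full rights on the domain.
function Get-NestedGroupNames {
    param([string]$Group, [System.Collections.Generic.HashSet[string]]$Seen)
    foreach ($m in Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue) {
        if ($m.objectClass -eq 'group' -and $Seen.Add($m.SamAccountName)) {
            $m.SamAccountName                                          # emit this group
            Get-NestedGroupNames -Group $m.SamAccountName -Seen $Seen  # then recurse
        }
    }
}

function Test-PrivilegedGroupMembership {
    # Enterprise Admins exists only in the forest root domain; elsewhere the lookup is skipped
    $privileged = 'Domain Admins', 'Administrators', 'Enterprise Admins'
    $broad      = 'Domain Users', 'Users', $PcAdmins
    foreach ($g in $privileged) {
        $seen = [System.Collections.Generic.HashSet[string]]::new()
        foreach ($nested in Get-NestedGroupNames -Group $g -Seen $seen) {
            if ($broad -contains $nested) {
                [pscustomobject]@{ PrivilegedGroup = $g; UnexpectedNestedGroup = $nested }
            }
        }
    }
}

$findings = @(Test-PrivilegedGroupMembership)
if ($findings.Count -eq 0) { 'No broad groups nested in privileged domain groups.' }
else { $findings | Format-Table -AutoSize }
```

Step 1 is what the GPO startup script runs on each PC; Step 2 is run once from an admin workstation and any row it prints is a group that must be removed from the privileged domain group.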