Re: Restricted groups local admins



Hi,

My comments are in-line.

--
Mike
Microsoft MVP - Windows Security

<snip>

I have created a group in AD called Local_Admins. I have put all users in this group.

Do you mean all users from your domain? If yes - why? This will make them
local administrators on all computers in your domain.
If you need this you could simply use "Domain Users" group...

I have then created a policy and used restricted users policy. I have created a group named Administrators

Hm? How did you create group named Administrators? It already exists in
Windows...

, did this by browsing the local PC and selected the Administrators group. I have then added domain_name\Domain admins and Domain_name\Local Admins to this group.

I am not sure what happened here, but what it looks like to me is that you selected the _domain_ group called "Administrators" and added the Domain Admins group inside along with your new group called Local Admins. Yes, this will also make them administrators in the domain.

As mentioned in my previous post -- you should not be using Restricted Groups for this task. You should use a script...

When I do this and go look at the built-in Administrators group in AD, and look at the Members of this group, both the local admin and domain group are members.

Then I go and look at the domain_name OU and under security, the Administrators group has full rights (along with Domain admins and other rights).

Thanks

"Miha Pihler [MVP]" wrote:

Hi,

Can you be specific which groups, to avoid confusion? There is a built-in Administrators group in Active Directory and there are built-in Administrators groups on every PC. Besides the name there is nothing else in common.

If a user is a member of the Administrators group on his PC, he is not also a member of the Administrators group in the domain! However -- this might not be true in the opposite direction... You should _not_ put your users in the domain built-in Administrators group! If you do -- yes, they will have full access to the domain...

This is why I usually try to avoid using Restricted Groups for managing built-in groups on client computers. Personally I rather use scripts. I only use Restricted Groups for managing domain groups -- such as Domain Administrators, Enterprise Administrators and other similar groups.

Here is an example of such script:

net localgroup administrators "Domain\PC_Admins" /add

Replace Domain with the NetBIOS name of your domain. Replace PC_Admins with the name of the group that you created in your domain and add users to this group. Users that you add to this group will have administrator permissions on this computer while they will not have excessive permissions in the domain.

Put the above command in a batch file and run it as a startup script (not a logon script) using Group Policy.

--
Mike
Microsoft MVP - Windows Security

"Jordy" <Jordy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85B8D30D-06DE-42FC-BA14-B8AF3578DE9C@xxxxxxxxxxxxxxxx
Hello

Thanks for the response...

The issue is, once I do the restricted groups and then check the Active Directory built-in groups, the Administrators group, that group is listed there (Local Admin group). Then I check out the security on the OU and the Administrator group from AD has full rights there.


"Miha Pihler [MVP]" wrote:

Hi Jordy,

If you do this correctly -- users do not get excessive access to domain resources. It is not true that the built-in Administrators group has full access to all domain resources (if you are talking about the Administrators group on your client PCs).

Can you check the following:
- Who are members (which users and groups) of the Domain Administrators group in your Active Directory?
- Who are members of the Administrators group in your Active Directory?
- Who are members of the Enterprise Administrators group in your Active Directory?

Make sure that groups like:
- Domain Users
- Users
- ...

are not members of the above-mentioned groups.

--
Mike
Microsoft MVP - Windows Security

"Jordy" <Jordy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:316E34C9-EA06-4E40-858E-05C92EBC60B7@xxxxxxxxxxxxxxxx
Hello

I followed the technote on how to add a group to all computers in a domain for local admin rights. This works great except I have found out that once I do this, all users have complete access to the domain objects. I assume this is because by default the built-in Administrators group has full rights to the domain. I assume I can just remove this group from the security tab of my OU in Active Directory.

Thanks
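The two practical pieces of Miha's advice, as an added example that is not part of the thread: an idempotent form of the startup-script step (the thread's own line is `net localgroup administrators "Domain\PC_Admins" /add`), and the membership audit he asks Jordy to run on Domain Admins, the domain's built-in Administrators group and Enterprise Admins. It is written for Windows PowerShell 5.1 or later with the RSAT ActiveDirectory module available on the machine that runs the audit; `DOMAIN`, `PC_Admins`, the `$BroadGroups` list and all function names are assumptions and placeholders, not anything the thread defines.

```powershell
# Added example, not from the thread. 'DOMAIN', 'PC_Admins' and the
# $BroadGroups default are placeholders/assumptions; replace with your own.

$DomainNetbios = 'DOMAIN'                    # placeholder: NetBIOS name of your domain
$DesiredMember = "$DomainNetbios\PC_Admins"  # domain group that should be a local admin

function Ensure-LocalAdminMember {
    # Idempotent replacement for the thread's "net localgroup ... /add" line.
    # Only the *local* Administrators group is touched; the domain's built-in
    # Administrators group is a different object that this never edits.
    param([Parameter(Mandatory)][string]$Member)

    $current = Get-LocalGroupMember -Group 'Administrators' |
               Select-Object -ExpandProperty Name

    if ($current -contains $Member) {
        Write-Verbose "$Member is already in local Administrators."
        return $false                         # nothing changed
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $Member
    Write-Verbose "Added $Member to local Administrators."
    return $true                              # membership changed
}

function Get-NestedGroups {
    # Yields the name of every group nested at any depth inside $Group.
    # Get-ADGroupMember -Recursive returns only leaf users/computers, so the
    # walk over nested groups is done by hand with a visited set to stop loops.
    # Foreign security principals (e.g. "Authenticated Users") are not expanded.
    param(
        [Parameter(Mandatory)][string]$Group,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    foreach ($m in Get-ADGroupMember -Identity $Group -ErrorAction Stop) {
        if ($m.objectClass -eq 'group' -and $Seen.Add($m.distinguishedName)) {
            $m.name
            Get-NestedGroups -Group $m.distinguishedName -Seen $Seen
        }
    }
}

function Get-BroadGroupsInAdminGroups {
    # The audit from the thread: flag broad groups nested inside admin groups.
    param(
        [string[]]$AdminGroups = @('Domain Admins', 'Administrators', 'Enterprise Admins'),
        # Assumed list of groups that must never sit inside an admin group.
        [string[]]$BroadGroups = @('Domain Users', 'Users', 'Domain Computers')
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    foreach ($group in $AdminGroups) {
        try {
            $nested = @(Get-NestedGroups -Group $group)
        } catch {
            # e.g. Enterprise Admins exists only in the forest root domain
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($hit in ($nested | Where-Object { $_ -in $BroadGroups })) {
            [pscustomobject]@{ AdminGroup = $group; BroadGroupNested = $hit }
        }
    }
}

# Startup-script use (runs as SYSTEM on each client): the returned flag lets
# you log only the boots on which something actually changed.
if (Ensure-LocalAdminMember -Member $DesiredMember) {
    Write-Output "Changed: $DesiredMember added to local Administrators on $env:COMPUTERNAME"
}

# Audit use, from an admin workstation with RSAT (not from the startup script):
# Get-BroadGroupsInAdminGroups | Format-Table
```

Save the top part as a `.ps1` and assign it under Computer Configuration as a startup script, as Miha describes for the batch version; an empty result from `Get-BroadGroupsInAdminGroups` is the state the thread is asking Jordy to confirm, and any row it prints names the nesting that would hand domain-wide rights to ordinary users.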
