Thursday, April 30, 2009

How to Secure Local Administrators Group on Every Desktop

Task 1 - Remove Domain User Account

The initial task of securing the local Administrators group is to ensure that the user no longer has membership in the group. This is easier said than done, since most companies have configured the user’s domain account to have membership in this group at installation of the user’s computer.

Consider a scenario where you have resolved the issue of having users running as local Administrator and now you need to remove the domain user accounts from the local Administrators group on every desktop in your environment. You only have 10,000 desktops, laptops, and remote users.

If you create a script to perform this task, you are relying on the user to log off and back on for the script to run. That is not likely to happen on even half of the desktops, so you need another option.

As a perfect solution, you can use the Local Group – Group Policy Preference to accomplish the task within about 90 minutes of you implementing it. To get the job done, you simply need to edit a Group Policy Object (GPO) and configure the following policy:

User Configuration\Preferences\Control Panel Settings\Local Users and Groups\New\Local Group, which will open up the New Local Group Properties dialog box.

After you open up this property sheet, simply select the Remove the current user radio button. This will affect all user accounts that are in the scope of management of the GPO containing this setting. This setting will apply during the next Group Policy background refresh, which is under 90 minutes.

Task 2 - Add Domain Admins and Local Administrator

The next phase of securing the local Administrators group is to ensure that the Domain Admins global group and the local Administrator account are both added to the local Administrators group on every desktop.

Many have attempted this by using the Restricted Groups policy that has been in Windows Active Directory Group Policy from the onset. The problem with this solution is that the Restricted Groups policy is a “delete and replace” policy, not an “append” policy. Thus, when you configure a policy to perform this task, you will wipe out the contents of the local Administrators group, replacing it with only these two accounts.

By using the Local Users and Groups policy described in Task 1, you can not only remove the currently logged-on user, but also add the two key accounts that ensure the correct administrative privileges are set on each desktop.

Task 3 - Remove Specific Accounts

The final stage of securing the local Administrators group is to ensure that only the correct accounts have membership. In many cases, there have been groups from the domain added to the local Administrators group to perform a specific task, complete a project, or perform maintenance. If these groups are no longer needed in the local Administrators group, you can simply remove them with the new Local Users and Groups policy.

In the same way that you added the two accounts in Task 2, you can add to the policy the accounts that need to be removed. To do this, ensure that you select the "Remove from this group" option when you add the account to the policy.
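A verification step the post does not include: the PowerShell audit below, added here as an example (not from the original post), compares a desktop's current local Administrators membership with the end state that Tasks 1 through 3 aim for, so you can check that the preference actually applied. The domain name CONTOSO and the allowed-member list are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): audit a desktop's local
# Administrators group against the end state of Tasks 1-3. The domain
# name CONTOSO and the allowed-member list are assumptions; change them.

function Get-AdminGroupDrift {
    param(
        # Current members, written as DOMAIN\Name or COMPUTER\Name
        [Parameter(Mandatory)] [string[]] $Members,
        # Accounts that should be members after Task 2
        [string[]] $Allowed = @('CONTOSO\Domain Admins', "$env:COMPUTERNAME\Administrator"),
        # Prefix that marks a domain principal (what Task 1 and Task 3 remove)
        [string] $DomainPrefix = 'CONTOSO\'
    )

    # -notcontains compares case-insensitively, matching Windows account names
    $missing    = @($Allowed | Where-Object { $Members -notcontains $_ })
    $unexpected = @($Members | Where-Object { $Allowed -notcontains $_ })

    [pscustomobject]@{
        Missing          = $missing
        # Domain users and groups the preference should have stripped
        UnexpectedDomain = @($unexpected | Where-Object { $_ -like "$DomainPrefix*" })
        # Extra local accounts the policy does not address; review by hand
        UnexpectedLocal  = @($unexpected | Where-Object { $_ -notlike "$DomainPrefix*" })
        Compliant        = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Live membership on this desktop (Windows PowerShell 5.1+, LocalAccounts module):
#   $members = (Get-LocalGroupMember -Group Administrators).Name
#   Get-AdminGroupDrift -Members $members

# Constructed sample: a desktop as it typically looks before the GPP applies
$sample = @(
    'CONTOSO\jsmith',            # user's domain account added at install (Task 1)
    'CONTOSO\Domain Admins',
    'CONTOSO\Deskside-Project',  # project group left behind (Task 3)
    "$env:COMPUTERNAME\Administrator"
)
Get-AdminGroupDrift -Members $sample | Format-List
```

Run it from the GPO's scope of management before and after the background refresh; once the preference has applied, UnexpectedDomain should be empty and Compliant should be True.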

Obtaining the Tools and the Rules

In order for you to take advantage of these settings, you only need to have ONE of the following on your network:

* Windows Server 2008
* Windows Vista SP1, with the Remote Server Administration Tools (RSAT) installed

Both of these operating systems come with the new and improved Group Policy Management Console and Group Policy Management Editor.

The settings that are included in the new Group Policy Preferences can apply to the following operating systems:

* Windows XP SP2 and higher
* Windows Server 2003 SP1 and higher
* Windows Vista SP1 and higher
* Windows Server 2008 and higher
