How would you remove the Domain Users group from the Builtin\Administrators group?
  • #1

    So I have just come into an environment where I have been asked to fix the AD environment.

    One of the first things that I found, which is giving me a heart attack and heartache, is that at some point in the past someone added the Domain Users group to the Builtin\Administrators group. Because of this, even a completely new user can RDP to any server and have full access. This is a terrifying thought. Unfortunately this is a 24/7 production environment that cannot have extended downtime, so simply taking the Domain Users group out and checking for issues isn't an option.

    My proposed solution was to add all users in the Domain Users group into a new group (All Users) which is in the same OU as Domain Users. Then we could put that into the Builtin\Administrators group, let it propagate, remove the Domain Users group, let it propagate, and then we have a system with all users still having the same rights, but we can create new test users and confirm applications and such are functioning correctly before removing production users from the Builtin\Administrators group.

    The problem I have run into though is that some time after I put the All Users group in the Builtin\Administrators group the All Users group got removed from the Builtin\Administrators group. I am unsure who or what did this. There is only one Domain Controller active in the environment (two others were built but had replication errors and caused the environment to crash and have to be restored). Initially I put the All Users group in the Builtin\Administrators group two days ago and found that it was gone this morning (When we were planning to remove the Domain Users group). I re-added the group and about 15 minutes later it was gone.

    I have enabled the Audit Directory Service Access in the DC Default Group Policy. I have also set up the SACL for the Builtin\Administrators to log all Successes and Failures for Everyone in the default categories I was given. Since then it has been an hour and there has been no change; All Users is still in the Builtin\Administrators group. I have logged off and on the server several times, so hopefully everything has updated.

    I was hoping to get any other suggestions or corrections to my methodology for this, as well as any other information anyone may have on what I can expect or should be looking for. Additional info on the environment: it is a highly mixed environment with users on PC, Linux, and Mac; the servers are a mix of Windows and Linux, and there are several physical appliances (storage and such) which utilize either AD directly or through LDAP. The DC itself is a 2012 Standard server, but the Forest and Domain are running under the 2003 functional level. I have a lot of work moving forward; however, until I get all the users in the environment out of the Builtin\Administrators group I am afraid that any other changes would just cause more problems or would be masked by this massive issue.
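    Added example (not part of the original post or any poster's code): a PowerShell snippet for the situation described above that snapshots the direct members of the Builtin Administrators group in AD and then pulls the Security-log events that record who added or removed a member, which is the quickest way to see what is undoing the change. It assumes the ActiveDirectory module and that it runs on the domain controller whose Security log holds the events. One caveat: the Directory Service Access SACL described above yields 4662 object-access events, while membership add/remove events (4728/4729, 4732/4733, 4756/4757) come from the "Audit Security Group Management" subcategory, so that subcategory needs to be enabled as well.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and that it
# runs on the domain controller whose Security log holds the events.
Import-Module ActiveDirectory

# Well-known SID of BUILTIN\Administrators; in AD the object is
# CN=Administrators,CN=Builtin,<domain DN>.
$adminSid = 'S-1-5-32-544'

# Snapshot the direct members so the state can be compared after the next "reset".
function Get-BuiltinAdminMembers {
    Get-ADGroupMember -Identity $adminSid |
        Select-Object Name, SamAccountName, objectClass, SID
}

# Membership-change events for this group:
#   4728/4729 global group, 4732/4733 domain-local group (Administrators is domain local),
#   4756/4757 universal group. Logged by "Audit Security Group Management".
function Get-BuiltinAdminChangeEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4732, 4733, 4756, 4757
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the EventData fields by name rather than by position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetSid'] -ne $adminSid) { return }   # some other group; skip it
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
            Member  = $data['MemberName']          # DN of the member added or removed
            Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId = $data['SubjectLogonId']      # join to the 4624 logon event for the source
            EventId = $_.Id
        }
    }
}

Get-BuiltinAdminMembers | Format-Table -AutoSize
Get-BuiltinAdminChangeEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

    If the Actor column shows the DC's own computer account or SYSTEM rather than a named admin, the change is being made by a process running on the DC itself (Group Policy processing, a scheduled task, a management agent), not by a person. A named account points to a console session or script that can be traced through the SubjectLogonId and the matching 4624 logon event.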

  • #2
    Look here first
    Rules of life:
    1. Never do anything that requires thinking after 2:30 PM
    2. Simplicity is godliness
    3. Scale with extreme prejudice


    I occasionally post using a savantphone, so please don't laugh too hard at the typos...



    • #3
      Originally posted by userPrincipalName:
      Look here first
      So if I am reading this correctly, it would seem that if the AdminSDProtectFrequency isn't set and something stays for more than 60 minutes it won't be reverting back. Also, I am not sure if I am missing it or I'm just too dense to understand, but if you do need to make a change to an affected group how do you make sure you successfully do it? Is it just checking what group or groups what you need to change is in and then disabling those groups through changing the dsHeuristics in ADSI edit?



      • #4
        Surely this is something as simple as tracking down which GPO is applying this and removing the relevant group?



        • #5
          Originally posted by wullieb1:
          Surely this is something as simple as tracking down which GPO is applying this and removing the relevant group?
          From what it read like, I didn't think this was being applied with a GPO. Unfortunately I can't tell you what is applying it, because whatever is resetting it did it last night and reset the auditing I had on the group, so I have no details.



          • #6
            OK, so now I have more odd issues. I have gotten in and tried to run the RunProtectAdminGroupTask through LDP.exe. However, it says I have insufficient privileges. I find this odd because I am a Domain Admin, in the Builtin\Administrators group, an Enterprise Admin, and in the Configuration for my DC, under the Extended-Rights, in the Run-Protect-Admin-Group-Task properties, in security, it has full read/write for the groups I am in and has me in with full control. What other rights do I need to run this task?



            • #7
              Originally posted by TheWeezel:
              From what it read like, I didn't think this was being applied with a GPO. Unfortunately I can't tell you what is applying it, because whatever is resetting it did it last night and reset the auditing I had on the group, so I have no details.

              How often does it reset?

              TBH it really does feel like you have a GPO applying this somewhere. How many GPOs do you have in place at the moment? What GPOs are applying to the system you are working on? Once you know what GPOs are applying, you can then start to have a look at them in the Group Policy Management Console and see if it is there.



              • #8
                Originally posted by wullieb1:
                How often does it reset?
                TBH it really does feel like you have a GPO applying this somewhere. How many GPOs do you have in place at the moment? What GPOs are applying to the system you are working on? Once you know what GPOs are applying, you can then start to have a look at them in the Group Policy Management Console and see if it is there.
                It resets once or twice a day at random times. There are only a half dozen GPOs for the domain and all are very basic. I'm not sure what GPO would be able to reset the members of the Builtin\Administrators group on the Domain Controller. I was going under the assumption that it was the AdminSDHolder's security process, which seems to affect all "Protected Groups", of which the Builtin\Administrators would be one. Sadly, since every user has effectively passed through there, they have all gained the same settings, which will make them protected. So I now need to find out if manually removing the attributes that mark the groups and users as protected is going to break anything else.

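                Added example serving both #3 (the AdminSDProtectFrequency and dsHeuristics questions) and #8 (whether the adminCount stamps can be removed safely). It is not code from the thread or from Microsoft; it assumes the ActiveDirectory module and is read-only except for the last function, which honours -WhatIf. Background worth keeping in mind: SDProp rewrites the ACL of protected objects, stamps adminCount=1 and disables inheritance; it does not itself change group membership. One caveat on the orphan check: membership held only through primaryGroupID (how ordinary users belong to Domain Users) is not visible through memberOf, so run that check only after Domain Users is out of the Administrators group.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module; run on a DC or a
# host with RSAT. Everything is read-only except Repair-OrphanedProtectedObject, which
# honours -WhatIf.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# How often SDProp runs. The default is 3600 seconds; an override lives in the registry
# of the PDC emulator, which is the DC that actually runs the task.
function Get-SdPropFrequency {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $v = Get-ItemProperty -Path $key -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue
    if ($v) { $v.AdminSDProtectFrequency } else { 3600 }
}

# dsHeuristics on the Directory Service object; its 16th character is the mask that
# excludes the operator groups from protection. Shown, not changed.
function Get-DsHeuristics {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    (Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties dsHeuristics).dsHeuristics
}

# Every user or group currently stamped adminCount=1.
function Get-ProtectedObjects {
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
        -Properties adminCount
}

# Stamped objects that are no longer in any protected group, directly or through nesting.
# Protected groups: the built-in operator groups plus Domain, Enterprise and Schema Admins,
# Domain Controllers and Read-only Domain Controllers; Administrator and krbtgt individually.
function Get-OrphanedProtectedObjects {
    $d = $domain.DomainSID.Value
    $protectedSids = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550',
                       'S-1-5-32-551', 'S-1-5-32-552',
                       "${d}-512", "${d}-516", "${d}-518", "${d}-519", "${d}-521")
    $legit = @{}
    foreach ($sid in $protectedSids) {
        $g = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
        if (-not $g) { continue }                     # e.g. no RODC group at the 2003 level
        $legit[$g.DistinguishedName] = $true
        # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership, nested groups included.
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" |
            ForEach-Object { $legit[$_.DistinguishedName] = $true }
    }
    foreach ($rid in 500, 502) {                      # Administrator, krbtgt
        $u = Get-ADUser -Identity "${d}-${rid}" -ErrorAction SilentlyContinue
        if ($u) { $legit[$u.DistinguishedName] = $true }
    }
    Get-ProtectedObjects | Where-Object { -not $legit.ContainsKey($_.DistinguishedName) }
}

# Clear the stamp and re-enable ACL inheritance so the OU's permissions apply again.
function Repair-OrphanedProtectedObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Object)
    process {
        $dn = $Object.DistinguishedName
        if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount and re-enable inheritance')) {
            Set-ADObject -Identity $dn -Clear adminCount
            $acl = Get-Acl -Path "AD:\$dn"
            $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep existing ACEs
            Set-Acl -Path "AD:\$dn" -AclObject $acl
        }
    }
}

"SDProp runs every $(Get-SdPropFrequency) s; dsHeuristics = '$(Get-DsHeuristics)'"
Get-OrphanedProtectedObjects | Select-Object Name, objectClass, DistinguishedName
# Dry run first; drop -WhatIf only once the list above has been reviewed.
Get-OrphanedProtectedObjects | Repair-OrphanedProtectedObject -WhatIf
```

                Because SDProp re-stamps anything that is still a transitive member of a protected group on its next run, repairing an object that is still nested in one of those groups achieves nothing; the orphan list is the safe set to clean up, and the -WhatIf pass shows exactly which objects would be touched.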


                • #9
                  IIRC the AdminSDHolder resets the permissions in AD for protected accounts.

                  More info on the AdminSDHolder here http://windowsitpro.com/security/dem...dholder-object

                  Now from reading your issue it would appear that your Domain Users are being added to the BUILT-IN\Administrators group that is located on the local PC. Am I right with this thinking, or are you talking about the Built-In\Administrators group in AD?

                  What groups are the BUILTIN\Administrators members of?



                  • #10
                    So going by your Reddit thread you have the problem resolved and it was a GPO that was causing it using Restricted Groups??

                    https://www.reddit.com/r/sysadmin/co..._domain_users/

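                    Added example for the suggestion in #7 and the outcome in #10: a PowerShell script (not from the thread) that finds every GPO whose Restricted Groups setting touches BUILTIN\Administrators by reading the security templates in SYSVOL, and shows where each such GPO is linked. It assumes the GroupPolicy and ActiveDirectory modules (RSAT) and read access to SYSVOL; the helper names are mine.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy and ActiveDirectory modules
# (RSAT) and read access to SYSVOL. Read-only: removing a setting is done in GPMC.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators

# Best-effort SID-to-name translation; templates may also hold literal names.
function Resolve-Principal([string]$Value) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$Value).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Value }
}

# Where the GPO is linked (domain root and OUs); gPLink holds the policy DN.
function Get-GpoLinks([guid]$GpoId) {
    Get-ADObject -LDAPFilter "(gPLink=*{$GpoId}*)" -SearchBase $domain.DistinguishedName |
        Select-Object -ExpandProperty DistinguishedName
}

# Restricted Groups are stored in each GPO's security template
#   {GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# under [Group Membership] as
#   *<group SID>__Members  = *<sid>,*<sid>   (replaces the membership on every refresh)
#   *<group SID>__Memberof = *<sid>          (only adds the group to the listed groups)
function Find-RestrictedGroupGpos {
    param([string]$GroupSid = $adminSid)
    $pattern = '^\*' + [regex]::Escape($GroupSid) + '__(Members|Memberof)\s*=\s*(.*)$'
    foreach ($gpo in Get-GPO -All) {
        $inf = Join-Path $policies "{$($gpo.Id)}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $inf) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'Group Membership')
                continue
            }
            if (-not $inSection) { continue }
            if ($line -match $pattern) {
                $members = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } |
                           Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ }
                [pscustomobject]@{
                    Gpo      = $gpo.DisplayName
                    GpoId    = $gpo.Id
                    Setting  = $Matches[1]        # Members = enforced list; Memberof = additive
                    Members  = $members -join '; '
                    LinkedTo = (Get-GpoLinks $gpo.Id) -join '; '
                }
            }
        }
    }
}

Find-RestrictedGroupGpos | Format-List
```

                    A `Members` entry is the "Members of this group" setting: at every policy refresh it makes the group's membership exactly the listed principals, which matches a membership that keeps coming back at irregular intervals. On a domain controller, BUILTIN\Administrators is the AD group, so a GPO with that setting linked to the Domain Controllers OU (or the domain) rewrites the domain group; the same setting linked elsewhere only touches the local Administrators group of member machines, which is the distinction asked about in #9. `gpresult /r /scope computer` run on the DC confirms which of the GPOs found actually applied to it.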