Securing Local Administrators by GPO
  • Securing Local Administrators by GPO

    Hi Everyone,

    I have some users on the network setup as Local Administrators and some as Power Users. Unfortunately, I have no choice but to grant Administrative rights to some users which use and install specific software (Quickbooks, MS SQL Server, Web developing software).

    Problem:
    1. The users which have local Administrative rights have access to other people's profiles (and computers) locally and on the network (ex: \\computername\c$\).

    2. They also have access to Local Users and Groups in the Computer Management Console (they can reset the Administrator account password).

    Those are the two major issues I'm facing at this time.

    Options:
    1. Restrict Local Administrators via GPO? How?
    2. Make everyone a Power User and then give them rights to do the tasks they need via GPO? How?

    Info: Win Server 2003 Ent SP2 (DC) and XP Pro SP3 (clients)
    Last edited by shades; 23rd September 2009, 18:47.

  • #2
    Re: Securing Local Administrators by GPO

    By pure GPO means, you can use the Restricted groups function to configure local groups.

    It does not work really well for your case, as it overwrites the local info, and doesn't easily allow different configs per machines. It is very useful for servers, for example you want to put a group called "SQL Administrators" in the local SQL admin groups of your SQL servers which are all in the same OU - it's perfect for that.

    I will suggest two approaches:

    1) Remove Local admin from everyone, configure it with restricted groups. Make each user a Power user on his machine using a startup script or something similar. You could even configure that as a logon script right now while they're admin. Then when you have issues with apps that require more than power user (should be pretty rare, power user is very powerful, too much IMO!), troubleshoot it individually. You may need to have an OU where the local admin is not forced so for extreme cases you can put machines in there.

    2) Simply create a logon script that will remove all local admins except for one predefined domain group that you'll be a member of, and the currently logged on user. This assumes that machines "belong" to users. Once the script has run once on every machine, unlink it.

    In both cases you'll need to think about making this automatic when you image new machines and/or join machines to the domain.
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah
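    A logon-script version of the second approach, added here as an example (it is not the poster's script). It uses the WinNT ADSI provider, so it runs on XP/2003-era PowerShell; the domain name CONTOSO and the keeper group "Workstation Admins" are hypothetical, and Domain Admins is kept as well so the domain admins are not locked out of the box.

```powershell
# Added example (not the poster's script): one-time logon script for approach 2.
# Runs under the logged-on user, who is still a local admin at this point, so it
# can edit the local Administrators group. Everything is removed except the
# built-in Administrator, Domain Admins, one helpdesk group, and the current user.
# Assumptions (hypothetical names): domain CONTOSO, keeper group "Workstation Admins".

$Domain    = 'CONTOSO'
$KeepGroup = 'Workstation Admins'
$DryRun    = $true            # flip to $false once the "would remove" list looks right

$computer = $env:COMPUTERNAME

# Compare on the trailing "container/name" part of the ADsPath, because on a
# domain-joined XP box local accounts enumerate as WinNT://DOMAIN/COMPUTER/Name.
function Get-Tail([string]$adsPath) {
    $parts = $adsPath.TrimEnd('/') -split '/'
    return (($parts[-2], $parts[-1]) -join '/').ToLower()
}

$keep = @(
    "$computer/Administrator",
    "$Domain/Domain Admins",
    "$Domain/$KeepGroup",
    "$env:USERDOMAIN/$env:USERNAME"
) | ForEach-Object { $_.ToLower() }

$group = [ADSI]"WinNT://$computer/Administrators,group"

foreach ($member in $group.psbase.Invoke('Members')) {
    # Members come back as raw COM objects; read ADsPath through reflection (PS 1.0 safe)
    $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    if ($keep -contains (Get-Tail $path)) {
        Write-Output "keep         $path"
        continue
    }
    if ($DryRun) {
        Write-Output "would remove $path"
    } else {
        Write-Output "remove       $path"
        $group.psbase.Invoke('Remove', $path)
    }
}
```

    Run it in dry-run mode first and compare the "would remove" output against the people you actually expect to lose admin, then unlink the script once every machine has run it.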



    • #3
      Re: Securing Local Administrators by GPO

      I would make two suggestions.

      Firstly, prevent your users from installing software on the company computers, both with technical measures and with policy. Centralise administrative tasks so that only appointed system administrators do them - I'm sure you're aware of the licensing requirements etc that companies are required to adhere to

      Secondly, if an application refuses to run unless the user is an administrator, you need to do two things.

      One - use Process Explorer or something similar to see which areas of the registry and filesystem the program needs access to, then grant the user access to those areas. Filesystem permissions can be set using cacls in a startup script.

      Two - bitch and whine at the developer to fix his program

      One thing I will tell you now - if you take administrative permissions away from the users, there will be a queue of very unhappy people outside your office. Throw paperclips at them, call them names and then slap them with a printout of the new IT policy

      Best of luck
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.
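      An example of the "grant only what the app needs" step above, added here and not taken from the post: once Process Explorer has shown the folder and registry key the program writes to, a startup script (running as SYSTEM) grants a domain group just those rights. It uses Set-Acl rather than cacls so the registry key can be handled the same way; the paths C:\Program Files\LegacyApp, HKLM\SOFTWARE\LegacyApp and the group CONTOSO\LegacyApp Users are hypothetical.

```powershell
# Added example (not from the thread): give a domain group write access to the
# one folder and one registry key an application needs, instead of local admin.
# Intended as a computer startup script (runs as SYSTEM, so it may change ACLs).
# Assumptions (hypothetical): folder C:\Program Files\LegacyApp, key
# HKLM\SOFTWARE\LegacyApp, group CONTOSO\LegacyApp Users.

$Group  = 'CONTOSO\LegacyApp Users'
$Folder = 'C:\Program Files\LegacyApp'
$RegKey = 'HKLM:\SOFTWARE\LegacyApp'

$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

if (Test-Path $Folder) {
    $acl = Get-Acl -Path $Folder
    # Modify, not Full Control: the group can write files but cannot rewrite the ACL
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        $Propagate, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
    Write-Output "granted Modify on $Folder to $Group"
}

if (Test-Path $RegKey) {
    $acl = Get-Acl -Path $RegKey
    # Read, write values and create subkeys; no WriteDAC or TakeOwnership.
    # Registry keys are containers only, so ObjectInherit does not apply here.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        $Propagate, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $RegKey -AclObject $acl
    Write-Output "granted write access on $RegKey to $Group"
}
```

      Re-run Process Explorer afterwards to confirm the ACCESS DENIED results are gone before taking the user out of the Administrators group.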



      • #4
        Re: Securing Local Administrators by GPO

        I would advise against removing administrative access from too many users at the same time. I've seen such projects attempted, but once the business realizes that the money lost from removing access becomes more than the money lost on support for such a configuration, management may just halt the project.

        Doing it progressively usually works better. If the policy supports it, the best way to do it is usually with your new image. I'm used to pretty big environments (currently only have about 5000 users, but in almost 100 offices; previous clients were 5k to 40k users, some a bit more) where machines are changed pretty much every 3 to 5 years.

        So make your new image perfect, distribute that on new machines, find what machine is going to be used for another 2-3 years and 'migrate' those, but let the old ones die with their user as local admin..

        Users are usually easier to convince if you go:

        Hi! Here's your new laptop! Yeah, it has 4 gigs of RAM... yeah, it's the new model. Of course it has Windows 7 and Office 2010.

        ...oh, by the way, you don't have admin rights anymore. Kthxbye, have a good day!

        Ok, my advice probably doesn't apply in the following cases:

        1) Small business
        2) Situation is out of control regarding what users do with their machines
        3) Auditors on your back
        VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



        • #5
          Re: Securing Local Administrators by GPO

          Good point. In any case, whether you do it all at once or in stages, the most important phase of the project is the initial planning. I spent a month or so looking into the requirements of the software we had running that "required" administrative permissions. Which in our case was a package written for Windows 95 in FoxPro, which somehow is still being supported and updated by the developers (it's the financials package - they can't *not* maintain it, what with the government constantly deciding to change the tax laws).
          Gareth Howells




          • #6
            Re: Securing Local Administrators by GPO

            Thanks for all the advice!

            We currently have 21 users at our office and expect to grow in Feb. 2010 to 40 users. The previous sys-admin had everyone set up as local administrators because he didn't want to deal with user complaints. I for one don't care about complaints or dependencies as much. I care about my network security and some angry employee who may decide to breach or sabotage our network. I don't want to give them that opportunity.

            For now I've set up two Restricted Groups (Administrators and Power Users) and set up two security groups which divide and determine the employee's security level. I've applied the GPO to all our workstations (parent OU, including desktops and laptops). I've installed WSUS 3.0 SP1 in order for the updates to be installed with Administrative rights.

            I only have 8 out of 21 users who are currently local Administrators (it's not too bad). I would like to minimize this ratio and hopefully with little complaints

            I like the idea of deleting the default locally built-in Administrator account to prevent internal and external (password reset tools) hacking. I may do that for all the computers.
            Last edited by shades; 28th September 2009, 18:59.



            • #7
              Re: Securing Local Administrators by GPO

              The problem I can see with that is that users who are admins of their machines are admins of other machines.. that would be a big no-no for me.

              That's why I configure my local admins with restricted groups (only on-site techs have local admin), yet I configure power users through other means as I don't want to have users browsing each other's C$ etc.
              VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



              • #8
                Re: Securing Local Administrators by GPO

                So bottom line...there is no way to restrict an Administrator (NTFS level or otherwise) from accessing other people's profile and C$ via GPO?

                The answer to this is: Power Users or Users.

                ...and there is no way to grant certain Administrative rights to a Power User to install any software they wish and run windows updates (in an automated fashion) via GPO?

                Perhaps if I post in the Petri Scripting section, someone may have a script which might work...not sure. I'm not very good at scripting but I know how to apply it and modify it to my needs.



                • #9
                  Re: Securing Local Administrators by GPO

                  Well, if a guy is admin of many machines, no you can't restrict it at the NTFS level (unless you do some crazy explicit denies). You could disable admin shares and so on but to me that's not a good approach.

                  Now, for power users, a lot of rights could be added. For example you can give power users the right to load and unload device drivers, install printer drivers, etc.

                  As for Windows update, you can configure the windows update GPO to allow non-administrators to receive notification, so that should be an easy fix.
                  VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



                  • #10
                    Re: Securing Local Administrators by GPO

                    You're totally right. It's possible. Thanks for reminding me.
