Windows 7 Local Admin Rights through Group Policy

  • #1

    Scenario:

    We have Windows 7 in our environment.

    Currently, we give users local admin rights on Windows 7 by:

    Computer - Manage - Local Users and Groups - Groups - Administrators - adding the specific user

    I am wondering if that can be automated by Group Policy and what the best way to do it is.

    My concerns are:
    • Whether all users will be local admins of all Windows 7 machines
    • OR whether it is somehow possible for a user to have local admin rights on their own machine only
    Please help!

  • #2
    Re: Windows 7 Local Admin Rights through Group Policy

    You can add users to the local Administrators group via the "Restricted Groups" Group Policy settings.

    This will add a user or group to the computers in an OU - there is no standard mechanism (short of some custom startup script) to make a user a local admin on one machine only.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Windows 7 Local Admin Rights through Group Policy

      Although it will be better for you in the long run to figure out a way for them to do their jobs without having local admin access.



      • #4
        Re: Windows 7 Local Admin Rights through Group Policy

        Originally posted by Ossian:
        You can add users to the Local Administrators groups via "Restricted Groups" group policy settings.

        This will add a user or group to the computers in an OU - there is no standard mechanism (short of some custom startup script) to make a user a local admin on one machine only.
        I also read that it is possible by linking a startup script to the computer OU:

        1. Create a local group in the domain
        2. Add the domain group to the local Administrators group on the machine. Deploy via a
        startup script, as the computer will have system rights
        3. Add users to the domain group

        Are there any pros/cons of using a startup script over Restricted Groups?



        • #5
          Re: Windows 7 Local Admin Rights through Group Policy

          Well, one thing to consider when using Restricted Groups (which makes it pretty useless, at least in my environment) is that it replaces the contents of the local group completely. Whatever you add to Restricted Groups will be the only thing you see in those groups on the local machine. It's all or nothing. I've never tried the startup script thing, so I can't really comment there.

          And I would still advise against making your users local admins. That's just going to create major headaches for you down the road, unless you're using non-persistent virtual desktops or Deep Freeze or something. The power of the user should always be limited to just what they need to accomplish their task.



          • #6
            Re: Windows 7 Local Admin Rights through Group Policy

            Bertmax - There are two options with Restricted Groups. One replaces, the other appends. Agree that local admin shouldn't be necessary though.

            tanz1110 - We do something similar, but only on build. When our machines are built we use a script to create an AD group with the machine name as part of its name. This is added to the local Administrators group on the box and we control local admin access through that rather than a GPO or similar. Any changes to the local Administrators group on the box are removed (we have another product to automate this, but manual is fine too). We also have a GPO that uses Restricted Groups to add a local desktop admins group and a security admins group on top.
            Having said all of that, it is only developers that have a need for local admin, and only for certain products. Normal users have no need.
            cheers
            Andy


            Quis custodiet ipsos custodes?

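The two Restricted Groups behaviours Andy mentions (replace vs. append) are easiest to see in the GPO's security template file. The following is an added example, not from the thread and not produced by anyone in it: the entries the GPMC editor writes into GptTmpl.inf for each form. CONTOSO, the group names and the domain SID S-1-5-21-111-222-333 are placeholders; the two forms are shown as two separate GPO files, one after the other.

```ini
; Two GptTmpl.inf files (one per GPO). Each lives under the GPO's Machine folder in SYSVOL:
; \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
; S-1-5-21-111-222-333 is a placeholder for the real domain SID.

; ===== GPO A: "Members of this group" on BUILTIN\Administrators = REPLACE =====
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; S-1-5-32-544 is BUILTIN\Administrators on every Windows, whatever the display language.
; After each refresh the group contains exactly: Domain Admins (RID 512), the domain group
; CONTOSO\Workstation Admins (RID 1104 here) and the built-in local Administrator, which
; the security engine always keeps. Everything else is removed, Domain Admins included
; if you forget to list it.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-111-222-333-512,*S-1-5-21-111-222-333-1104

; ===== GPO B: "This group is a member of" on a domain group = APPEND =====
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; The restricted group is the domain group itself (CONTOSO\Desktop Admins, RID 1105 here);
; Memberof lists the local group(s) it must be added to. Existing members of
; Administrators are left alone. Members is left empty on purpose: the domain group's
; own membership is managed in AD, not by the workstation.
*S-1-5-21-111-222-333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-111-222-333-1105__Members =
```

Security settings are re-applied by the client-side extension every 16 hours by default even when the GPO has not changed, so with form A anything added to the group by hand disappears again within that window, while form B never removes anything. Check what a machine ended up with using `gpresult /h` or by inspecting the group directly; do not edit the INF by hand on a live GPO, since the editor regenerates it.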


            • #7
              Re: Windows 7 Local Admin Rights through Group Policy

              Thanks Andy, that's good to know. I haven't messed with Restricted Groups in a while; I don't remember the append option.



              • #8
                Re: Windows 7 Local Admin Rights through Group Policy

                Originally posted by tanz1110:
                Are there any pros/cons of using a startup script over Restricted Groups?
                Usually the best way to control local group memberships is using the Restricted Groups policy. When using Restricted Groups for replacing the current members (not for just adding), you are really in control of who is and isn't a local admin (i.e. when a local admin had created his own secret local service account, it too will be removed from the group).

                Some tips:
                - When replacing the members of the local Administrators group you should never forget to include the Domain Admins group in the members section!!
                - You don't have to add the local Administrator account because it will be a member automatically.
                - For creating a Restricted Group it is recommended to use the Browse option for selecting any built-in objects rather than typing the name, to ensure the computer was able to resolve the (well-known) SID while adding, in case there are also computers in the domain with an OS in a different language.
                - Rather create domain groups (must have Global group scope) first instead of adding individual domain users directly as members of the restricted group.

                FYI you can also create a restricted group for ADDING members without altering the current members http://forums.petri.com/showpost.php...28&postcount=5


                So for most cases the Restricted Groups policy is, I guess, a better option than creating a startup script. It is much faster in processing and much more reliable.

                However in this case, where only the main user should become an administrator, and only on his or her computer, you need to assign one user to one computer in some way first, and use this as a reference for whether or not a user should be added to the local group of a computer.
                Basically it is a one-time configuration, not something that normally should be processed continuously at every boot. The most simple solution is that you add the user to the group *before* delivering the computer.
                For computers that have already been delivered, you could run a script from a server; the script connects to each client and does what is needed there. A one-time process.

                If however computers get a new main user assigned to them on a regular basis, you have to look at how you can centrally manage the assignment for each individual client computer.
                Then a computer startup script for making the configuration is probably the best option. (Although I like to emphasize that adding end users to an Administrators group on a domain client can never be a good solution.)

                The user assignment can be done by using the ManagedBy attribute of the computer object.
                The computer startup script determines the distinguished name of the client and uses it to bind to the computer object in AD. There it reads who the manager is (assuming the manager is one user, not a group, in this sample) and adds the user to the local Administrators group.
                And of course previously added domain users (the previous main user) must also be deleted from the group.


                Here is a sample startup script.
                The script references the ManagedBy attribute of the computer object. Therefore you should use this attribute to administer the main user assignment for a client.

                Code:
                Option Explicit
                Dim strComputer, strDomain, objAdmGroup, objMember, strMember
                Dim IsDomainAcc, IsDomAdmins, objComputer, strManagerDN, objManager, strManager

                ' NetBIOS names of this computer and of its domain, as the WinNT provider expects them
                With CreateObject("WinNTSystemInfo")
                   strComputer = .ComputerName
                   strDomain   = .DomainName
                End With

                ' Bind to the local Administrators group
                Set objAdmGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

                ' Remove all current *domain* members of the group, except Domain Admins.
                ' Local accounts have an ADsPath of WinNT://<domain>/<computer>/<name>,
                ' domain users and groups have WinNT://<domain>/<name>.
                For Each objMember In objAdmGroup.Members
                   strMember = objMember.AdsPath
                   IsDomainAcc = (InStr(1, strMember, strDomain & "/" & strComputer & "/", vbTextCompare) = 0)

                   If IsDomainAcc Then
                      ' InStr returns 0 when "<domain>/domain admins" does not occur in the path
                      IsDomAdmins = (InStr(1, strMember, strDomain & "/domain admins", vbTextCompare) > 0)
                      If Not IsDomAdmins Then objAdmGroup.Remove strMember
                   End If
                Next

                ' From here on an empty managedBy attribute or an unresolvable manager must not abort the script
                On Error Resume Next

                ' Bind to this computer's AD object (ADSystemInfo.ComputerName is its distinguished name)
                ' and read the manager from its managedBy attribute.
                With CreateObject("ADSystemInfo")
                   Set objComputer = GetObject("LDAP://" & .ComputerName)
                   strManagerDN = objComputer.managedBy
                End With

                ' Bind to the 'manager' (user) object and build its WinNT path
                Set objManager = GetObject("LDAP://" & strManagerDN)
                strManager = Replace(objManager.sAMAccountName, "$", "")
                strManager = "WinNT://" & strDomain & "/" & strManager

                ' Make the manager a member of the group, unless one of the steps above failed
                If Err.Number = 0 Then
                   If Not objAdmGroup.IsMember(strManager) Then objAdmGroup.Add strManager
                End If

                On Error GoTo 0
                /Rems
                Last edited by Rems; 25th July 2012, 21:43.

                This posting is provided "AS IS" with no warranties, and confers no rights.

                __________________

                ** Remember to give credit where credit's due **
                and leave Reputation Points for meaningful posts

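The same startup-script approach in PowerShell, as an added example that is not Rems' script and not from the thread. It combines the three sources of local admins discussed in this thread: Domain Admins (matched by SID, not by name), the per-machine AD group Andy creates at build time (the name LocalAdmins-<COMPUTERNAME> is an assumption), and the computer object's managedBy attribute (user or group). Everything is compared by SID, so it behaves the same on a non-English Windows, and it only uses what PowerShell 2.0 on Windows 7 provides (ADSI and System.DirectoryServices, no AD module). The -DryRun switch and the function names are mine.

```powershell
<#
  Startup script that reconciles the local Administrators group from AD.
  Added example, not Rems' script and not from the thread. Deploy it under
  Computer Configuration > Policies > Windows Settings > Scripts > Startup (PowerShell Scripts tab);
  it then runs as SYSTEM and reads AD with the computer account.
  Wanted members (all handled by SID, so the OS language does not matter):
    1. Domain Admins (well-known RID 512)
    2. LocalAdmins-<COMPUTERNAME>, the per-machine AD group (assumed naming convention)
    3. whatever the computer object's managedBy attribute points at (a user or a group)
  Any other principal from this domain is removed. Local accounts (the built-in
  Administrator included) and principals from other domains are left alone.
#>
param([switch]$DryRun)   # -DryRun: report what would change, touch nothing
$ErrorActionPreference = 'Stop'
$computer = $env:COMPUTERNAME

function Find-AdObject([string]$Filter, [string[]]$Attributes) {
    # A DirectorySearcher with no SearchRoot searches the domain this machine is joined to
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = $Filter
    foreach ($a in $Attributes) { [void]$s.PropertiesToLoad.Add($a) }
    return $s.FindOne()
}
function ConvertTo-Sid([byte[]]$Bytes) {
    return New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)
}
function ConvertTo-WinNTPath([string]$SidString) {
    # SID -> "DOMAIN\name" -> "WinNT://DOMAIN/name", the form the WinNT provider takes for Add()
    $acct = (New-Object System.Security.Principal.SecurityIdentifier($SidString)).Translate([System.Security.Principal.NTAccount]).Value
    return 'WinNT://' + $acct.Replace('\', '/')
}

# 1. This computer's own AD object: its SID yields the domain SID, managedBy names the main user
$me = Find-AdObject "(&(objectCategory=computer)(sAMAccountName=$computer`$))" @('objectSid', 'managedBy')
if ($me -eq $null) { throw "No computer object for $computer in AD" }
$domainSid = (ConvertTo-Sid $me.Properties['objectsid'][0]).AccountDomainSid

$wanted = @{}   # SID string -> label, used in the log lines
$wanted["$($domainSid.Value)-512"] = 'Domain Admins'

# 2. Per-machine group created at build time (assumed name: LocalAdmins-<COMPUTERNAME>)
$grp = Find-AdObject "(&(objectCategory=group)(sAMAccountName=LocalAdmins-$computer))" @('objectSid')
if ($grp -ne $null) { $wanted[(ConvertTo-Sid $grp.Properties['objectsid'][0]).Value] = "LocalAdmins-$computer" }

# 3. managedBy: resolve the DN to a SID so a user and a group are handled alike
if ($me.Properties.Contains('managedby')) {
    $dn  = [string]$me.Properties['managedby'][0]
    $mgr = [ADSI]('LDAP://' + $dn.Replace('/', '\/'))   # a '/' inside a DN must be escaped in an ADsPath
    $wanted[(ConvertTo-Sid $mgr.Properties['objectSid'].Value).Value] = "managedBy $dn"
}

# 4. Bind to BUILTIN\Administrators via its well-known SID S-1-5-32-544, not its (localized) name
$adminsName = (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')).Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$group = [ADSI]"WinNT://$computer/$adminsName,group"

# 5. Reconcile: drop unwanted principals from this domain, add wanted ones that are missing
$present = @{}
foreach ($m in @($group.psbase.Invoke('Members'))) {
    $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    try   { $sid = ConvertTo-Sid ($m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)) }
    catch {
        # Orphaned member (account deleted in AD): the provider only knows its SID, e.g. WinNT://S-1-5-21-...
        if ($path -match 'WinNT://(S-1-[0-9-]+)') { $sid = New-Object System.Security.Principal.SecurityIdentifier($matches[1]) }
        else { Write-Output "Skipping unreadable member $path"; continue }
    }
    $present[$sid.Value] = $path
    if ($sid.AccountDomainSid -eq $null -or $sid.AccountDomainSid.Value -ne $domainSid.Value) { continue }  # not ours to manage
    if ($wanted.ContainsKey($sid.Value)) { continue }
    Write-Output "Removing $path"
    if (-not $DryRun) { $group.Remove($path) }
}
foreach ($sidValue in $wanted.Keys) {
    if ($present.ContainsKey($sidValue)) { continue }
    $path = ConvertTo-WinNTPath $sidValue
    Write-Output "Adding $path ($($wanted[$sidValue]))"
    if (-not $DryRun) { $group.Add($path) }
}
```

Try it first from an elevated prompt with `powershell -ExecutionPolicy Bypass -File Set-LocalAdmins.ps1 -DryRun` (the file name is mine); changing the group needs administrative rights, which the script has as SYSTEM at boot. Output at boot goes nowhere unless you redirect it, so wrap the call in `Start-Transcript` or `>> C:\Windows\Temp\localadmins.log` when deploying. Unlike Rems' script, which removes every non-local member except Domain Admins, this one leaves principals from trusted domains alone; if that is not what you want, drop the AccountDomainSid check.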
