W2k8 GPO - Prevent Role changes

  • W2k8 GPO - Prevent Role changes

    Hi - I have no idea if anyone remembers me at all, but I come for assistance if you can give it.

    I have a reasonably unique situation where our customers are ordering a bare Windows server for purposes unknown (which falls under one team's responsibility and allows for customer admin access) and are then adding IIS as a feature or role (which changes support ownership and admin access rights). However, they are not telling anyone; and then when a service stops they are holding us responsible for the support and maintenance.

    The Managers have decided that the best way around this is to prevent the installation of IIS by anyone but a select group of people in OUR organisation; even if the customer has Admin Access to the box. I have distilled this down into: Prevent non-members of an AD group from adding roles and features to the server.

    I have one method, which may be effective but may not; and that would be to prevent access to the "Programs and Features" control panel applet. However, I don't know if doing this removes the "Roles and Features" portion of the Manage Server window. What I would prefer is to disable the function, rather than the GUI element which supports it.

    So - to my question:

    Is it possible, via Group Policy, to restrict the use of the "Add Role or Feature" function to a particular subset of users, as listed in an AD group?

    Thanks!


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

  • #2
    Re: W2k8 GPO - Prevent Role changes

    I don't have a GPO solution that restricts the "Add Role or Feature" but have encountered your issue before.

    One way you could work around this is by having a baseline group policy that sets the IIS services to Disabled on all servers.

    Create a second policy that sets the IIS services to Automatic and filter it by global group membership. Essentially anyone can install IIS, but only the servers that are members of the security filter group can run IIS.

    You can expand this approach to other services you want to centrally manage (DHCP, SQL, etc.) by disabling them in the baseline, and just create the second filter policy to allow approved servers to run at Automatic.

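    Scott's baseline-plus-override layout, written out as an added PowerShell example (not code from the thread) using the GroupPolicy module on a domain controller or RSAT host. The OU path, the approved group name, the service names (W3SVC, WAS) and the use of the registry "Start" value (4 = Disabled, 2 = Automatic) instead of the System Services security-settings UI are assumptions.

```powershell
# Added example, not from the thread. Placeholders: OU path, group name.
# Assumes IIS is governed by the W3SVC and WAS services and that the start
# type is set through the registry "Start" value (4 = Disabled, 2 = Automatic).
Import-Module GroupPolicy

$ServersOU   = "OU=MemberServers,DC=example,DC=local"   # placeholder
$AllowGroup  = "GG-IIS-Approved"                        # placeholder (computer accounts)
$IisServices = @("W3SVC", "WAS")

function Set-IisStartType {
    param([string]$GpoName, [int]$StartValue)
    foreach ($svc in $IisServices) {
        Set-GPRegistryValue -Name $GpoName `
            -Key "HKLM\SYSTEM\CurrentControlSet\Services\$svc" `
            -ValueName "Start" -Type DWord -Value $StartValue | Out-Null
    }
}

# 1. Baseline: every server under the OU gets the IIS services set to Disabled.
$baseline = New-GPO -Name "Baseline - IIS Disabled" -Comment "Blocks unapproved IIS"
Set-IisStartType -GpoName $baseline.DisplayName -StartValue 4
New-GPLink -Name $baseline.DisplayName -Target $ServersOU -LinkEnabled Yes | Out-Null

# 2. Override: approved servers get Automatic. Link order 1 makes it win over
#    the baseline linked to the same OU.
$override = New-GPO -Name "Override - IIS Allowed" -Comment "Approved IIS hosts only"
Set-IisStartType -GpoName $override.DisplayName -StartValue 2
New-GPLink -Name $override.DisplayName -Target $ServersOU -LinkEnabled Yes -Order 1 | Out-Null

# 3. Security filtering: only members of the approved group apply the override.
#    Authenticated Users keeps Read so computers can still fetch the policy.
Set-GPPermission -Name $override.DisplayName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $override.DisplayName -TargetName $AllowGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify on a member server after gpupdate /force and a reboot:
#   Get-Service W3SVC, WAS | Select-Object Name, StartType
```

Because the policy governs only the service start type, Server Manager will still install the role on an unapproved server; the reply's point is that the installed IIS cannot run there, which is what a verification with Get-Service should confirm.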


    • #3
      Re: W2k8 GPO - Prevent Role changes

      Not clear if this will fix the original problem, as installing the role appears to be the trigger factor.

      @Stonelaughter (welcome back, btw): do users need local admin?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: W2k8 GPO - Prevent Role changes

        Hi Tom

        Yes they do need local admin because it's their server; however if they install IIS it ceases to be their responsibility under the contract to manage it, whether they keep doing it or not. Can you say "financial penalty clauses"?



        • #5
          Re: W2k8 GPO - Prevent Role changes

          @Scott

          That MIGHT actually be a solution worth exploring. If it can't run it can't affect anything
