Secure the local Administrators group on the desktop
There are three typical tasks you need to perform to protect the local Administrators group. Windows Server 2008 and Windows Vista SP1 (with RSAT installed) bring you powerful new controls that make these configurations easy!
If your company is like most, many users have local administrator rights on their workstations. There are solutions that eliminate this need, and that is the direction every company wants to move in. When users log on as a local administrator, IT staff cannot control that user or their computer. Therefore, to protect the local Administrators group on workstations you need some powerful tools. This article introduces the three tasks you need to perform to protect this group.
Task 1: Remove domain user accounts
The first task in protecting the local Administrators group is to ensure that users are no longer members of it. This is easier said than done, because most companies add the user's domain account to this group when they install the user's computer.
Consider the scenario where you have solved the problem of users who log on to their computers with local administrator rights, and you now need to remove the domain user accounts from the local Administrators group on each workstation in your production environment. You have up to 10,000 workstations, laptops, and remote users, so this is quite a task.
If you create a script to perform this task, you have to rely on the user logging off and back on for the script to run. That will never happen on about half of the workstations, so you need another way.
A perfect solution is the Local Group setting in Group Policy Preferences, which can perform this task in about 90 minutes. To use it, edit a Group Policy Object (GPO) and configure the following policy: User Configuration\Preferences\Control Panel Settings\Local Users and Groups\New\Local Group, which opens the New Local Group Properties dialog box shown in Figure 1.
Figure 1: Local Group GPP allows you to control membership of the local administrators group
After opening this property page, select 'Remove the current user'. This option affects all accounts within the scope of management of the GPO that contains the setting. The setting applies at the next background refresh of Group Policy, which takes less than 90 minutes.
Task 2: Add Domain Admins and the local Administrator
The next step in protecting the local Administrators group is to ensure that the Domain Admins global group and the local Administrator account are both added to the local Administrators group on each desktop.
You can use the Restricted Groups policy in Active Directory Group Policy to perform this task. The problem with this solution, however, is that it is a 'delete and replace' policy, not an 'append' policy. When you configure it for this task, you delete the entire contents of the local Administrators group and replace them with these two accounts.
By using the Local Users and Groups policy described in Task 1, you can not only remove the logged-on user but also add these two key accounts, ensuring that the proper administrative privileges are set up on each workstation, as shown in Figure 2.
Figure 2: Appending members to the local Administrators group
Task 3: Remove specific accounts
The final step in protecting the local Administrators group is to ensure that only authorized accounts have membership. In many cases, domain groups have been added to the local Administrators group to perform a certain task, complete a project, or carry out maintenance. If these groups no longer need to be in the local Administrators group, you can remove them with the new Local Users and Groups policy.
In the same way that you added two accounts in Task 2, you can also add to the policy the accounts that need to be removed. To do this, select the 'Remove from this group' option when adding an account to the policy, as shown in Figure 3.
Figure 3: Remove a certain group or user from the local Administrators group
Now you can control all members of the local Administrators group, and even remove unnecessary group and user accounts.
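To confirm that the three tasks took effect on a workstation, the following added example (not part of the original article) lists the effective members of the local Administrators group and flags every member other than the two accounts from Task 2. It assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember; the function name Test-LocalAdminMembership, the allow-list rule and the sample accounts are constructed for illustration.

```powershell
# Added example: audit the effective membership of the local Administrators group.
# Test-LocalAdminMembership and its allow-list rule are illustrative assumptions.
function Test-LocalAdminMembership {
    [CmdletBinding()]
    param(
        # Defaults to the live group, addressed by its well-known SID (S-1-5-32-544)
        # so the check does not depend on the localized group name.
        [object[]]$Members = (Get-LocalGroupMember -SID 'S-1-5-32-544')
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $rid = ($sid -split '-')[-1]
        $isAccountSid = $sid -match '^S-1-5-21-\d+-\d+-\d+-\d+$'
        # Task 2 allow-list: built-in local Administrator (RID 500, local source)
        # and the Domain Admins global group (RID 512, domain source).
        # Checking the source stops the *domain* Administrator (also RID 500)
        # from passing as the local one.
        $expected = $isAccountSid -and (
            ($rid -eq '500' -and $m.PrincipalSource -eq 'Local') -or
            ($rid -eq '512' -and $m.PrincipalSource -eq 'ActiveDirectory'))
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $m.Name
            SID      = $sid
            Source   = [string]$m.PrincipalSource
            Expected = $expected
        }
    }
}

# Constructed sample members (not real accounts) so the logic can be checked offline.
$dom = 'S-1-5-21-4444444444-5555555555-6666666666'
$sample = @(
    [pscustomobject]@{ Name = 'WKS01\Administrator';       SID = 'S-1-5-21-1111111111-2222222222-3333333333-500'; PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins';     SID = "$dom-512";  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith';            SID = "$dom-1104"; PrincipalSource = 'ActiveDirectory' }  # Task 1 leftover
    [pscustomobject]@{ Name = 'EXAMPLE\Project Installers'; SID = "$dom-1650"; PrincipalSource = 'ActiveDirectory' } # Task 3 leftover
)

# Members that Tasks 1 and 3 should have removed:
Test-LocalAdminMembership -Members $sample | Where-Object { -not $_.Expected }

# On a live workstation, omit -Members to read the real group:
# Test-LocalAdminMembership | Where-Object { -not $_.Expected }
```

Run against the sample, the filter returns the two constructed leftovers (the domain user and the project group); an empty result on a live workstation means only the two Task 2 accounts remain.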
Get the tools and rules
In order for you to take advantage of Group Policy Preferences settings in Windows Server 2008 and Vista, you only need one of the following for your network:
- Windows Server 2008
- Windows Vista SP1 with the Remote Server Administration Tools (RSAT) installed
Both of these operating systems have a new and improved Group Policy Management Console and Group Policy Management Editor.
The settings included in Group Policy Preferences are applicable to the following operating systems:
- Windows XP SP2 and higher
- Windows Server 2003 SP1 and higher
- Windows Vista SP1 and higher
- Windows Server 2008 and higher
However, no version of Windows 2000 is supported!
Conclusion
The plain truth is that IT staff have no control over workstations where users have administrator privileges. Therefore every company needs to enforce control of its workstations and protect the local Administrators group. The steps in this article are possible thanks to Group Policy Preferences, available in Windows Server 2008 and Vista. With just a few clicks, you can get 100% control over your workstations and the local Administrators group. These settings apply in about 90 minutes to all computers that are in the domain and on the network.