Secure the internal admin group on the desktop

There are three typical tasks you need to perform to protect the Local Administrators group. Windows Server 2008 and Windows Vista SP1 (installed RSAT) will bring you incredible new controls that make these configurations soothing!

If your company is like most companies, there will be many users with internal administrator rights on their workstations. There are many solutions to eliminate this need, this is the direction that every company wants to implement. When users log on to the system as an internal administrator, IT staff will not be able to control that user or their computer. Therefore, to protect the local administrators group on workstations you need to use some powerful tools. There are three tasks you need to do to protect this group of users that will be introduced in this article. Windows Server 2008 and Windows Vista SP1 (installed RSAT) will bring you incredible new controls that make these configurations soothing!

Task 1: Remove user accounts in the domain

The task of protecting the internal administrators group is to ensure that users are no longer part of the group's membership. This is easier said than done because most companies configure the domain account of the user who is a member of this group when installing the user's computer.

Consider the scenario where you solve the problem with users who are logged on to their computer with local administrator rights and now you need to remove user accounts in the domain from the management group. internal administrator on each workstation in his production environment. You have up to 10,000 workstations, laptops, and remote users, so there is a task set for you.

If you create a script to perform this task, you will have to rely on the user to log out and return to the script to continue running. Never happen to about half of the workstations, so you need another way.

A perfect solution is to use Local Group - Group Policy Preference can perform this task in about 90 minutes. To do this, simply edit the Group Policy Object (GPO) and configure the following policy: User ConfigurationPreferencesControl Panel SettingsLocal Users and GroupsNewLocal Group , which will open the New Local Group Properties dialog box as shown in the figure. first.

Figure 1: Local Group GPP allows you to control membership of the local administrators group

After opening this property page, select 'Remove the current user'. This option will affect all accounts within the management scope of the GPO with this setting. This setting will apply during the next implicit refresh of Group Policy, which takes less than 90 minutes.

Task 2: Add Domain Admin and Local Administrator

The next step in the internal administrator group protection process is to ensure that the Global Domain Admins group and local Administrator account are all added to the local Administrators group on each desktop.

You can use the Restricted Groups policy contained in Windows Active Directory Group Policy to perform this task. The problem with this solution, however, is that this policy is a 'delete and replace' policy, not a policy in the true sense of appending data. So when you configure a policy to perform this task, you will delete the entire contents of the local Administrators group and replace it with these two accounts.

By using the Local Users and Groups policy described in task 1, you can not only remove the logged-in user, but you can also add two main accounts to ensure proper administrative privileges. is set up on each workstation, as shown in Figure 2.

Figure 2: Appending the member of the local Administrators group

Task 3: Revome specific accounts

The final step in protecting the local Administrators group is to ensure that only authenticated accounts have membership. In many cases, there are groups in the domain that are added to the local Administrators group to perform a certain task, complete a project, or perform maintenance. If these groups do not need to be in the local Administrators group, you can completely remove them with the new Local Users and Groups policy.

In a similar situation where you have added two accounts in task 2, you can also add accounts to the policy that need to be removed. To do this, select the ' Remove from this group ' option when adding an account to the policy, as shown in Figure 3.

Figure 3: Remove a certain group or user from the local Administrators group

Now you can control all members of the local Administrators group, and even remove unnecessary group and user accounts.

Get the tools and rules

In order for you to take advantage of Group Policy Preferences settings in Windows Server 2008 and Vista, you only need one of the following for your network:

1. Windows Server 2008 Server
2. Windows Vista SP1, installed Remote Server Administrative Toolset

Both of these operating systems have a new and improved Group Policy Management Console and Group Policy Management Editor.

The settings included in Group Policy Preferences are applicable to the following operating systems:

1. Windows XP SP2 and higher
2. Windows Server 2003 SP1 and higher version
3. Windows Vista SP1 and higher version
4. Windows Server 2008 and higher

However, any version of Windows 2000 does not work!

Conclude

100% of the truth is that IT staff have no control over the workstations where users have administrator privileges. Therefore all companies need to enforce the control of workstations as well as protect the internal management group. The steps introduced in this article are possible thanks to the help of Group Policy Preferences available in Windows Server 2008 and Vista. With just a few clicks, you can get 100% control over your workstations and the local admin group. These settings will apply for about 90 minutes, valid for all computers located in the domain and on the network.