| Author | Messages | |
gabriel/tfi
Posts:381
 | | 12/01/2008 11:35 AM |
| I think it's a long-debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
Manually putting a user into the local Administrators group is a burden (also, startup scripts do not work in many conditions). Creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but then an "admin user" is granted admin privileges on all of those machines.
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| listmail
Posts:763
 | | 12/01/2008 12:21 PM |
| I agree. This is something that is done at build time by the machine builder when setting up the machine for the user in question; then it isn't an administrative burden, it is simply part of the build process.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org On Behalf Of Al Mulnick
Sent: Monday, December 01, 2008 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to manage users into machine local admins group.
If you are putting a group into the local administrators group, by definition you want to grant access to a large number of users on a large number of machines. If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
Just adding them at build time works too.
Am I missing something in your requirements?
| | | |
| darren
Posts:329
 | | 12/01/2008 12:44 PM |
| This is actually something that is supported in the new GP Preferences feature. You can create a per-user preference under "Local Users and Groups" that lets you add users to groups. In this case, GP Prefs explicitly supports a check box called "Add the Current User" which greatly simplifies the process of doing this without having to write complicated scripts. Of course, all the normal caveats about how adding your users to the administrators group is tantamount to total destruction of your environment, apply :).
Darren
****
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
"The Group Policy Experts"
www.sdmsoftware.com
Spot and report on GPO inconsistencies quickly with GPO Compare http://www.sdmsoftware.com/group_policy_compare
| | | |
| amulnick
Posts:162
 | | 12/01/2008 1:59 PM |
| Doesn't that require owner/manager definition in AD on the computer object? Seems like a long way to go to get what you want since you'd have to forever be updating that information as machines come and go.
| | | |
| listmail
Posts:763
 | | 12/01/2008 2:21 PM |
| I think I am reading what Darren wrote differently... I am reading... Add the current user as in whoever logs on... they become an admin. Sort of like adding the Interactive group to the admins group, maybe...
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| darren
Posts:329
 | | 12/01/2008 2:23 PM |
| Al-
Nope. This is a per-user policy so it resolves to the currently logged on user at logon time. Where it gets tricky is when you have machines used by multiple users, since you may not want to add each user to the local group.
Darren
| | | |
| amulnick
Posts:162
 | | 12/01/2008 2:31 PM |
| I think I prefer the old tried and true way of adding the user at join/build time. But I'll have to investigate further to see if this provides value.
Cheers,
Al
| | | |
| listmail
Posts:763
 | | 12/01/2008 2:38 PM |
| So it is like adding interactive to the admins group... Yeah?
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| darren
Posts:329
 | | 12/01/2008 2:48 PM |
| Yep, basically, except it is explicitly adding the user id rather than the Interactive principal.
Darren
| | | |
| gabriel/tfi
Posts:381
 | | 12/01/2008 2:54 PM |
| Case one works great for the Desktop support team group, which commonly requires elevated privileges on client machines.
For 1:1 administrators (1 user : 1 machine), such as the software developers, the script at build time does not fully do what I expect; I would need something that a) is managed centrally and b) enforces/refreshes that configuration on a regular basis.
I think a 3rd party tool is needed and it would be great if it could allow “temp” administrative rights from a central console (say you want to grant a user the admin privileges for 3 hours on his own machine).
Thanks – Gabriele.
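Gabriele's three requirements (managed centrally, re-applied on a schedule, time-limited grants) can also be met with a scheduled reconciliation script rather than a third-party console. The following is an added example, not code from this thread or from any product it mentions; the share path, the CORP domain name and the JSON allow-list layout are assumptions.

```powershell
<#
 Added example, not code from the thread or from any product it mentions.
 Reconciles this machine's local Administrators group against a centrally managed,
 per-computer allow-list: membership is defined in one place, a scheduled run
 re-applies it and reports drift, and a grant may carry an expiry, so a
 "three hours of admin" request ages out without a second change.

 Assumptions (placeholders, none of them from the thread):
   - Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.
   - The allow-list is a JSON file on a share the computer account can read but
     not write; the path, the CORP domain and the file layout are invented.
   - Runs as SYSTEM from a scheduled task. Without -Enforce it only reports drift,
     so it can be piloted before it is allowed to change anything.
#>
[CmdletBinding()]
param(
    [string]$AllowListPath = '\\FILESERVER\LocalAdmins$\allowlist.json',  # placeholder
    [string]$GroupName     = 'Administrators',
    # Never removed, whatever the allow-list says. 'CORP' is a placeholder domain.
    [string[]]$Baseline    = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins'),
    [switch]$Enforce
)

# Allow-list layout (constructed). Keys are computer names; each entry names one
# principal and an optional UTC expiry. A null ExpiresUtc means permanent.
#   {
#     "WS-DEV-017": [
#       { "Principal": "CORP\\gscolaro",    "ExpiresUtc": null },
#       { "Principal": "CORP\\contractor1", "ExpiresUtc": "2008-12-01T20:00:00Z" }
#     ]
#   }

function Get-DesiredMembers {
    # Principals the allow-list grants to this computer right now. Expired entries
    # are filtered here, so revocation needs no edit to the file.
    param([string]$Path, [string]$Computer, [datetime]$NowUtc = (Get-Date).ToUniversalTime())
    $doc  = Get-Content -Path $Path -Raw -ErrorAction Stop | ConvertFrom-Json
    $prop = $doc.PSObject.Properties[$Computer]
    $entries = if ($prop) { @($prop.Value) } else { @() }
    $live = foreach ($e in $entries) {
        if (-not $e) { continue }
        if ([string]::IsNullOrEmpty($e.ExpiresUtc)) { $e.Principal; continue }
        if ([DateTimeOffset]::Parse($e.ExpiresUtc).UtcDateTime -gt $NowUtc) { $e.Principal }
    }
    return @($live)
}

function Get-MembershipDrift {
    # Case-insensitive set difference in both directions. Anything present that is
    # neither baseline nor granted lands in ToRemove; that includes orphaned SIDs,
    # which Get-LocalGroupMember reports with the SID string as the Name.
    param([string[]]$Desired, [string[]]$Current)
    $cmp    = [StringComparer]::OrdinalIgnoreCase
    $wanted = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $have   = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($d in $Desired) { if ($d) { [void]$wanted.Add($d) } }
    foreach ($c in $Current) { if ($c) { [void]$have.Add($c) } }
    [pscustomobject]@{
        ToAdd    = @($wanted | Where-Object { -not $have.Contains($_) })
        ToRemove = @($have   | Where-Object { -not $wanted.Contains($_) })
    }
}

$desired = @($Baseline) + @(Get-DesiredMembers -Path $AllowListPath -Computer $env:COMPUTERNAME)
# -ErrorAction Stop: on some builds Get-LocalGroupMember fails outright when the
# group holds an orphaned SID; better to stop than to enforce against a partial list.
$current = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop | ForEach-Object { $_.Name })
$drift   = Get-MembershipDrift -Desired $desired -Current $current

foreach ($p in $drift.ToAdd) {
    Write-Output "ADD    $p -> $GroupName"
    if ($Enforce) { Add-LocalGroupMember -Group $GroupName -Member $p -ErrorAction Stop }
}
foreach ($p in $drift.ToRemove) {
    Write-Output "REMOVE $p <- $GroupName"
    if ($Enforce) { Remove-LocalGroupMember -Group $GroupName -Member $p -ErrorAction Stop }
}
if (-not $drift.ToAdd -and -not $drift.ToRemove) { Write-Output "OK     $GroupName matches policy" }
```

The ADD/REMOVE lines it prints are the drift record worth forwarding to a central log, since each one is either a grant being applied or a local admin that nobody authorised.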
| | | |
| amulnick
Posts:162
 | | 12/01/2008 3:04 PM |
| That's very different from what has been discussed so far. Not an uncommon request either. I've seen solutions to this, but I'll have to dig it out of old emails to see if I can recall the products.
On Mon, Dec 1, 2008 at 2:49 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
> Case one works great for Desktop support team group that commonly
> requires elevated privileges on client machines.
| | | |
| ClydeBurns
Posts:16
 | | 12/01/2008 3:16 PM |
| Couldn't you add a help desk specific group to the workstation at build time? Then let the help desk log the "I need local admin access" request to the change control / ticketing system. Then do the actual permissioning manually.
How often do you anticipate having to give a user local admin access?
Clyde Burns
________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 3:00 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
Another situation that might warrant this is giving admin access to helpdesk personnel for a temporary time. Let them elevate their privs.
Al
On Mon, Dec 1, 2008 at 2:53 PM, Gabriele Scolaro <gabro@gabro.net<mailto:gabro@gabro.net>> wrote:
Yes, but...
a) What about users you need "to privilege" after the machine has been built and released to them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish a 3rd party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed...).
Thanks - Gabriele.
| | | |
| gabriel/tfi
Posts:381
 | | 12/01/2008 3:20 PM |
| Having everyone who logs onto the computer being an admin is not exactly something desirable, but something to think about, thanks for your input! (Can you point me to some docs about this GPP?)
Can't that GPP be easily coupled with a kind of "Log on Locally" right or similar, so that only the machine owner and the desktop support team are affected by the "Add the Current User" GPP?
Thank you very much,
Regards Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Monday, December 1, 2008 18.39 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
This is actually something that is supported in the new GP Preferences feature. You can create a per-user preference under Local Users and Groups that lets you add users to groups. In this case, GP Prefs explicitly supports a check box called Add the Current User which greatly simplifies the process of doing this without having to write complicated scripts. Of course, all the normal caveats about how adding your users to the administrators group is tantamount to total destruction of your environment, apply. :-)
Darren
****
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
"The Group Policy Experts"
www.sdmsoftware.com <http://www.sdmsoftware.com/>
Spot and report on GPO inconsistencies quickly with GPO Compare http://www.sdmsoftware.com/group_policy_compare
| | | |
| gabriel/tfi
Posts:381
 | | 12/01/2008 3:26 PM |
| So you mean the helpdesk personnel to “manually” add the user account to local Administrators group (snap-in or script) and then “manually” remove the user?
| | | |
| darren
Posts:329
 | | 12/01/2008 3:30 PM |
| Gabriele-
Lots of resources out there about GPP. You might want to check out this whitepaper I wrote as a starting point:
http://www.gpoguy.com/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/7/Group-Policy-Preferences-Overview-Whitepaper.aspx
You might also want to check out this upcoming training that I just got an email about today:
http://www.braincore.net/gpptraining.htm
As for narrowing the list, in any situation, regardless of the mechanism, you have to somehow know in advance who the authorized user to be added is. You either have some mapping table that you can use or something that is stored on the machine or in AD that knows who its owner is. In either case, you don't even have to mess with Logon Locally rights. The GPP feature has some very granular item-level targeting that could let you filter based on an environment variable, LDAP query, etc. The bottom line is that you have to somehow know who the authorized user is to be added to the group.
Darren
| | | |
| listmail
Posts:763
 | | 12/01/2008 3:34 PM |
| I think Al is describing a "checkout admin" system. It is implemented in various ways in different companies, I have seen it for DA/EA privs, I have seen it for local admin privs, I have seen it for Exchange mailbox access (actually only saw that once because I wrote it).
So this checkout system could be...
1. A password motel where you have a fixed ID with a locked up password and if someone wants access, they contact the holder of the keys and he/she gives out the info and then changes the password and locks that up when they are done. This is an ok system but doesn't scale.
2. Similar to 1 but automated through a web site.
3. A website you go to that has perms everywhere and then adds your specific ID to the groups or ACLs as necessary.
Of course someone could build a whole agent/console configuration to do this but I am not sure the need is all that great. Does the list think otherwise? If so, what would someone pay to have this functionality? You install an agent on any machines you want managed (regardless of domain/forest/whatever) and then you can manage the admin rights on the box from a central console. Knowing full well that if the console machine were compromised, all machines managed by it could also be compromised.
joe
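As an added example (not code from the thread, and not any product joe mentions), here is what the per-machine side of his option 3 can look like in PowerShell: a "checkout" grant of local admin rights with a built-in expiry and an append-only central audit record. It assumes the LocalAccounts and ScheduledTasks modules (Windows 10 / Server 2016 and later), runs elevated, and uses a hypothetical share path for the audit log.

```powershell
# Added example, not code from the thread: a minimal "checkout" style grant of local
# admin rights with an expiry. Assumptions (labelled): elevated PowerShell on
# Windows 10 / Server 2016+ (LocalAccounts and ScheduledTasks modules); $AuditLog is
# a hypothetical UNC path on a share where workstations can append but not read back
# or modify existing records.
function Grant-TemporaryLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Member,     # e.g. 'CONTOSO\jdoe' (constructed)
        [Parameter(Mandatory)] [string] $Ticket,     # change / ticket reference for the grant
        [ValidateRange(1, 24)] [int]    $Hours = 3,
        [string] $AuditLog = '\\fileserver01\adminlog$\grants.jsonl'   # hypothetical share
    )

    $adminsSid = 'S-1-5-32-544'          # well-known SID of BUILTIN\Administrators (locale independent)
    $expires   = (Get-Date).AddHours($Hours)
    $taskName  = 'RevokeLocalAdmin-' + ($Member -replace '[\\@ ]', '_')

    if (-not $PSCmdlet.ShouldProcess($Member, "add to Administrators until $expires")) { return }

    Add-LocalGroupMember -SID $adminsSid -Member $Member -ErrorAction Stop

    # Revocation runs as SYSTEM from a scheduled task, so the grant lapses without anyone
    # having to remember it. The grantee is an admin and can tamper with the task (joe's
    # objection), which is why the central audit record below, not the task, is what you
    # reconcile actual membership against.
    $revoke = "Remove-LocalGroupMember -SID $adminsSid -Member '$Member'; " +
              "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -NonInteractive -Command `"$revoke`""
    $trigger   = New-ScheduledTaskTrigger -Once -At $expires
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null

    # Append-only central record: who granted what, on which machine, until when, and why.
    $record = [pscustomobject]@{
        Time      = (Get-Date).ToString('o')
        Computer  = $env:COMPUTERNAME
        Member    = $Member
        GrantedBy = "$env:USERDOMAIN\$env:USERNAME"
        Expires   = $expires.ToString('o')
        Ticket    = $Ticket
    }
    $record | ConvertTo-Json -Compress | Add-Content -Path $AuditLog
    return $record
}

# Example call with constructed values:
# Grant-TemporaryLocalAdmin -Member 'CONTOSO\jdoe' -Ticket 'CHG-0042' -Hours 3
```

The grants.jsonl records answer Gabriele's question b) (who is an admin of what, and until when) only if something periodically compares them with what the machines actually report; the check is the other half of the design.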
| | | |
| gabriel/tfi
Posts:381
 | | 12/01/2008 3:41 PM |
| Manual config and distributed config do not sound very good together! ;-)
| | | |
| listmail
Posts:763
 | | 12/01/2008 3:45 PM |
| A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
| | | |
| adwulf
Posts:73
 | | 12/01/2008 4:01 PM |
| 2008/12/1 joe <listmail@joeware.net>:
> I agree, this is something that is done at build time by the machine builder
> when setting up the machine for the user in question, then it isn't an
> administrative burden; it is simply part of the build process.
>
> joe
>
Delegate!
If workstations belong to a specific SW Dev team, add their AD group to the local admins group at build time. Or add a group for "SW Dev Team Managers".
This may mean that people other than Joe Bloggs get admin privs, but it also means that if Tom, Dick or Sally need admin privs on that machine, they only need speak to somebody in that SW Dev Team, or a manager from their division.
You're giving them the ability to decide who should be admin on their (the SW Dev team's) workstations, so make sure that you get them to sign off on taking the responsibility that comes with that power.
You may want to run a (remotely executed) script to do something like:
net localgroup administrators >> \\fileserver01\adminigroups$\%COMPUTERNAME%_%DATE%_Admin.txt - perhaps by using psexec.exe from sysinternals/Technet.
So you can keep track of what's going on. This won't scale to thousands of computers.
If you want to risk using locally scheduled task to report on this, you can try:
=BEGIN admincheck.cmd
REM First we'll delete the old file
del c:\control\admins.old.txt
REM now let's take the existing admin group dump and put it in the .old file
move c:\control\admins.txt c:\control\admins.old.txt
REM and then we take a look at what's in the local admins group now
net localgroup administrators > c:\control\admins.txt

REM now for the interesting part
REM - we're going to compare what was in the admins group with what's in it now
ECHO n|COMP "c:\control\admins.txt" "C:\control\admins.old.txt" | FIND "Files compare OK" > nul

IF ERRORLEVEL 1 GOTO PROBLEM
IF ERRORLEVEL 0 GOTO END

:PROBLEM
REM uh-oh, somebody's been added to, or removed from the admins group - better tell somebody about this!
blat - -log admincheck.log -to helpdesk@domain.test -server smtp.domain.test -f security@domain.test -subject "Security Alert! - admins changed on %computername%" -body "please review the attached files for differences in the membership of the local administrators group. If the workstation owner cannot be contacted, and no authorised change can be found, you MUST raise a ticket for this as a security breach." -embed c:\control\admins.old.txt -embed c:\control\admins.txt -q
REM we could add other things in here, like using eventcreate.exe, or running some other code to generate a support ticket or maybe sending an SNMP trap.

:END
ECHO Admins checked at %time% on %date% >> admincheck.log
REM nothing to see here, move along please
Exit
=END admincheck.cmd
The above depends on:
i) The users with admin privs not using them to disable/edit the script/sched task
ii) The presence of blat.exe and an accessible SMTP server
You would probably be better off finding out EXACTLY which permissions these devs need and creating a local group for SW-Devs with those permissions. Perhaps "Power User" + "Network Configuration" + "Remote Desktop Users" + "Debugger Users" + any other file/registry ACL hardening or softening + maybe the all-powerful load/unload driver priv + Logon as a service (if that's what the app they're developing does).
-- AdamT
"Surround yourself with the best people you can find, delegate authority, and don't interfere" - Ronald Reagan
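A PowerShell take on the same membership check, added here as an example and not part of AdamT's post: instead of a byte-for-byte COMP of two dumps it parses the `net localgroup` output, keeps the last snapshot as JSON, reports exactly which principals were added or removed, and writes an Application event the helpdesk can alert on. The state directory and event source name are placeholders chosen for this example, and the same caveat from the post applies: a local admin can still disable the scheduled task.

```powershell
# Added example (not from the thread). Assumed to run as a scheduled task under SYSTEM.
$StateDir    = 'C:\control'                       # placeholder path for this example
$StateFile   = Join-Path $StateDir 'admins.json'
$EventSource = 'AdminCheck'                       # placeholder event source name

function Get-LocalAdmins {
    # Parse 'net localgroup Administrators' so this works on hosts that predate
    # the LocalAccounts module. Members are listed between the dashed separator
    # and the 'completed successfully' line.
    $inList = $false
    foreach ($line in (& net.exe localgroup Administrators)) {
        if ($line -match '^-{5,}$')               { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim())             { $line.Trim() }
    }
}

function Compare-AdminMembership {
    param([string[]]$Previous, [string[]]$Current)
    # Case-insensitive set difference (account names are not case sensitive).
    $prev = @{}; foreach ($p in $Previous) { $prev[$p.ToLower()] = $p }
    $cur  = @{}; foreach ($c in $Current)  { $cur[$c.ToLower()]  = $c }
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { -not $prev.ContainsKey($_.ToLower()) })
        Removed = @($Previous | Where-Object { -not $cur.ContainsKey($_.ToLower()) })
    }
}

if (-not (Test-Path $StateDir)) { New-Item -ItemType Directory -Path $StateDir | Out-Null }

$current  = @(Get-LocalAdmins)
$previous = if (Test-Path $StateFile) { @(Get-Content $StateFile -Raw | ConvertFrom-Json) } else { @() }
$diff     = Compare-AdminMembership -Previous $previous -Current $current

if ($diff.Added.Count -gt 0 -or $diff.Removed.Count -gt 0) {
    # Register the source once (needs admin, which SYSTEM has), then log a warning
    # naming the change so a SIEM or helpdesk rule can key on event id 4001.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $msg = "Local Administrators changed on $env:COMPUTERNAME. " +
           "Added: [$($diff.Added -join ', ')] Removed: [$($diff.Removed -join ', ')]"
    Write-EventLog -LogName Application -Source $EventSource -EntryType Warning -EventId 4001 -Message $msg
}

# Persist the current membership for the next run (first run only seeds the file).
ConvertTo-Json -InputObject @($current) | Set-Content $StateFile
```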
| | | |
| darren
Posts:329
 | | 12/01/2008 4:07 PM |
| Right. See my later email. If you are in an environment of one user, one computer, then this mechanism is just fine. However, if you are in an environment of multiple users logging into a computer, then you still need some mapping of "authorized user" to computer, external from this. Even if you were to use Interactive, you have the same problem, though I suppose with Interactive, you have more flexibility in terms of how you implement the mapping.
Darren
****
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
"The Group Policy Experts"
www.sdmsoftware.com <http://www.sdmsoftware.com/>
Spot and report on GPO inconsistencies quickly with GPO Compare http://www.sdmsoftware.com/group_policy_compare
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 01, 2008 12:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Not certain if I see what the benefit would be unless you can say, this and only this person and not anyone who logs on, which isn't what I am getting out of what you are saying. Or am I misunderstanding?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Monday, December 01, 2008 2:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yep, basically, except it is explicitly adding the user id rather than the Interactive principal.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 01, 2008 11:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
So it is like adding interactive to the admins group... Yeah?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Monday, December 01, 2008 2:16 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Al-
Nope. This is a per-user policy so it resolves to the currently logged on user at logon time. Where it gets tricky is when you have machines used by multiple users, since you may not want to add each user to the local group.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 10:55 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
Doesn't that require owner/manager definition in AD on the computer object? Seems like a long way to go to get what you want since you'd have to forever be updating that information as machines come and go.
On Mon, Dec 1, 2008 at 12:38 PM, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
This is actually something that is supported in the new GP Preferences feature. You can create a per-user preference under "Local Users and Groups" that lets you add users to groups. In this case, GP Prefs explicitly supports a check box called "Add the Current User" which greatly simplifies the process of doing this without having to write complicated scripts. Of course, all the normal caveats about how adding your users to the administrators group is tantamount to total destruction of your environment, apply :)
Darren