listmail | Posts: 763 | 12/01/2008 4:13 PM
Good god....
DO NOT USE PSEXEC for this. Horrible overkill. PSEXEC is a nice tool and all, but Mark forgot one major thing: the ability to set up a static service on the clients, so every time you run it it doesn't have to install the service, start the service, copy the exe over, run it, stop the service, uninstall the service. Couldn't have been more fat for so many things that can be done remotely through normal APIs.
To do something so simple as looking at or modifying the remote admins group on a remote machine use lg from http://www.joeware.net/freetools/tools/lg/index.htm
Then it is as simple as
lg \\machinename\administrators
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Adam Thompson
Sent: Monday, December 01, 2008 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to manage users into machine local admins group.

2008/12/1 joe <listmail@joeware.net>:
> I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
>
> joe
Delegate!
If workstations belong to a specific SW Dev team, add their AD group to the local admins group at build time. Or add a group for "SW Dev Team Managers".
This may mean that people other than Joe Bloggs get admin privs, but it also means that if Tom, Dick or Sally need admin privs on that machine, they only need speak to somebody in that SW Dev Team, or a manager from their division.
You're giving them the ability to decide who should be admin on their (the SW Dev team's) workstations, so make sure that you get them to sign off on taking the responsibility that comes with that power.
You may want to run a (remotely executed) script to do something like:
net localgroup administrators >> \\fileserver01\adminigroups$\%COMPUTERNAME%_%DATE%_Admin.txt - perhaps by using psexec.exe from sysinternals/Technet.
So you can keep track of what's going on. This won't scale to thousands of computers.
If you want to risk using a locally scheduled task to report on this, you can try:
=BEGIN admincheck.cmd
REM First we'll delete the old file
del c:\control\admins.old.txt
REM now let's take the existing admin group dump and put it in the .old file
move c:\control\admins.txt c:\control\admins.old.txt
REM and then we take a look at what's in the local admins group now
net localgroup administrators > c:\control\admins.txt

REM now for the interesting part
REM - we're going to compare what was in the admins group with what's in it now
ECHO n|COMP "c:\control\admins.txt" "C:\control\admins.old.txt" | FIND "Files compare OK" > nul

IF ERRORLEVEL 1 GOTO PROBLEM
IF ERRORLEVEL 0 GOTO END

:PROBLEM
REM uh-oh, somebody's been added to, or removed from the admins group - better tell somebody about this!
blat - -log admincheck.log -to helpdesk@domain.test -server smtp.domain.test -f security@domain.test -subject "Security Alert! - admins changed on %computername%" -body "please review the attached files for differences in the membership of the local administrators group. If the workstation owner cannot be contacted, and no authorised change can be found, you MUST raise a ticket for this as a security breach." -embed c:\control\admins.old.txt -embed c:\control\admins.txt -q
REM we could add other things in here, like using eventcreate.exe, or running some other code to generate a support ticket or maybe sending an SNMP trap.

:END
ECHO Admins checked at %time% on %date% >> admincheck.log
REM nothing to see here, move along please
Exit
=END admincheck.cmd
The above depends on:
i) The users with admin privs not using them to disable/edit the script/sched task
ii) The presence of blat.exe and an accessible SMTP server
You would probably be better off finding out EXACTLY which permissions these devs need and creating a local group for SW-Devs with those permissions. Perhaps "Power User" + "Network Configuration" + "Remote Desktop Users" + "Debugger Users" + any other file/registry ACL hardening or softening + maybe the all-powerful load/unload driver priv + Logon as a service (if that's what the app they're developing does).
--
AdamT
"Surround yourself with the best people you can find, delegate authority, and don't interfere" - Ronald Reagan

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
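The membership diff that admincheck.cmd runs on one workstation, extended over dumps collected from many machines so it also yields a who-is-admin-where view, as an added example written for this thread (not code from the list, joeware or blat). It assumes the English-language layout of `net localgroup administrators` output; host and account names are constructed sample data.

```python
"""Cross-machine drift check for local Administrators membership.

Added example for this thread, not code from the list or from joeware/blat.
It parses the text `net localgroup administrators` prints (the same dump
admincheck.cmd stores in c:\\control\\admins.txt), diffs each machine's
previous and current dump, and inverts the dumps into a member -> machines
view. Assumes English Windows output; machine and account names are
constructed sample data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Layout of `net localgroup administrators` output: header, dashed separator,
# one member per line, then the trailer line.
HEADER = (
    "Alias name     administrators\n"
    "Comment        Administrators have complete and unrestricted access "
    "to the computer/domain\n\nMembers\n\n" + "-" * 79 + "\n"
)
TRAILER = "The command completed successfully."
SEPARATOR = re.compile(r"^-{10,}\s*$")


def make_dump(*members: str) -> str:
    """Build a constructed sample dump in the layout shown above."""
    return HEADER + "".join(m + "\n" for m in members) + TRAILER + "\n\n"


# Constructed snapshots: previous run vs. current run, keyed by host name.
PREVIOUS_DUMPS = {
    "WS001": make_dump("Administrator", r"CORP\Domain Admins", r"CORP\jbloggs"),
    "WS002": make_dump("Administrator", r"CORP\Domain Admins", r"CORP\SWDev-Managers"),
    "WS003": make_dump("Administrator", r"CORP\Domain Admins"),
}
CURRENT_DUMPS = {
    # WS001: an extra account appeared since the last run.
    "WS001": make_dump("Administrator", r"CORP\Domain Admins", r"CORP\jbloggs", r"CORP\tdick"),
    # WS002: Domain Admins was removed, which is just as worth flagging.
    "WS002": make_dump("Administrator", r"CORP\SWDev-Managers"),
    # WS003 delivered no dump this run (offline, or the scheduled task was disabled).
}


def parse_net_localgroup(dump: str) -> Set[str]:
    """Return the member names below the dashed separator, case-folded
    because Windows account names compare case-insensitively."""
    members: Set[str] = set()
    in_list = False
    for line in dump.splitlines():
        if not in_list:
            in_list = bool(SEPARATOR.match(line))
            continue
        name = line.strip()
        if name and name != TRAILER:
            members.add(name.casefold())
    return members


def diff_members(old: Set[str], new: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) between two membership sets."""
    return new - old, old - new


def drift_report(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """One alert line per change; a missing current dump is itself an alert,
    since the check depends on the scheduled task still running."""
    alerts: List[str] = []
    for machine in sorted(set(previous) | set(current)):
        if machine not in current:
            alerts.append(f"{machine}: no current dump (host offline or script disabled)")
            continue
        old = parse_net_localgroup(previous.get(machine, ""))
        new = parse_net_localgroup(current[machine])
        added, removed = diff_members(old, new)
        alerts.extend(f"{machine}: ADDED {m}" for m in sorted(added))
        alerts.extend(f"{machine}: REMOVED {m}" for m in sorted(removed))
    return alerts


def global_view(dumps: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert per-machine dumps into member -> sorted list of machines,
    i.e. who is an administrator of what."""
    view: Dict[str, List[str]] = defaultdict(list)
    for machine, dump in sorted(dumps.items()):
        for member in parse_net_localgroup(dump):
            view[member].append(machine)
    return dict(view)


if __name__ == "__main__":
    for alert in drift_report(PREVIOUS_DUMPS, CURRENT_DUMPS):
        print(alert)
    for member, machines in sorted(global_view(CURRENT_DUMPS).items()):
        print(f"{member}: {', '.join(machines)}")
```

Point it at the per-machine files that admincheck.cmd (or the psexec one-liner above) already writes to the file share, and the missing-dump alert covers dependency (i): a host that stops reporting is worth a look too.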
amulnick | Posts: 162 | 12/01/2008 4:17 PM
No, not that. I mean that the helpdesk wouldn't have rights to the machine unless they check out the keys and get added. That has the danger of not being able to access the machine, but that's a separate issue. The tool I'm thinking of will periodically update the local admin password. The helpdesk has to sign out the keys and it's good for a certain period of time.
Just have to get my head to remember the products.
On Mon, Dec 1, 2008 at 3:11 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
> So you mean the helpdesk personnel to "manually" add the user account to local Administrators group (snap-in or script) and then "manually" remove the user?
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
> *Sent:* Monday, 1 December 2008 21.00
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] How to manage users into machine local admins group.
>
> Another situation that might warrant this is giving admin access to helpdesk personnel for a temporary time. Let them elevate their privs.
>
> Al
>
> On Mon, Dec 1, 2008 at 2:53 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
>
> Yes, but...
>
> a) What about users you need "to privilege" after the machine has been built and released to them?
>
> b) How to have a global view of who is an administrator of what machine?
>
> c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish a 3rd party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed…).
>
> Thanks – Gabriele.
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] *On Behalf Of *joe
> *Sent:* Monday, 1 December 2008 18.17
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] How to manage users into machine local admins group.
>
> I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> ------------------------------
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
> *Sent:* Monday, December 01, 2008 11:42 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] How to manage users into machine local admins group.
>
> If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
>
> If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
>
> Just adding them at build time works too.
>
> Am I missing something in your requirements?
>
> On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
>
> I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
>
> Manually putting a user into the local administrators group is a burden (also startup scripts do not work in many conditions); also creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but an "admin user" is granted admin privilege to all those certain machines.
>
> Thanks - Gabriele.
adwulf | Posts: 73 | 12/01/2008 5:26 PM
2008/12/1 joe <listmail@joeware.net>:
> Good god....
>
> DO NOT USE PSEXEC for this. Horrible overkill. PSEXEC is a nice tool and all but Mark forgot one major thing, the ability to set up a static service
[snip]
>
> To do something so simple as looking at or modifying the remote admins group on a remote machine use lg from
> http://www.joeware.net/freetools/tools/lg/index.htm
Top stuff.... I'd never heard of lg before now.
Thanks for the tool... if only you had the marketing muscle of Microsoft, I'd have been using this for years now (much like adfind, I suppose).
--
AdamT
"At times one remains faithful to a cause only because its opponents do not cease to be insipid." - Nietzsche
listmail | Posts: 763 | 12/02/2008 2:52 AM
If only I had their marketing budget... ;o)
LG is actually one of the first tools I made available to people to download, back before I had joeware.net. Prior to that it was lgenum and lgmod (sort of an lgfind/lgmod combo) which I wrote all the way back in about 1996 because Microsoft forgot to give a basic builtin ability to do remote local group management from the command line. Hard to believe they have still forgotten to do that.
Just to remind people though... They can check out all of the stuff I offer for free at
http://www.joeware.net/freetools/index.htm
Just scan through the quick descriptions.
Maybe I should have a blog entry of the week or month that gives a basic rundown of some random tool from the website. 
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
danholme | Posts: 164 | 12/02/2008 4:13 PM
Sorry coming in very late on this thread, but
1) Group Policy Preferences provide the best way to add individual users to their individual local Admins group, if I understand the requirement of the original post. Check out GPP's group management capability... it's really quite fantastic.
2) Steve Riley's book has a tool that does what was discussed: manages passwords for local administrators and "checks them out" so to speak. It's a freebie alternative to Liebermann and other such third-party tools, that do the same thing.
Dan

Dan Holme
Director of Training & Consulting
Intelliem * www.intelliem.com
dan.holme@intelliem.com
gabriel/tfi | Posts: 381 | 12/02/2008 8:59 PM
Option 3 would be great! :)
Anyway I recall recently there was a discussion on this list about how to manage AD groups to grant access to resources and someone stated (don't recall if it was you) that the best approach - also to avoid the SID bloat - was to use machine local security groups for resource permissions, and that the distributed configuration was centrally done with a database-driven management application which had full privileges on any server.
Well, it would be great to have a similar application to 1:1 manage and control localadmins and workstations they are admins over, Administrators is just a machine local security group like those someone suggested to be used for ACLing resource objects, no??
Thanks Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Monday, 1 December 2008 21.29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to manage users into machine local admins group.
I think Al is describing a "checkout admin" system. It is implemented in various ways in different companies, I have seen it for DA/EA privs, I have seen it for local admin privs, I have seen it for Exchange mailbox access (actually only saw that once because I wrote it).
So this checkout system could be...
1. A password motel where you have a fixed ID with a locked up password and if someone wants access, they contact the holder of the keys and he/she gives out the info and then changes the password and locks that up when they are done. This is an ok system but doesn't scale.
2. Similar to 1 but automated through a web site.
3. A website you go to that has perms everywhere and then adds your specific ID to the groups or ACLs as necessary.
Of course someone could build a whole agent/console configuration to do this but I am not sure the need is all that great. Does the list think otherwise? If so, what would someone pay to have this functionality? You install an agent on any machines you want managed (regardless of domain/forest/whatever) and then you can manage the admin rights on the box from a central console. Knowing full well that if the console machine were compromised, all machines managed by it could also be compromised.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
gabriel/tfi | Posts: 381 | 12/02/2008 9:30 PM
A. No, it's not common. But it may happen that the business requires some users to be empowered with Admin privileges :( at any time, so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? :) Of course managing laptops and desktops, because they might be off-line, could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a compromise with the user community when you come from an everybody's-admin situation and you start to revoke admin privs from all users (Hey Joe, I will revoke your privs BUT I will re-enable you with temp admin privs if you need them! :) ).
Also there are cases where working as a non-admin in Windows XP is problematic (e.g. mobile users when they are out of the company and need to install a printer driver).
Thanks Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Monday, 1 December 2008 21.35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
gabriel/tfi | Posts: 381 | 12/03/2008 5:29 PM
a. You're right, it happens sparingly, but unfortunately it happens and regional admins are actually doing that manually; what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list.
b. Sob.. I see that app does not exist
c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen, or if it happens the user has to open a ticket and give justifications, and that temp-admin assigned priv is tracked; if the user then makes her/himself privileged forever, then it's the user who is breaking the rules/policies.
Thanks Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, 3 December 2008 7.20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to manage users into machine local admins group.

a. I would expect this to be such an infrequent thing that pinging the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DAs for example. This is way below what most DAs in even medium sized orgs should be worrying about.
b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scalable app for anything but a small company.
c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, its not common. But it may happen the business requires some users to be empowered with Admin privileges L at any time so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? J Of course managing laptop and desktop because they might be off-line could be something challenging (thats why a GPO would be great!)
C. Temp Admin is stupid, period. But its a compromise with the user community when you come from everybodys admin situation and you start to revoke admin privs to all users (Hey Joe, I will revoke your privs
BUT I will re-enable you with temp admin privs if you need them! J.
Also there are cases that working as a non-admin in Windows XP is problematic (es: mobile users when they are out of the company and need to install a printer driver).
Thanks Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yes, but...
a) What about users you need to privilege after the machine has been built and released to the them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish a 3rd party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed).
Thanks Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
Just adding them at build time works too.
Am I missing something in your requirements?
On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
Manually putting a user into the local administrators group is a burden (also startup scripts do not work in many conditions); creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but an "admin user" is then granted admin privilege on all those certain machines.
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| gabriel/tfi
Posts:381
 | | 12/03/2008 5:58 PM |
| 1) Yes, you got it right and I will check GPP out for sure!
2) Is this the book? http://www.amazon.com/dp/0321336437 Is this the tool you're talking about? http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx
You cited 3rd-party tools like Lieberman's Random Password Manager to manage different administrator passwords across enterprise servers and workstations, AFAYK are there other tools that also centrally manage local Administrators group membership of workstations? (I know I'm stubborn as a mule and hard to surrender!LOL!)
Thanks for your input - Gabriele.
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme
> Sent: martedì 2 dicembre 2008 22.08
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] How to manage users into machine local admins group.
>
> Sorry coming in very late on this thread, but
>
> 1) Group Policy Preferences provide the best way to add individual users to their individual local Admins group, if I understand the requirement of the original post. Check out GPP's group management capability... it's really quite fantastic.
>
> 2) Steve Riley's book has a tool that does what was discussed: manages passwords for local administrators and "checks them out" so to speak. It's a freebie alternative to Liebermann and other such third-party tools, that do the same thing.
>
> Dan
> Dan Holme
> Director of Training & Consulting
> Intelliem * www.intelliem.com
> dan.holme@intelliem.com
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> Sent: Monday, December 01, 2008 9:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] How to manage users into machine local admins group.
>
> If only I had their marketing budget... ;o)
>
> LG is actually one of the first tools I made available to people to download back before I had joeware.net. Prior to that it was lgenum and lgmod (sort of an lgfind/lgmod combo) which I wrote all the way back in about 1996 because Microsoft forgot to give basic builtin ability to allow you to do remote local group management from the command line. Hard to believe they have still forgotten to do that.
>
> Just to remind people though... They can check out all of the stuff I offer for free at
>
> http://www.joeware.net/freetools/index.htm
>
> Just scan through the quick descriptions.
>
> Maybe I should have a blog entry of the week or month that gives a basic rundown of some random tool from the website.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Adam Thompson
> Sent: Monday, December 01, 2008 5:23 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] How to manage users into machine local admins group.
>
> 2008/12/1 joe <listmail@joeware.net>:
> > Good god....
> >
> > DO NOT USE PSEXEC for this. Horrible overkill. PSEXEC is a nice tool
> > and all but Mark forgot one major thing, the ability to set up a
> > static service
> [snip]
> >
> > To do something so simple as looking at or modifying the remote admins
> > group on a remote machine use lg from
> > http://www.joeware.net/freetools/tools/lg/index.htm
>
> Top stuff.... I'd never heard of lg before now.
>
> Thanks for the tool... if only you had the marketing muscle of Microsoft, I'd have been using this for years now (much like adfind, I suppose).
>
> --
> AdamT
> "At times one remains faithful to a cause only because its opponents do not cease to be insipid." - Nietzsche
| | | |
| sslists
Posts:44
 | | 12/03/2008 6:00 PM |
| I just went through this. I created a PowerShell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does
A) Creates domain group (I have this done)
B) Adds to the local machine's Administrators group (I have this done)
C) Adds the 'domain' user to the domain group so they have access (to-do)
D) Additional scripts to update / remove / replace users in the group (to-do)
PowerShell makes this pretty easy. From your description, you are thinking through your requirements, but there is nothing on the market that does what you want. We chose the 'domain' group added to the local machine; it centralizes administration to a single DC. If you have a separate forest with the user accounts, the 'groups' in the resource domain are 'Domain local' so I could add from our 'user' domain.
Hope that makes sense.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message ----- From: Gabriele Scolaro To: ActiveDir@mail.activedir.org Sent: Wednesday, December 03, 2008 5:26 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. You're right, it happens sparingly, but unfortunately it happens and regional admins are actually doing that manually; what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list.
b. Sob.. I see that app does not exist.
c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen, or if it happens the user has to open a ticket, give justifications, and that temp-admin assigned priv is tracked; if then the user makes her/himself privileged forever, it's the user who is breaking the rules/policies.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: mercoledì 3 dicembre 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. I would expect this to be such an infrequent thing that pinging the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DAs, for example. This is way below what most DAs in even medium sized orgs should be worrying about.
b. Yep, why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scalable app for anything but a small company.
c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
------------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges :-( at any time, so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? :-) Of course managing laptops and desktops, because they might be off-line, could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from an "everybody's admin" situation and you start to revoke admin privs to all users ("Hey Joe, I will revoke your privs. BUT I will re-enable you with temp admin privs if you need them!" :-) ).
Also there are cases where working as a non-admin in Windows XP is problematic (e.g. mobile users when they are out of the company and need to install a printer driver).
Thanks - Gabriele.
| | | |
| gabriel/tfi
Posts:381
 | | 12/03/2008 6:08 PM |
| Steve, if I understood well, that's what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group.
The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only.
Thanks Gabriele.
| | | |
| sslists
Posts:44
 | | 12/03/2008 7:15 PM |
| Close, but we aren't using restricted admin setting in GPO. That would grant everyone access to everyone's machine, defeating the purpose of selected access. We have 1 domain local group per machine in AD, then add this group to the local machine. When we grant user access, we add them to the appropriate domain local group that is on the local machines administrators group. Hope you follow that...
Here is an example, a group named 'ADM-Webserver1' (Domain Local Group) which is part of the local administrators group on WebServer1. When a person needs access to WebServer1, we add them to ADM-WebServer1. This should be easily scriptable.
I'm no super AD guru like Joe or Brian, but what we did achieved our goals.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message ----- From: Gabriele Scolaro To: ActiveDir@mail.activedir.org Sent: Wednesday, December 03, 2008 6:04 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Steve, if I understood well, that's what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group.
The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: mercoledì 3 dicembre 2008 23.55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
I just went through this. I created a powershell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does
A) Creates domain group (i have this done)
B) Adds to the local machines Administrators group (I have this done)
C) Adds the 'domain' user to the domain group so they have access (to-do)
D) Additional scripts to update / remove / replace users in the group. (to-do)
Powershell makes this pretty easy. From your description, you are thinking through your requirementrs, but nothing on the market that does what you want. We chose the 'domain' group added to the local machine centralizes administration to a single DC. If you have a separate forest which the user accounts, the 'groups' in the resource domain 'Domain local' so I could add from our 'user' domain.
Hope that makes sense.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message -----
From: Gabriele Scolaro
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 03, 2008 5:26 PM
Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. You're right, it sparingly happens. but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list..
b. Sob.. I see that app does not exist.
c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then it's the user who is breaking the rules/policies
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: mercoledì 3 dicembre 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. I would expect this to be such a infrequent thing that pingng the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about.
b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scaleable app for anything but a small company.
c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
----------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges L at any time so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? J Of course managing laptop and desktop because they might be off-line could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from "everybody's admin" situation and you start to revoke admin privs to all users ("Hey Joe, I will revoke your privs. BUT I will re-enable you with temp admin privs if you need them!" J.
Also there are cases that working as a non-admin in Windows XP is problematic (es: mobile users when they are out of the company and need to install a printer driver).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of "we deployed all these and we meant to do it but didn't", then I see that as a one-off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like, say, access to mailboxes, where you can turn the right on and off easily and getting the right doesn't give permission to sidestep the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
----------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yes, but...
a) What about users you need "to privilege" after the machine has been built and released to them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say, road warriors that establish a 3rd-party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed.)
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 01, 2008 6:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
----------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
If you are putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
Just adding them at build time works too.
Am I missing something in your requirements?
On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
Manually putting a user into the local administrators group is a burden (also, startup scripts do not work in many conditions); creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but an "admin user" is then granted admin privilege to all those certain machines.
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| gabriel/tfi
Posts:381
 | | 12/03/2008 7:45 PM |
| Ah ok. You have a 1:1 group-to-machine mapping; that would be really manageable at machine build time (say, a general script that adds the machinename-Admins group to local Administrators, if the group is pre-created in AD).
We do it for servers as well, but I assume it would be overkill for thousands of workstations, no?
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Thursday, December 04, 2008 1:10 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
Close, but we aren't using restricted admin setting in GPO. That would grant everyone access to everyone's machine, defeating the purpose of selected access. We have 1 domain local group per machine in AD, then add this group to the local machine. When we grant user access, we add them to the appropriate domain local group that is on the local machines administrators group. Hope you follow that...
Here is an example, a group named 'ADM-Webserver1' (Domain Local Group) which is part of the local administrators group on WebServer1. When a person needs access to WebServer1, we add them to ADM-WebServer1. This should be easily scriptable.
I'm no super AD guru like Joe or Brian, but what we did achieved our goals.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message -----
From: Gabriele Scolaro <mailto:gabro@gabro.net>
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 03, 2008 6:04 PM
Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Steve, if I understood well, that's what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group.
The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Wednesday, December 03, 2008 11:55 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
I just went through this. I created a powershell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does
A) Creates domain group (i have this done)
B) Adds to the local machines Administrators group (I have this done)
C) Adds the 'domain' user to the domain group so they have access (to-do)
D) Additional scripts to update / remove / replace users in the group. (to-do)
Powershell makes this pretty easy. From your description, you are thinking through your requirements, but there is nothing on the market that does what you want. We chose the 'domain' group added to the local machine because it centralizes administration to a single DC. If you have a separate forest with the user accounts, the 'groups' in the resource domain are 'Domain local' so I could add from our 'user' domain.
Hope that makes sense.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message -----
From: Gabriele Scolaro <mailto:gabro@gabro.net>
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 03, 2008 5:26 PM
Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. You're right, it happens sparingly... but unfortunately it happens, and regional admins are actually doing that manually; what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list...
b. Sob... I see that app does not exist...
c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen, or if it happens the user has to open a ticket, give justifications, and that temp-admin assigned priv is tracked; if the user then makes her/himself privileged forever, then it's the user who is breaking the rules/policies.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Wednesday, December 03, 2008 7:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. I would expect this to be such an infrequent thing that pinging the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DAs, for example. This is way below what most DAs in even medium-sized orgs should be worrying about.
b. Yep, why not... Someone just needs to sit down and write it. Maybe someone will do it for free, but more likely it will require someone believing there is some money to be had. This is a heavy-duty scalable app for anything but a small company.
c. Revoking them but allowing them to have admin sometimes is self-defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, it's not common. But it may happen that the business requires some users to be empowered with Admin privileges :( at any time, so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? :) Of course managing laptops and desktops, because they might be off-line, could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from an "everybody's admin" situation and you start to revoke admin privs from all users ("Hey Joe, I will revoke your privs... BUT I will re-enable you with temp admin privs if you need them!" :)).
Also there are cases where working as a non-admin in Windows XP is problematic (e.g. mobile users when they are out of the company and need to install a printer driver).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 01, 2008 9:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of "we deployed all these and we meant to do it but didn't", then I see that as a one-off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like, say, access to mailboxes, where you can turn the right on and off easily and getting the right doesn't give permission to sidestep the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yes, but...
a) What about users you need "to privilege" after the machine has been built and released to them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say, road warriors that establish a 3rd-party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed.)
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 01, 2008 6:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
If you are putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
Just adding them at build time works too.
Am I missing something in your requirements?
On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
Manually putting a user into the local administrators group is a burden (also, startup scripts do not work in many conditions); creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but an "admin user" is then granted admin privilege to all those certain machines.
Thanks - Gabriele.
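A worked version of the scheme Steve describes above (one ADM-<machine> domain local group per machine, nested in that machine's local Administrators group, with users added to the per-machine group only), plus the global report Gabriele asks for in point b and a drift check for joe's objection in point c, as an added example that is not Steve's script or anything posted to the list. It assumes the ActiveDirectory PowerShell module and the ADSI WinNT provider are available, that $ComputerName is the NetBIOS name, and that $Domain, $GroupOU and the sample account names are placeholders for your environment.

```powershell
# Added example (not Steve Schofield's script): per-machine ADM-<ComputerName>
# domain local groups as described in the thread. $Domain/$GroupOU are placeholders.
Import-Module ActiveDirectory

$Domain  = 'CONTOSO'                                  # NetBIOS domain name (placeholder)
$GroupOU = 'OU=MachineAdminGroups,DC=contoso,DC=com'  # OU holding the ADM-* groups (placeholder)

function Get-MachineAdminGroupName {
    param([Parameter(Mandatory)][string]$ComputerName)
    "ADM-$ComputerName"
}

# Live membership of a machine's local Administrators group via the ADSI WinNT
# provider; returns ADsPaths such as WinNT://CONTOSO/ADM-WebServer1.
function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    $localAdmins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($localAdmins.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
}

# Step A: create the per-machine group. Domain local scope is deliberate: it can
# hold accounts from a trusted account forest, which a global group cannot.
function New-MachineAdminGroup {
    param([Parameter(Mandatory)][string]$ComputerName)
    $name  = Get-MachineAdminGroupName $ComputerName
    $group = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU
    if (-not $group) {
        $group = New-ADGroup -Name $name -SamAccountName $name -Path $GroupOU `
            -GroupScope DomainLocal -GroupCategory Security `
            -Description "Local Administrators on $ComputerName" -PassThru
    }
    $group
}

# Step B: nest the domain group in the machine's local Administrators group.
# Idempotent, so it can be rerun from a build script or a scheduled task.
function Add-DomainGroupToLocalAdmins {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $target = "WinNT://$Domain/$GroupName"
    if ((Get-LocalAdminMembers $ComputerName) -contains $target) { return }
    $localAdmins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $localAdmins.Add("$target,group")
}

# Step C: grant one user admin on exactly one machine. Nothing is added to a
# shared group, which is the problem with the Restricted Groups GPO approach.
function Grant-MachineAdmin {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $group = New-MachineAdminGroup -ComputerName $ComputerName
    Add-DomainGroupToLocalAdmins -ComputerName $ComputerName -GroupName $group.Name
    Add-ADGroupMember -Identity $group -Members $SamAccountName
}

# Step D: revoke. Takes effect at the user's next logon, because the group SID
# is already inside any token issued before the removal.
function Revoke-MachineAdmin {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    Remove-ADGroupMember -Identity (Get-MachineAdminGroupName $ComputerName) `
        -Members $SamAccountName -Confirm:$false
}

# The global view: who is an admin of which machine, read from AD alone, so
# laptops that are currently offline are covered as well.
function Get-MachineAdminReport {
    Get-ADGroup -Filter "Name -like 'ADM-*'" -SearchBase $GroupOU | ForEach-Object {
        $computer = $_.Name -replace '^ADM-', ''
        foreach ($m in Get-ADGroupMember -Identity $_ -Recursive) {
            New-Object PSObject -Property @{ Computer = $computer; Admin = $m.SamAccountName; Type = $m.objectClass }
        }
    }
}

# Drift check: a local admin can add accounts directly to the local group, which
# AD never sees. Return any live member that the convention does not expect.
function Test-LocalAdminDrift {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$Baseline
    )
    if (-not $Baseline) {
        $Baseline = @("WinNT://$ComputerName/Administrator", "WinNT://$Domain/Domain Admins")
    }
    $expected = $Baseline + "WinNT://$Domain/$(Get-MachineAdminGroupName $ComputerName)"
    Get-LocalAdminMembers $ComputerName | Where-Object { $expected -notcontains $_ }
}

# Usage (placeholder names):
# Grant-MachineAdmin -ComputerName 'WebServer1' -SamAccountName 'jbloggs'
# Get-MachineAdminReport | Sort-Object Computer | Format-Table -AutoSize
# Test-LocalAdminDrift -ComputerName 'WebServer1'
```

Running Test-LocalAdminDrift on a schedule is what turns the "user made themselves permanent" case from an assumption into a detectable event; pair it with the report so both the intended and the actual admin sets are visible.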
| | | |
| sbradcpa
Posts:496
 | | 12/03/2008 8:24 PM |
| BeyondTrust | Privilege Manager:
http://www.beyondtrust.com/products/PrivilegeManager.aspx
Would that help in any way?
Gabriele Scolaro wrote:
a. You're right, it happens sparingly... but unfortunately it happens, and regional admins are actually doing that manually; what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list...
b. Sob... I see that app does not exist...
c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen, or if it happens the user has to open a ticket, give justifications, and that temp-admin assigned priv is tracked; if the user then makes her/himself privileged forever, then it's the user who is breaking the rules/policies.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Wednesday, December 03, 2008 7:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. I would expect this to be such an infrequent thing that pinging the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DAs, for example. This is way below what most DAs in even medium-sized orgs should be worrying about.
b. Yep, why not... Someone just needs to sit down and write it. Maybe someone will do it for free, but more likely it will require someone believing there is some money to be had. This is a heavy-duty scalable app for anything but a small company.
c. Revoking them but allowing them to have admin sometimes is self-defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
----------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, it's not common. But it may happen that the business requires some users to be empowered with Admin privileges :( at any time, so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? :) Of course managing laptops and desktops, because they might be off-line, could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from an "everybody's admin" situation and you start to revoke admin privs from all users ("Hey Joe, I will revoke your privs... BUT I will re-enable you with temp admin privs if you need them!" :)).
Also there are cases where working as a non-admin in Windows XP is problematic (e.g. mobile users when they are out of the company and need to install a printer driver).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 01, 2008 9:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of "we deployed all these and we meant to do it but didn't", then I see that as a one-off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like, say, access to mailboxes, where you can turn the right on and off easily and getting the right doesn't give permission to sidestep the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
----------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yes, but...
a) What about users you need "to privilege" after the machine has been built and released to them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say, road warriors that establish a 3rd-party VPN connection after they logged onto their systems with cached credentials?
This sounds challenging indeed…).<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Thanks – Gabriele.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0cm 0cm 0cm 4pt;"> <div> <div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0cm 0cm;"> <p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US"> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a class="moz-txt-link-freetext" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>joe
<b>Sent:</b> lunedì 1 dicembre 2008 18.17
<b>To:</b> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a>
<b>Subject:</b> RE: [ActiveDir] How to manage users into machine local admins group.<o:p></o:p></span></p> </div> </div> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.</span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <div> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;"> joe</span><o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">--</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">O'Reilly Active Directory Third Edition - <a moz-do-not-send="true" href="http://www.joeware.net/win/ad3e.htm" title="blocked::http://www.joeware.net/win/ad3e.htm">http://www.joeware.net/win/ad3e.htm</a> </span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> <div class="MsoNormal" style="text-align: center;" align="center"><span lang="EN-US"> <hr align="center" size="2" width="100%"></span></div> <p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US"> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a class="moz-txt-link-freetext" 
href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>Al Mulnick
<b>Sent:</b> Monday, December 01, 2008 11:42 AM
<b>To:</b> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a>
<b>Subject:</b> Re: [ActiveDir] How to manage users into machine local admins group.</span><span lang="EN-US"><o:p></o:p></span></p> <div> <p class="MsoNormal">If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines. <o:p></o:p></p> </div> <div> <p class="MsoNormal">If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal. <o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <div> <p class="MsoNormal">Just adding them at build time works too. <o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <div> <p class="MsoNormal">Am I missing something in your requirements? <o:p></o:p></p> </div> <div> <p class="MsoNormal">
<o:p></o:p></p> </div> <div> <p class="MsoNormal">On Mon, Dec 1, 2008 at 11:31 AM, <<a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'gabro'+'@'+'gabro'+'.net')">gabro@gabro.net</a>> wrote:<o:p></o:p></p> <p class="MsoNormal">I think it's a long debated story, but what's the best
practice/approach/tool to empower certain users (such as swdevs) to be
admins of their own machines?
Manually putting a user into the local administrators group is a burden
(also startup scripts does not work in many conditions), also creating
an AD security group that is member of local Administrators group of
certain computers and add users to that AD group is manageable but an
"admin user" is granted admin privilege to all those certain machines.
Thanks - Gabriele.
List info : <a moz-do-not-send="true" href="http://www.activedir.org/List.aspx" target="_blank">http://www.activedir.org/List.aspx</a>
List FAQ : <a moz-do-not-send="true" href="http://www.activedir.org/ListFAQ.aspx" target="_blank">http://www.activedir.org/ListFAQ.aspx</a>
List archive: <a moz-do-not-send="true" href="http://www.activedir.org/ma/default.aspx" target="_blank">http://www.activedir.org/ma/default.aspx</a><o:p></o:p></p> </div> <p class="MsoNormal"><o:p> </o:p></p> </div> </div> </div> </div> </blockquote> </body> </html> List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| gabriel/tfi
Posts:381
 | | 12/03/2008 9:05 PM |
| It's a GPO extension that sounds really nice!
Have you ever personally used it?
Thanks Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA Sent: Thursday, 4 December 2008 02:21 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
BeyondTrust | Privilege Manager: http://www.beyondtrust.com/products/PrivilegeManager.aspx
Would that help in any way?
Gabriele Scolaro wrote:
You're right, it sparingly happens... but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list.
Sob... I see that app does not exist.
Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked; if then the user makes her/himself privileged for ever then it's the user who is breaking the rules/policies.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Wednesday, 3 December 2008 07:20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. I would expect this to be such an infrequent thing that pinging the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DAs for example. This is way below what most DAs in even medium sized orgs should be worrying about.
b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scalable app for anything but a small company.
c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges :( at any time, so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? :) Of course managing laptops and desktops because they might be off-line could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a compromise with the user community when you come from an everybody's-admin situation and you start to revoke admin privs to all users (Hey Joe, I will revoke your privs... BUT I will re-enable you with temp admin privs if you need them! :)).
Also there are cases that working as a non-admin in Windows XP is problematic (e.g. mobile users when they are out of the company and need to install a printer driver).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, 1 December 2008 21:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yes, but...
a) What about users you need to privilege after the machine has been built and released to them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish a 3rd party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed...).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, 1 December 2008 18:17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
Just adding them at build time works too.
Am I missing something in your requirements?
On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
Manually putting a user into the local administrators group is a burden (also startup scripts does not work in many conditions), also creating an AD security group that is member of local Administrators group of certain computers and add users to that AD group is manageable but an "admin user" is granted admin privilege to all those certain machines.
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
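Point (b) in the exchange above, a global view of who is an administrator of what machine, is the part of the thread that is most easily scripted. The following PowerShell is an added example, not code from the list thread or from any of the posters: it reads each computer's local Administrators group through the ADSI WinNT provider (the same data the lg tool shows), writes a full inventory, and reports members outside an expected list. It assumes the caller can read the remote group (RPC/SMB reachable, administrative rights) and that per-machine admin groups follow an ADM-<computername> naming pattern, which is an assumption chosen to match the per-machine domain local group convention discussed later in the thread; adjust $expected to your own.

```powershell
# Added example (not from the thread): inventory the local Administrators group
# of each computer and flag members outside an expected list.
# Assumptions (mine): the caller has rights to read the remote group over RPC/SMB,
# and per-machine admin groups are named ADM-<computername>; edit $expected to taste.

function Get-LocalAdminMembers {
    param([Parameter(Mandatory = $true)][string[]] $ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.psbase.Invoke('Members'))
        } catch {
            # Keep unreachable hosts in the report instead of dropping them silently
            New-Object PSObject -Property @{
                Computer = $computer; Member = $null; Class = 'ERROR'; Path = $_.Exception.Message
            }
            continue
        }
        foreach ($m in $members) {
            # Each member is a COM object; read Name/Class/ADsPath via reflection
            New-Object PSObject -Property @{
                Computer = $computer
                Member   = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
                Class    = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)  # User or Group
                Path     = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)  # WinNT://DOMAIN/x vs WinNT://HOST/x
            }
        }
    }
}

function Find-UnexpectedLocalAdmins {
    param([Parameter(Mandatory = $true)][string[]] $ComputerName)

    foreach ($row in Get-LocalAdminMembers -ComputerName $ComputerName) {
        # Built-in Administrator, Domain Admins and the per-machine ADM-<host> group are expected;
        # anything else (a user added directly, a stale group, an unreachable host) is reported.
        $expected = @('Administrator', 'Domain Admins', "ADM-$($row.Computer)")
        if ($row.Class -eq 'ERROR' -or $expected -notcontains $row.Member) { $row }
    }
}

# Usage: take the computer list from AD, keep the full inventory as CSV and print the exceptions
$searcher  = New-Object System.DirectoryServices.DirectorySearcher '(objectCategory=computer)'
$searcher.PageSize = 1000
$computers = $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }
Get-LocalAdminMembers      -ComputerName $computers | Export-Csv -NoTypeInformation -Path localadmins.csv
Find-UnexpectedLocalAdmins -ComputerName $computers | Format-Table Computer, Member, Class, Path -AutoSize
```

The Path column is what makes the report useful against joe's point C: a member whose ADsPath is WinNT://<hostname>/... is a local account or group, so a domain user who has quietly added a local account to Administrators shows up as an exception even though the domain group membership still looks correct. Running the inventory on a schedule and diffing the CSV against the previous run turns the one-off check into detection of drift.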
| | | |
| darren
Posts:329
 | | 12/03/2008 9:42 PM |
| It doesnt directly address your issue but it does solve certain classes of problems. If your goal is to get to Least Privilege Use on your desktops, then you know that its extremely hard to do that if you have any decent size number of apps and different types of users. What Privilege Manager does is essentially let you elevate applications and processes on a per-app/process basis. So you run your users as normal user and then you deploy rules as to which apps get elevated, using Group Policy. The Privilege Manager client essentially reads those rules, and when a user runs an elevated app, the token that that app runs in gets an administrative token added to it, just as if it were being run by an administrator, but instead only that app runs as admin.
I think its an excellent product and solves some key problems, but Im not sure that is exactly what you were trying to solve here?
Darren
****
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
"The Group Policy Experts"
www.sdmsoftware.com
Spot and report on GPO inconsistencies quickly with GPO Compare http://www.sdmsoftware.com/group_policy_compare
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Wednesday, December 03, 2008 6:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
It's a GPO extension that sounds really nice!
Have you ever personally used it?
Thanks - Gabriele.
| | | |
| sslists
Posts:44
 | | 12/03/2008 9:46 PM |
| All depends on the process which manages it. If it's at that scale, totally automate it and integrate it into the process; it would be possible. But remote machines, I imagine, would be tricky. I would just make them a local admin and have a policy in place: you mess up your box, it gets paved and reloaded to corporate standard. Technology can't save everything, especially from 'end-users'. If they are 'end-users', they probably don't need local admin.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message ----- From: Gabriele Scolaro To: ActiveDir@mail.activedir.org Sent: Wednesday, December 03, 2008 7:40 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Ah ok. You have a 1:1 group - machine mapping, that would be really manageable at machine build time (say a general script that adds machinename-Admins group to local Administrators, if the group is pre-created in AD).
We do it for servers as well, but I assume it would be overkill for thousands of workstations... no?
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Thursday, 4 December 2008 01:10 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
Close, but we aren't using restricted admin setting in GPO. That would grant everyone access to everyone's machine, defeating the purpose of selected access. We have 1 domain local group per machine in AD, then add this group to the local machine. When we grant user access, we add them to the appropriate domain local group that is on the local machines administrators group. Hope you follow that...
Here is an example, a group named 'ADM-Webserver1' (Domain Local Group) which is part of the local administrators group on WebServer1. When a person needs access to WebServer1, we add them to ADM-WebServer1. This should be easily scriptable.
I'm no super AD guru like Joe or Brian, but what we did achieved our goals.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message -----
From: Gabriele Scolaro
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 03, 2008 6:04 PM
Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Steve, if I understood well, that's what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group.
The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Wednesday, 3 December 2008 23:55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
I just went through this. I created a powershell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does
A) Creates domain group (I have this done)
B) Adds to the local machines Administrators group (I have this done)
C) Adds the 'domain' user to the domain group so they have access (to-do)
D) Additional scripts to update / remove / replace users in the group. (to-do)
Powershell makes this pretty easy. From your description, you are thinking through your requirements, but there is nothing on the market that does what you want. We chose the 'domain' group added to the local machine; it centralizes administration to a single DC. If you have a separate forest which holds the user accounts, the 'groups' in the resource domain are 'Domain local' so I could add from our 'user' domain.
Hope that makes sense.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message -----
From: Gabriele Scolaro
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 03, 2008 5:26 PM
Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. You're right, it sparingly happens... but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list...
b. Sob.. I see that app does not exist.
c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then it's the user who is breaking the rules/policies
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Wednesday, December 3, 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. I would expect this to be such an infrequent thing that pinging the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about.
b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scalable app for anything but a small company.
c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
--------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges :-( at any time so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? :-) Of course managing laptop and desktop because they might be off-line could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from "everybody's admin" situation and you start to revoke admin privs to all users ("Hey Joe, I will revoke your privs... BUT I will re-enable you with temp admin privs if you need them!" :-).
Also there are cases that working as a non-admin in Windows XP is problematic (e.g. mobile users when they are out of the company and need to install a printer driver).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 1, 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
--------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yes, but...
a) What about users you need "to privilege" after the machine has been built and released to the them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish a 3rd party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed.).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 1, 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
--------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
Just adding them at build time works too.
Am I missing something in your requirements?
On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
Manually putting a user into the local administrators group is a burden (also startup scripts do not work in many conditions); creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but an "admin user" is then granted admin privilege on all those certain machines.
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
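Steve's design above (one domain local group per machine, nested into that machine's local Administrators group), as an added PowerShell example that is not Steve's script. It assumes the RSAT ActiveDirectory module and the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later) with WinRM reachable on the targets; the OU path and domain name are placeholders. The last function goes beyond the thread's own steps: it compares a machine's real Administrators membership with the expected set, which is how you catch the direct local additions joe warns about.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Steve's script. One domain local group per machine, named
# ADM-<ComputerName>, nested into that machine's local Administrators group.
# Assumes the RSAT ActiveDirectory module on the admin host and the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later)
# plus WinRM on the targets. OU path and domain name below are placeholders.
$GroupOU    = 'OU=MachineAdminGroups,DC=example,DC=com'   # placeholder OU
$NetBiosDom = 'EXAMPLE'                                   # placeholder domain

function New-MachineAdminGroup {
    # Steps A and B of Steve's list: create the per-machine group and nest it.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $name = "ADM-$ComputerName"
    $grp  = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU
    if (-not $grp) {
        # Domain local scope: members may come from a trusted user forest,
        # and the group is only ever used on this one resource (the machine).
        $grp = New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                           -Path $GroupOU -Description "Local Administrators on $ComputerName" -PassThru
    }
    # Nest the group into the local Administrators group over WinRM (idempotent).
    Invoke-Command -ComputerName $ComputerName -ArgumentList "$NetBiosDom\$name" -ScriptBlock {
        param($member)
        $current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        if ($current -notcontains $member) {
            Add-LocalGroupMember -Group 'Administrators' -Member $member
        }
    }
    $grp
}

function Grant-MachineAdmin {
    # Step C: a directory write only, so it works while the laptop is offline;
    # the user picks up the new group SID in their token at the next logon.
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$SamAccountName)
    Add-ADGroupMember -Identity "ADM-$ComputerName" -Members $SamAccountName
}

function Revoke-MachineAdmin {
    # Step D (remove). joe's caveat applies: revoking membership does not undo anything
    # the user did while admin; treat the machine as untrusted until audited or rebuilt.
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$SamAccountName)
    Remove-ADGroupMember -Identity "ADM-$ComputerName" -Members $SamAccountName -Confirm:$false
}

function Get-MachineAdminReport {
    # Gabriele's question (b): the global view of who is admin where, read from AD
    # alone by walking every ADM-* group. Members from another forest appear as
    # foreign security principals, which -Recursive cannot expand.
    Get-ADGroup -Filter "Name -like 'ADM-*'" -SearchBase $GroupOU | ForEach-Object {
        $computer = $_.Name.Substring(4)
        foreach ($m in (Get-ADGroupMember -Identity $_ -Recursive)) {
            [pscustomobject]@{ Computer = $computer; Member = $m.SamAccountName; Class = $m.objectClass }
        }
    }
}

function Get-LocalAdminDrift {
    # Detection side: the AD report only covers what went through the group. An account
    # added directly to the local group (joe's "I will have it forever") is invisible to
    # it, so compare the machine's real membership with the expected set.
    param([Parameter(Mandatory)][string]$ComputerName,
          [string[]]$Baseline = @("$NetBiosDom\Domain Admins"))
    $expected = @("$NetBiosDom\ADM-$ComputerName") + $Baseline
    $actual = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    # The built-in local Administrator account is expected; anything else not listed is drift.
    $actual | Where-Object { $_ -notin $expected -and $_ -notlike '*\Administrator' }
}
```

Running `Get-LocalAdminDrift` on a schedule and alerting on any output turns the per-machine group from a provisioning convenience into a detective control.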
| | | |
| MThommes
Posts:106
 | | 12/03/2008 9:56 PM |
| We're starting to roll out Privilege Manager. I wish they would license the product in a different manner. From what I understand, all computers that are using Privilege Manager must be in the same OU. Unfortunately, our workstations' AD locations are dispersed based on an organizational structure.
Mike Thommes
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Wednesday, December 03, 2008 8:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
It doesn't directly address your issue but it does solve certain classes of problems. If your goal is to get to Least Privilege Use on your desktops, then you know that it's extremely hard to do that if you have any decent size number of apps and different types of users. What Privilege Manager does is essentially let you elevate applications and processes on a per-app/process basis. So you run your users as normal users and then you deploy rules as to which apps get elevated, using Group Policy. The Privilege Manager client essentially reads those rules, and when a user runs an "elevated" app, the token that that app runs in gets an administrative token added to it, just as if it were being run by an administrator, but instead only that app runs as admin.
I think it's an excellent product and solves some key problems, but I'm not sure that is exactly what you were trying to solve here?
Darren
****
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
"The Group Policy Experts"
www.sdmsoftware.com <http://www.sdmsoftware.com/>
Spot and report on GPO inconsistencies quickly with GPO Compare http://www.sdmsoftware.com/group_policy_compare
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Wednesday, December 03, 2008 6:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
It's a GPO extension that sounds really nice!
Have you ever personally used it?
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA Sent: Thursday, December 4, 2008 2.21 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
BeyondTrust | Privilege Manager: http://www.beyondtrust.com/products/PrivilegeManager.aspx
Would that help in any way?
Gabriele Scolaro wrote:
You're right, it sparingly happens... but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list....
Sob.. I see that app does not exist...
Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then it's the user who is breaking the rules/policies
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Wednesday, December 3, 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. I would expect this to be such an infrequent thing that pinging the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about.
b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scalable app for anything but a small company.
c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges :-( at any time so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? :-) Of course managing laptop and desktop because they might be off-line could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from "everybody's admin" situation and you start to revoke admin privs to all users ("Hey Joe, I will revoke your privs... BUT I will re-enable you with temp admin privs if you need them!" :-).
Also there are cases that working as a non-admin in Windows XP is problematic (e.g. mobile users when they are out of the company and need to install a printer driver).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 1, 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yes, but...
a) What about users you need "to privilege" after the machine has been built and released to the them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish a 3rd party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed...).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 1, 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
Just adding them at build time works too.
Am I missing something in your requirements?
On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
Manually putting a user into the local administrators group is a burden (also startup scripts do not work in many conditions); creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but an "admin user" is then granted admin privilege on all those certain machines.
Thanks - Gabriele.
| | | |
| listmail
Posts:763
 | | 12/04/2008 3:16 AM |
| Yeah, that makes me ask again, how many machines in your forest are you managing this way?
If more than a few hundred I think I would recommend spinning up ADAM, keeping the groups in ADAM and then having a script service or scheduled task that runs on the workstations and adds the membership via what it sees in ADAM. I wouldn't likely want to create all those security groups in AD but I would have to think about it. I just visualize replicating a couple hundred thousand groups to my South American WAN sites that are applicable to just a single machine each...
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Wednesday, December 03, 2008 7:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
Close, but we aren't using restricted admin setting in GPO. That would grant everyone access to everyone's machine, defeating the purpose of selected access. We have 1 domain local group per machine in AD, then add this group to the local machine. When we grant user access, we add them to the appropriate domain local group that is on the local machines administrators group. Hope you follow that...
Here is an example, a group named 'ADM-Webserver1' (Domain Local Group) which is part of the local administrators group on WebServer1. When a person needs access to WebServer1, we add them to ADM-WebServer1. This should be easily scriptable.
I'm no super AD guru like Joe or Brian, but what we did achieved our goals.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message ----- From: Gabriele Scolaro To: ActiveDir@mail.activedir.org Sent: Wednesday, December 03, 2008 6:04 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Steve, if I understood well, that's what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group.
The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Wednesday, December 3, 2008 23.55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
I just went through this. I created a powershell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does
A) Creates domain group (I have this done)
B) Adds to the local machines Administrators group (I have this done)
C) Adds the 'domain' user to the domain group so they have access (to-do)
D) Additional scripts to update / remove / replace users in the group. (to-do)
Powershell makes this pretty easy. From your description, you are thinking through your requirements, but there is nothing on the market that does what you want. We chose the 'domain' group added to the local machine; it centralizes administration to a single DC. If you have a separate forest which holds the user accounts, the 'groups' in the resource domain are 'Domain local' so I could add from our 'user' domain.
Hope that makes sense.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
----- Original Message -----
From: Gabriele Scolaro
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 03, 2008 5:26 PM
Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. You're right, it sparingly happens... but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list...
b. Sob.. I see that app does not exist...
c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then it's the user who is breaking the rules/policies
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Wednesday, December 3, 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
a. I would expect this to be such an infrequent thing that pinging the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about.
b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scalable app for anything but a small company.
c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges :-( at any time so after a machine has been built and assigned to the user.
B. Read other email. If there are tools for resource permission central management, why not Local Admins? :-) Of course managing laptop and desktop because they might be off-line could be something challenging (that's why a GPO would be great!)
C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from "everybody's admin" situation and you start to revoke admin privs to all users ("Hey Joe, I will revoke your privs... BUT I will re-enable you with temp admin privs if you need them!" :-).
Also there are cases that working as a non-admin in Windows XP is problematic (e.g. mobile users when they are out of the company and need to install a printer driver).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 1, 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not.
B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.
C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
Yes, but...
a) What about users you need "to privilege" after the machine has been built and released to the them?
b) How to have a global view of who is an administrator of what machine?
c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish a 3rd party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed...).
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Monday, December 1, 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group.
I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group.
If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
Just adding them at build time works too.
Am I missing something in your requirements?
On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
Manually putting a user into the local administrators group is a burden (also startup scripts do not work in many conditions); creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but an "admin user" is then granted admin privilege on all those certain machines.
Thanks - Gabriele.
| | | |
| kamleshap
Posts:51
 | | 12/04/2008 7:38 AM |
| Well I had created very basic tool like that using vbscript, lg.exe and group policies.
The system took care of adding and removing user from admin group automatically remotely.
Once a request comes in you add computername, username, startdate, enddate into a simple flat file shared on the network. There is a scheduled task, which wakes up every 5 min and checks if there is any work for it like adding or removing a user. If there is, it would put that in the queue for another process to act on it. This worker process (involving lg.exe) would connect and add/remove the user account on the remote machine and send a popup to the user to log off and log in to make it effective.
Thirdly we had a vbscript scheduled at user logoff and computer startup in GPO, which would refer to this flat file and act on it.
This way what was defined in the flat file becomes the official list of admins on any workstation.
Of course we had planned for exceptions and adding a group or user into multiple or all computers by specifying * for computername or specifying partialname* for computername. We also had good reporting done on it.
It was not foolproof but then it made the security guys happy and took care of a lot of overhead for admins.
Sadly, I am not sure if I can share those scripts, but you get the idea. If the OP plans to do something like that and needs any help here and there let me know.
~Kamlesh ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Argue for your limitations, and sure enough, they're yours. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Wed, Dec 3, 2008 at 1:12 AM, joe <listmail@joeware.net> wrote:
> Yeah a similar tool could be built for managing the admins group. I am unsure if I would use the same app for both. Would have to think through it.
>
> --
> O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
>
> ------------------------------
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Tuesday, December 02, 2008 8:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] How to manage users into machine local admins group.
>
> Option 3 would be great! :)
>
> Anyway I recall recently there was a discussion on this list about how to manage AD groups to grant access to resources and someone stated (don't recall if it was you) that the best approach - also to avoid the SID bloat - was to use machine local security groups for resource permission and that "distributed" configuration was centrally done with a database-driven management application which had full privileges on any server.
>
> Well, it would be great to have a similar application to 1:1 manage and control localadmins and the workstations they are admins over; "Administrators" is just a machine local security group like those someone suggested to be used for ACLing resource objects, no??
>
> Thanks – Gabriele.
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> Sent: Monday, 1 December 2008 21.29
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] How to manage users into machine local admins group.
>
> I think Al is describing a "checkout admin" system. It is implemented in various ways in different companies. I have seen it for DA/EA privs, I have seen it for local admin privs, I have seen it for Exchange mailbox access (actually only saw that once because I wrote it).
>
> So this checkout system could be...
>
> 1. A password motel where you have a fixed ID with a locked up password and if someone wants access, they contact the holder of the keys and he/she gives out the info and then changes the password and locks that up when they are done. This is an ok system but doesn't scale.
>
> 2. Similar to 1 but automated through a web site.
>
> 3. A website you go to that has perms everywhere and then adds your specific ID to the groups or ACLs as necessary.
>
> Of course someone could build a whole agent/console configuration to do this but I am not sure the need is all that great. Does the list think otherwise? If so, what would someone pay to have this functionality? You install an agent on any machines you want managed (regardless of domain/forest/whatever) and then you can manage the admin rights on the box from a central console. Knowing full well that if the console machine were compromised, all machines managed by it could also be compromised.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> ------------------------------
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Monday, December 01, 2008 3:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] How to manage users into machine local admins group.
>
> So you mean the helpdesk personnel "manually" add the user account to the local Administrators group (snap-in or script) and then "manually" remove the user?
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> Sent: Monday, 1 December 2008 21.00
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] How to manage users into machine local admins group.
>
> Another situation that might warrant this is giving admin access to helpdesk personnel for a temporary time. Let them elevate their privs.
>
> Al
>
> On Mon, Dec 1, 2008 at 2:53 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
>
> Yes, but...
>
> a) What about users you need "to privilege" after the machine has been built and released to them?
>
> b) How to have a global view of who is an administrator of what machine?
>
> c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish a 3rd party VPN connection after they logged onto their systems with cached credentials? This sounds challenging indeed…).
>
> Thanks – Gabriele.
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
> Sent: Monday, 1 December 2008 18.17
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] How to manage users into machine local admins group.
>
> I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> ------------------------------
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
> Sent: Monday, December 01, 2008 11:42 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] How to manage users into machine local admins group.
>
> If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines.
>
> If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal.
>
> Just adding them at build time works too.
>
> Am I missing something in your requirements?
>
> On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote:
>
> I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines?
>
> Manually putting a user into the local administrators group is a burden (also, startup scripts do not work in many conditions); also, creating an AD security group that is a member of the local Administrators group of certain computers and adding users to that AD group is manageable, but an "admin user" is granted admin privilege to all those certain machines.
>
> Thanks - Gabriele.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
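The flat-file reconciler Kamlesh describes, as an added example in Python (not Kamlesh's VBScript tool): it parses the computername,username,startdate,enddate file, honours the * and partialname* wildcards, and for one machine returns the add/remove actions the worker process would hand to lg.exe. The file contents, the CORP names and the PROTECTED baseline are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase

# Constructed sample of the shared flat file (not real data); computername may be * or prefix*.
REQUEST_FILE = """\
WS-DEV01,CORP\\alice,2008-12-01,2008-12-10
WS-DEV*,CORP\\SWDevLeads,2008-11-01,2009-01-31
*,CORP\\HelpdeskTemp,2008-12-03,2008-12-04
WS-FIN02,CORP\\bob,2008-12-01,2008-12-02
"""
# Assumed baseline members the reconciler must never remove.
PROTECTED = {"Administrator", "CORP\\Domain Admins"}

@dataclass(frozen=True)
class Request:
    computer: str  # exact name, "*" or "prefix*"
    user: str
    start: date
    end: date

def parse_requests(text):
    """Parse computername,username,startdate,enddate lines; reject malformed ones."""
    reqs = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(parts)}")
        start, end = date.fromisoformat(parts[2]), date.fromisoformat(parts[3])
        if end < start:
            raise ValueError(f"line {n}: enddate is before startdate")
        reqs.append(Request(parts[0], parts[1], start, end))
    return reqs

def desired_admins(reqs, computer, today):
    """Users whose request matches this computer and is active on `today` (YYYY-MM-DD)."""
    today = date.fromisoformat(today)
    return {r.user for r in reqs
            if fnmatchcase(computer.upper(), r.computer.upper())
            and r.start <= today <= r.end}

def plan(reqs, computer, current_members, today):
    """Adds/removes the worker would hand to lg.exe so membership matches the file."""
    want = desired_admins(reqs, computer, today)
    have = set(current_members) - PROTECTED
    return {"add": sorted(want - have), "remove": sorted(have - want)}
```

Run against each machine's current membership from the 5-minute task, this makes the file the authoritative admin list, while the PROTECTED set keeps the built-in accounts out of the remove list.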