List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read only therefore to contribute you will need to join our list community. See more info about this here.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

List Archives

Unanswered Active Topics

Forums Search

Forums >ActiveDir Mail List Archive >List Archives

Subject: [ActiveDir] How to manage users into machine local admins group.

Prev Next

You are not authorized to post a reply.

Page 3 of 3

Author

Messages

bdesmond

Posts:843

12/04/2008 11:58 AM
Why not? Groups are more or less free. Thanks, Brian Desmond brian@briandesmond.com c - 312.731.3132 From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Thursday, December 04, 2008 2:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yeah, that makes me ask again, how many machines in your forest are you managing this way? If more than a few hundred I think I would recommend spinning up ADAM, keeping the groups in ADAM and then having a script service or scheduled task that runs on the workstations and adds the membership via what it sees in ADAM. I wouldn't likely want to create all those security groups in AD but I would have to think about it. I just visualize replicating a couple hundred thousand groups to my South American WAN sites that are applicable to just a single machine each... joe -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Wednesday, December 03, 2008 7:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. Close, but we aren't using restricted admin setting in GPO. That would grant everyone access to everyone's machine, defeating the purpose of selected access. We have 1 domain local group per machine in AD, then add this group to the local machine. When we grant user access, we add them to the appropriate domain local group that is on the local machines administrators group. Hope you follow that... Here is an example, a group named 'ADM-Webserver1' (Domain Local Group) which is part of the local administrators group on WebServer1. When a person needs access to WebServer1, we add them to ADM-WebServer1. This should be easily scriptable. I'm no super AD guru like Joe or Brian, but what we did achieved our goals. Thank you, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget ----- Original Message ----- From: Gabriele Scolaro<mailto:gabro@gabro.net> To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org> Sent: Wednesday, December 03, 2008 6:04 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. Steve, if I understood well, that's what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group. The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only. Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: mercoledì 3 dicembre 2008 23.55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. I just went through this. I created a powershell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does A) Creates domain group (i have this done) B) Adds to the local machines Administrators group (I have this done) C) Adds the 'domain' user to the domain group so they have access (to-do) D) Additional scripts to update / remove / replace users in the group. (to-do) Powershell makes this pretty easy. From your description, you are thinking through your requirementrs, but nothing on the market that does what you want. We chose the 'domain' group added to the local machine centralizes administration to a single DC. If you have a separate forest which the user accounts, the 'groups' in the resource domain 'Domain local' so I could add from our 'user' domain. Hope that makes sense. Thank you, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget ----- Original Message ----- From: Gabriele Scolaro<mailto:gabro@gabro.net> To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org> Sent: Wednesday, December 03, 2008 5:26 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. You're right, it sparingly happens... but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list.... b. Sob.. I see that app does not exist... c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then it's the user who is breaking the rules/policies Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: mercoledì 3 dicembre 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. I would expect this to be such a infrequent thing that pingng the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about. b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scaleable app for anything but a small company. c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because... -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges at any time so after a machine has been built and assigned to the user. B. Read other email. If there are tools for resource permission central management, why not Local Admins? Of course managing laptop and desktop because they might be off-line could be something challenging (that's why a GPO would be great!) C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from "everybody's admin" situation and you start to revoke admin privs to all users ("Hey Joe, I will revoke your privs... BUT I will re-enable you with temp admin privs if you need them!" . Also there are cases that working as a non-admin in Windows XP is problematic (es: mobile users when they are out of the company and need to install a printer driver). Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not. B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here. C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yes, but... a) What about users you need "to privilege" after the machine has been built and released to the them? b) How to have a global view of who is an administrator of what machine? c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish 3rd party VPN connection after they loggend onto their systems with cached credentials? This sounds challenging indeed...). Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines. If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal. Just adding them at build time works too. Am I missing something in your requirements? On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net<mailto:gabro@gabro.net>> wrote: I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines? Manually putting a user into the local administrators group is a burden (also startup scripts does not work in many conditions), also creating an AD security group that is member of local Administrators group of certain computers and add users to that AD group is manageable but an "admin user" is granted admin privilege to all those certain machines. Thanks - Gabriele. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

listmail

Posts:763

12/04/2008 12:18 PM
Nothing is free. Besides what I already mentioned any queries for groups that aren't properly scoped in would likely have to fish through all of those groups as well on any objectcategory=group query. Likely most if not all group queries then since most people throw generic queries with whole domain or forest scope and see what sticks... And it is personal opinion, just not sure if that is the right store for that info. I could also visualize someone nesting SuperAdmin group into all of these local machine groups and then placing the global helpdesk admins into that group and then wondering why those people are blowing up when trying to access anything. -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm _____ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Thursday, December 04, 2008 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Why not? Groups are more or less free. Thanks, Brian Desmond brian@briandesmond.com c - 312.731.3132 From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Thursday, December 04, 2008 2:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yeah, that makes me ask again, how many machines in your forest are you managing this way? If more than a few hundred I think I would recommend spinning up ADAM, keeping the groups in ADAM and then having a script service or scheduled task that runs on the workstations and adds the membership via what it sees in ADAM. I wouldn't likely want to create all those security groups in AD but I would have to think about it. I just visualize replicating a couple hundred thousand groups to my South American WAN sites that are applicable to just a single machine each... joe -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm _____ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Wednesday, December 03, 2008 7:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. Close, but we aren't using restricted admin setting in GPO. That would grant everyone access to everyone's machine, defeating the purpose of selected access. We have 1 domain local group per machine in AD, then add this group to the local machine. When we grant user access, we add them to the appropriate domain local group that is on the local machines administrators group. Hope you follow that... Here is an example, a group named 'ADM-Webserver1' (Domain Local Group) which is part of the local administrators group on WebServer1. When a person needs access to WebServer1, we add them to ADM-WebServer1. This should be easily scriptable. I'm no super AD guru like Joe or Brian, but what we did achieved our goals. Thank you, Steve Schofield Windows Server MVP - IIS <http://weblogs.asp.net/steveschofield> http://weblogs.asp.net/steveschofield <http://www.IISLogs.com> http://www.IISLogs.com Log archival solution Install, Configure, Forget ----- Original Message ----- From: Gabriele Scolaro <mailto:gabro@gabro.net> To: ActiveDir@mail.activedir.org Sent: Wednesday, December 03, 2008 6:04 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. Steve, if I understood well, thats what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group. The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only. Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: mercoledì 3 dicembre 2008 23.55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. I just went through this. I created a powershell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does A) Creates domain group (i have this done) B) Adds to the local machines Administrators group (I have this done) C) Adds the 'domain' user to the domain group so they have access (to-do) D) Additional scripts to update / remove / replace users in the group. (to-do) Powershell makes this pretty easy. From your description, you are thinking through your requirementrs, but nothing on the market that does what you want. We chose the 'domain' group added to the local machine centralizes administration to a single DC. If you have a separate forest which the user accounts, the 'groups' in the resource domain 'Domain local' so I could add from our 'user' domain. Hope that makes sense. Thank you, Steve Schofield Windows Server MVP - IIS <http://weblogs.asp.net/steveschofield> http://weblogs.asp.net/steveschofield <http://www.IISLogs.com> http://www.IISLogs.com Log archival solution Install, Configure, Forget ----- Original Message ----- From: Gabriele Scolaro <mailto:gabro@gabro.net> To: ActiveDir@mail.activedir.org Sent: Wednesday, December 03, 2008 5:26 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. Youre right, it sparingly happens but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I cant rely on a manually handled list. b. Sob.. I see that app does not exist c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then its the user who is breaking the rules/policies Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: mercoledì 3 dicembre 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. I would expect this to be such a infrequent thing that pingng the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about. b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scaleable app for anything but a small company. c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because... -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm _____ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. No, its not common. But it may happen the business requires some users to be empowered with Admin privileges L at any time so after a machine has been built and assigned to the user. B. Read other email. If there are tools for resource permission central management, why not Local Admins? J Of course managing laptop and desktop because they might be off-line could be something challenging (thats why a GPO would be great!) C. Temp Admin is stupid, period. But its a compromise with the user community when you come from everybodys admin situation and you start to revoke admin privs to all users (Hey Joe, I will revoke your privs BUT I will re-enable you with temp admin privs if you need them! J. Also there are cases that working as a non-admin in Windows XP is problematic (es: mobile users when they are out of the company and need to install a printer driver). Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not. B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here. C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _____ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yes, but... a) What about users you need to privilege after the machine has been built and released to the them? b) How to have a global view of who is an administrator of what machine? c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish 3rd party VPN connection after they loggend onto their systems with cached credentials? This sounds challenging indeed). Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _____ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines. If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal. Just adding them at build time works too. Am I missing something in your requirements? On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote: I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines? Manually putting a user into the local administrators group is a burden (also startup scripts does not work in many conditions), also creating an AD security group that is member of local Administrators group of certain computers and add users to that AD group is manageable but an "admin user" is granted admin privilege to all those certain machines. Thanks - Gabriele. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

sslists

Posts:44

12/04/2008 6:00 PM
It's a single forest with about 100 - 200 boxes. It's a dev environment. No multiple site, hardly any user accounts, mostly admin types. The users live in another domain and are part of the domain local group in the forest which has the boxes. It keeps user admin to a single point. Sorry for the scare. Steve ----- Original Message ----- From: joe To: ActiveDir@mail.activedir.org Sent: Thursday, December 04, 2008 12:13 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. Nothing is free. Besides what I already mentioned any queries for groups that aren't properly scoped in would likely have to fish through all of those groups as well on any objectcategory=group query. Likely most if not all group queries then since most people throw generic queries with whole domain or forest scope and see what sticks... And it is personal opinion, just not sure if that is the right store for that info. I could also visualize someone nesting SuperAdmin group into all of these local machine groups and then placing the global helpdesk admins into that group and then wondering why those people are blowing up when trying to access anything. -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm ------------------------------------------------------------------------------ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Thursday, December 04, 2008 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Why not? Groups are more or less free. Thanks, Brian Desmond brian@briandesmond.com c - 312.731.3132 From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Thursday, December 04, 2008 2:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yeah, that makes me ask again, how many machines in your forest are you managing this way? If more than a few hundred I think I would recommend spinning up ADAM, keeping the groups in ADAM and then having a script service or scheduled task that runs on the workstations and adds the membership via what it sees in ADAM. I wouldn't likely want to create all those security groups in AD but I would have to think about it. I just visualize replicating a couple hundred thousand groups to my South American WAN sites that are applicable to just a single machine each... joe -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm ------------------------------------------------------------------------------ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Wednesday, December 03, 2008 7:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. Close, but we aren't using restricted admin setting in GPO. That would grant everyone access to everyone's machine, defeating the purpose of selected access. We have 1 domain local group per machine in AD, then add this group to the local machine. When we grant user access, we add them to the appropriate domain local group that is on the local machines administrators group. Hope you follow that... Here is an example, a group named 'ADM-Webserver1' (Domain Local Group) which is part of the local administrators group on WebServer1. When a person needs access to WebServer1, we add them to ADM-WebServer1. This should be easily scriptable. I'm no super AD guru like Joe or Brian, but what we did achieved our goals. Thank you, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget ----- Original Message ----- From: Gabriele Scolaro To: ActiveDir@mail.activedir.org Sent: Wednesday, December 03, 2008 6:04 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. Steve, if I understood well, that's what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group. The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only. Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: mercoledì 3 dicembre 2008 23.55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. I just went through this. I created a powershell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does A) Creates domain group (i have this done) B) Adds to the local machines Administrators group (I have this done) C) Adds the 'domain' user to the domain group so they have access (to-do) D) Additional scripts to update / remove / replace users in the group. (to-do) Powershell makes this pretty easy. From your description, you are thinking through your requirementrs, but nothing on the market that does what you want. We chose the 'domain' group added to the local machine centralizes administration to a single DC. If you have a separate forest which the user accounts, the 'groups' in the resource domain 'Domain local' so I could add from our 'user' domain. Hope that makes sense. Thank you, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget ----- Original Message ----- From: Gabriele Scolaro To: ActiveDir@mail.activedir.org Sent: Wednesday, December 03, 2008 5:26 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. You're right, it sparingly happens. but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list.. b. Sob.. I see that app does not exist. c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then it's the user who is breaking the rules/policies Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: mercoledì 3 dicembre 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. I would expect this to be such a infrequent thing that pingng the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about. b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scaleable app for anything but a small company. c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because... -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm -------------------------------------------------------------------------- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges L at any time so after a machine has been built and assigned to the user. B. Read other email. If there are tools for resource permission central management, why not Local Admins? J Of course managing laptop and desktop because they might be off-line could be something challenging (that's why a GPO would be great!) C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from "everybody's admin" situation and you start to revoke admin privs to all users ("Hey Joe, I will revoke your privs. BUT I will re-enable you with temp admin privs if you need them!" J. Also there are cases that working as a non-admin in Windows XP is problematic (es: mobile users when they are out of the company and need to install a printer driver). Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not. B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here. C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -------------------------------------------------------------------------- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yes, but... a) What about users you need "to privilege" after the machine has been built and released to the them? b) How to have a global view of who is an administrator of what machine? c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish 3rd party VPN connection after they loggend onto their systems with cached credentials? This sounds challenging indeed.). Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -------------------------------------------------------------------------- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines. If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal. Just adding them at build time works too. Am I missing something in your requirements? On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote: I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines? Manually putting a user into the local administrators group is a burden (also startup scripts does not work in many conditions), also creating an AD security group that is member of local Administrators group of certain computers and add users to that AD group is manageable but an "admin user" is granted admin privilege to all those certain machines. Thanks - Gabriele. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

danholme

Posts:164

12/04/2008 7:38 PM
I'm still confused as to why the new GP Preferences group management capability won't suffice...? Dan Dan Holme Director of Training & Consulting Intelliem * www.intelliem.com dan.holme@intelliem.com From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Thursday, December 04, 2008 12:54 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. It's a single forest with about 100 - 200 boxes. It's a dev environment. No multiple site, hardly any user accounts, mostly admin types. The users live in another domain and are part of the domain local group in the forest which has the boxes. It keeps user admin to a single point. Sorry for the scare. Steve ----- Original Message ----- From: joe<mailto:listmail@joeware.net> To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org> Sent: Thursday, December 04, 2008 12:13 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. Nothing is free. Besides what I already mentioned any queries for groups that aren't properly scoped in would likely have to fish through all of those groups as well on any objectcategory=group query. Likely most if not all group queries then since most people throw generic queries with whole domain or forest scope and see what sticks... And it is personal opinion, just not sure if that is the right store for that info. I could also visualize someone nesting SuperAdmin group into all of these local machine groups and then placing the global helpdesk admins into that group and then wondering why those people are blowing up when trying to access anything. -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Thursday, December 04, 2008 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Why not? Groups are more or less free. Thanks, Brian Desmond brian@briandesmond.com c - 312.731.3132 From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Thursday, December 04, 2008 2:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yeah, that makes me ask again, how many machines in your forest are you managing this way? If more than a few hundred I think I would recommend spinning up ADAM, keeping the groups in ADAM and then having a script service or scheduled task that runs on the workstations and adds the membership via what it sees in ADAM. I wouldn't likely want to create all those security groups in AD but I would have to think about it. I just visualize replicating a couple hundred thousand groups to my South American WAN sites that are applicable to just a single machine each... joe -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: Wednesday, December 03, 2008 7:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. Close, but we aren't using restricted admin setting in GPO. That would grant everyone access to everyone's machine, defeating the purpose of selected access. We have 1 domain local group per machine in AD, then add this group to the local machine. When we grant user access, we add them to the appropriate domain local group that is on the local machines administrators group. Hope you follow that... Here is an example, a group named 'ADM-Webserver1' (Domain Local Group) which is part of the local administrators group on WebServer1. When a person needs access to WebServer1, we add them to ADM-WebServer1. This should be easily scriptable. I'm no super AD guru like Joe or Brian, but what we did achieved our goals. Thank you, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget ----- Original Message ----- From: Gabriele Scolaro<mailto:gabro@gabro.net> To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org> Sent: Wednesday, December 03, 2008 6:04 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. Steve, if I understood well, that's what we are actually doing by using Restricted Groups GPO: a domain group is added to the local Administrators group of some machines and then we add users to the domain group. The problem is that each admin-user is granted with admin privilege on all those machines and not on his/her machine only. Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield Sent: mercoledì 3 dicembre 2008 23.55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. I just went through this. I created a powershell script that handles most of this centrally on a single DC. My longer goal is to make a single script that does A) Creates domain group (i have this done) B) Adds to the local machines Administrators group (I have this done) C) Adds the 'domain' user to the domain group so they have access (to-do) D) Additional scripts to update / remove / replace users in the group. (to-do) Powershell makes this pretty easy. From your description, you are thinking through your requirementrs, but nothing on the market that does what you want. We chose the 'domain' group added to the local machine centralizes administration to a single DC. If you have a separate forest which the user accounts, the 'groups' in the resource domain 'Domain local' so I could add from our 'user' domain. Hope that makes sense. Thank you, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget ----- Original Message ----- From: Gabriele Scolaro<mailto:gabro@gabro.net> To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org> Sent: Wednesday, December 03, 2008 5:26 PM Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. You're right, it sparingly happens... but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can't rely on a manually handled list.... b. Sob.. I see that app does not exist... c. Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then it's the user who is breaking the rules/policies Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: mercoledì 3 dicembre 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. I would expect this to be such a infrequent thing that pingng the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about. b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scaleable app for anything but a small company. c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because... -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. No, it's not common. But it may happen the business requires some users to be empowered with Admin privileges at any time so after a machine has been built and assigned to the user. B. Read other email. If there are tools for resource permission central management, why not Local Admins? Of course managing laptop and desktop because they might be off-line could be something challenging (that's why a GPO would be great!) C. Temp Admin is stupid, period. But it's a "compromise" with the user community when you come from "everybody's admin" situation and you start to revoke admin privs to all users ("Hey Joe, I will revoke your privs... BUT I will re-enable you with temp admin privs if you need them!" . Also there are cases that working as a non-admin in Windows XP is problematic (es: mobile users when they are out of the company and need to install a printer driver). Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not. B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here. C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yes, but... a) What about users you need "to privilege" after the machine has been built and released to the them? b) How to have a global view of who is an administrator of what machine? c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish 3rd party VPN connection after they loggend onto their systems with cached credentials? This sounds challenging indeed...). Thanks - Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm ________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines. If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal. Just adding them at build time works too. Am I missing something in your requirements? On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net<mailto:gabro@gabro.net>> wrote: I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines? Manually putting a user into the local administrators group is a burden (also startup scripts does not work in many conditions), also creating an AD security group that is member of local Administrators group of certain computers and add users to that AD group is manageable but an "admin user" is granted admin privilege to all those certain machines. Thanks - Gabriele. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

darren

Posts:329

danholme

Posts:164

darren

Posts:329

danholme

Posts:164

dkkazak

Posts:12

darren

Posts:329

danholme

Posts:164

gabriel/tfi User is Offline

Posts:381

12/05/2008 2:30 PM
Youre right, nice product but would not fully meet my requirements (I dont think swdevs would accept only their compiler to be elevated!). Just a question, do you know if Vista allows non-admins to install local printers? Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: giovedì 4 dicembre 2008 3.38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. It doesnt directly address your issue but it does solve certain classes of problems. If your goal is to get to Least Privilege Use on your desktops, then you know that its extremely hard to do that if you have any decent size number of apps and different types of users. What Privilege Manager does is essentially let you elevate applications and processes on a per-app/process basis. So you run your users as normal user and then you deploy rules as to which apps get elevated, using Group Policy. The Privilege Manager client essentially reads those rules, and when a user runs an elevated app, the token that that app runs in gets an administrative token added to it, just as if it were being run by an administrator, but instead only that app runs as admin. I think its an excellent product and solves some key problems, but Im not sure that is exactly what you were trying to solve here? Darren **** Darren Mar-Elia CTO & Founder SDM Software, Inc. "The Group Policy Experts" www.sdmsoftware.com <http://www.sdmsoftware.com/> Spot and report on GPO inconsistencies quickly with GPO Compare http://www.sdmsoftware.com/group_policy_compare From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Wednesday, December 03, 2008 6:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Its a GPO extension that sounds really nice! Have you ever personally used it? Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley, CPA Sent: giovedì 4 dicembre 2008 2.21 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. BeyondTrust \| Privilege Manager: http://www.beyondtrust.com/products/PrivilegeManager.aspx Would that help in any way? Gabriele Scolaro wrote: Youre right, it sparingly happens but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I cant rely on a manually handled list. Sob.. I see that app does not exist Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then its the user who is breaking the rules/policies Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: mercoledì 3 dicembre 2008 7.20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. a. I would expect this to be such a infrequent thing that pingng the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about. b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scaleable app for anything but a small company. c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because... -- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm _____ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, December 02, 2008 9:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. No, its not common. But it may happen the business requires some users to be empowered with Admin privileges L at any time so after a machine has been built and assigned to the user. B. Read other email. If there are tools for resource permission central management, why not Local Admins? J Of course managing laptop and desktop because they might be off-line could be something challenging (thats why a GPO would be great!) C. Temp Admin is stupid, period. But its a compromise with the user community when you come from everybodys admin situation and you start to revoke admin privs to all users (Hey Joe, I will revoke your privs BUT I will re-enable you with temp admin privs if you need them! J. Also there are cases that working as a non-admin in Windows XP is problematic (es: mobile users when they are out of the company and need to install a printer driver). Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 21.35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not. B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here. C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _____ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, December 01, 2008 2:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. Yes, but... a) What about users you need to privilege after the machine has been built and released to the them? b) How to have a global view of who is an administrator of what machine? c) How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish 3rd party VPN connection after they loggend onto their systems with cached credentials? This sounds challenging indeed). Thanks Gabriele. From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: lunedì 1 dicembre 2008 18.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to manage users into machine local admins group. I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _____ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Monday, December 01, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines. If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal. Just adding them at build time works too. Am I missing something in your requirements? On Mon, Dec 1, 2008 at 11:31 AM, <gabro@gabro.net> wrote: I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines? Manually putting a user into the local administrators group is a burden (also startup scripts does not work in many conditions), also creating an AD security group that is member of local Administrators group of certain computers and add users to that AD group is manageable but an "admin user" is granted admin privilege to all those certain machines. Thanks - Gabriele. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

gabriel/tfi User is Offline

Posts:381

gabriel/tfi User is Offline

Posts:381

sbradcpa

Posts:496

12/05/2008 3:25 PM
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> <a class="moz-txt-link-freetext" href="http://www.vistax64.com/vista-print-fax-scan/194638-allow-non-admin-install-unsigned-printer-driver.html">http://www.vistax64.com/vista-print-fax-scan/194638-allow-non-admin-install-unsigned-printer-driver.html</a> Signed or unsigned drivers? Windows 7 allows non admins to install patches. Gabriele Scolaro wrote: <blockquote cite="mid:00d801c9570f$5ab07710$10116530$@net" type="cite"> <meta http-equiv="Content-Type" content="text/html; "> <meta name="Generator" content="Microsoft Word 12 (filtered medium)"> <!--[if !mso]> <style> v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style> <![endif]--> <style> <!-- /* Font Definitions / @font-face {font-family:Wingdings; panose-1:5 0 0 0 0 0 0 0 0 0;} @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;} @font-face {font-family:Tahoma; panose-1:2 11 6 4 3 5 4 4 2 4;} / Style Definitions / p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; margin-bottom:.0001pt; font-size:12.0pt; font-family:"Times New Roman","serif"; color:black;} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {mso-style-priority:99; color:purple; text-decoration:underline;} p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph {mso-style-priority:34; margin-top:0cm; margin-right:0cm; margin-bottom:0cm; margin-left:36.0pt; margin-bottom:.0001pt; font-size:12.0pt; font-family:"Times New Roman","serif"; color:black;} span.EmailStyle18 {mso-style-type:personal; font-family:"Calibri","sans-serif"; color:#1F497D;} span.EmailStyle19 {mso-style-type:personal; font-family:"Calibri","sans-serif"; color:#1F497D;} span.EmailStyle20 {mso-style-type:personal; font-family:"Calibri","sans-serif"; color:#1F497D;} span.EmailStyle21 {mso-style-type:personal; font-family:"Calibri","sans-serif"; color:#1F497D;} span.EmailStyle22 {mso-style-type:personal; font-family:"Calibri","sans-serif"; color:#1F497D;} span.EmailStyle23 {mso-style-type:personal-reply; font-family:"Calibri","sans-serif"; color:#1F497D;} .MsoChpDefault {mso-style-type:export-only; font-size:10.0pt;} @page Section1 {size:612.0pt 792.0pt; margin:72.0pt 72.0pt 72.0pt 72.0pt;} div.Section1 {page:Section1;} --> </style><!--[if gte mso 9]><xml> <o:shapedefaults v:ext="edit" spidmax="1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext="edit"> <o:idmap v:ext="edit" data="1" /> </o:shapelayout></xml><![endif]--> <div class="Section1"> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">You’re right, nice product but would not fully meet my requirements (I don’t think swdevs would accept only their compiler to be “elevated”!).<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Just a question, do you know if Vista allows non-admins to install local printers?<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Thanks – Gabriele.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0cm 0cm 0cm 4pt;"> <div> <div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0cm 0cm;"> <p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;" lang="EN-US"> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a class="moz-txt-link-freetext" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>Darren Mar-Elia <b>Sent:</b> giovedì 4 dicembre 2008 3.38 <b>To:</b> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> RE: [ActiveDir] How to manage users into machine local admins group.<o:p></o:p></span></p> </div> </div> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">It doesn’t directly address your issue but it does solve certain classes of problems. If your goal is to get to Least Privilege Use on your desktops, then you know that its extremely hard to do that if you have any decent size number of apps and different types of users. What Privilege Manager does is essentially let you elevate applications and processes on a per-app/process basis. So you run your users as normal user and then you deploy rules as to which apps get elevated, using Group Policy. The Privilege Manager client essentially reads those rules, and when a user runs an “elevated” app, the token that that app runs in gets an administrative token added to it, just as if it were being run by an administrator, but instead only that app runs as admin. <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">I think its an excellent product and solves some key problems, but I’m not sure that is exactly what you were trying to solve here?<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Darren<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">***<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Darren Mar-Elia<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">CTO & Founder<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">SDM Software, Inc.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">"<i>The Group Policy Experts"<o:p></o:p></i></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><a moz-do-not-send="true" href="http://www.sdmsoftware.com/">www.sdmsoftware.com</a><o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Spot and report on GPO inconsistencies quickly with <b>GPO Compare</b> <a class="moz-txt-link-freetext" href="http://www.sdmsoftware.com/group_policy_compare">http://www.sdmsoftware.com/group_policy_compare</a><o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <div> <div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0cm 0cm;"> <p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;" lang="EN-US"> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a class="moz-txt-link-freetext" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>Gabriele Scolaro <b>Sent:</b> Wednesday, December 03, 2008 6:02 PM <b>To:</b> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> RE: [ActiveDir] How to manage users into machine local admins group.<o:p></o:p></span></p> </div> </div> <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">It’s a GPO extension that sounds really nice!<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Have you ever personally used it?<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> Thanks – Gabriele.<o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"><o:p> </o:p></span></p> <div> <div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0cm 0cm;"> <p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;" lang="EN-US"> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a class="moz-txt-link-freetext" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>Susan Bradley, CPA <b>Sent:</b> giovedì 4 dicembre 2008 2.21 <b>To:</b> <a class="moz-txt-link-abbreviated" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> Re: [ActiveDir] How to manage users into machine local admins group.<o:p></o:p></span></p> </div> </div> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal">BeyondTrust \| Privilege Manager: <a moz-do-not-send="true" href="http://www.beyondtrust.com/products/PrivilegeManager.aspx">http://www.beyondtrust.com/products/PrivilegeManager.aspx</a> Would that help in any way? Gabriele Scolaro wrote: <o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">You’re right, it sparingly happens… but unfortunately it happens and regional admins are actually doing that manually, but what makes me nervous is the lack of global visibility of users being admins of their workstations. I can’t rely on a manually handled list….</span><o:p></o:p></p> <p class="MsoListParagraph"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> </span><o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Sob.. I see that app does not exist…</span><o:p></o:p></p> <p class="MsoListParagraph"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> </span><o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Fully agree, of course. But the choice here is (a) give permanent admin privs or (b) just allow a legitimate priv escalation if/when required by the user. I prefer the second because it might never happen or if it happens the user has to open a ticket, give justifications and that temp-admin assigned priv is tracked, if then the user makes her/himself privileged for ever then it’s the user who is breaking the rules/policies</span><o:p></o:p></p> <p class="MsoListParagraph"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> </span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Thanks – Gabriele.</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> </span><o:p></o:p></p> <div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0cm 0cm 0cm 4pt;"> <div> <div style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0cm 0cm;"> <p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US"> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>joe <b>Sent:</b> mercoledì 3 dicembre 2008 7.20 <b>To:</b> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> RE: [ActiveDir] How to manage users into machine local admins group.</span><o:p></o:p></p> </div> </div> <p class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">a. I would expect this to be such a infrequent thing that pingng the local site admins to do the work to add the person to the admin group shouldn't be all that burdensome. It shouldn't be something being done by the DA's for example. This is way below what most DAs in even medium sized orgs should be worrying about.</span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">b. Yep why not... Someone just needs to sit down and write it. Maybe someone will do it for free but more likely it will require someone believing there is some money to be had. This is a heavy duty scaleable app for anything but a small company. </span><o:p></o:p></p> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <div> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">c. Revoking them but allowing them to have admin some times is self defeating, seriously. You give me admin for a little bit, it is likely I will have it forever after whether you want me to or not. Once you lock a machine down, you can't give that access back or else you have to do a complete audit (but better yet a complete rebuild) to get faith in that machine again. If you lock a machine down in the first place, it is assumed there is a good reason for it, not just because...</span><o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <p class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">--</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">O'Reilly Active Directory Fourth Edition - <a moz-do-not-send="true" href="http://www.joeware.net/win/ad4e.htm" title="blocked::http://www.joeware.net/win/ad3e.htm">http://www.joeware.net/win/ad4e.htm</a> </span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <p class="MsoNormal"> <o:p></o:p></p> <div class="MsoNormal" style="text-align: center;" align="center"><span lang="EN-US"> <hr align="center" size="2" width="100%"></span></div> <p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US"> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>Gabriele Scolaro <b>Sent:</b> Tuesday, December 02, 2008 9:26 PM <b>To:</b> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> RE: [ActiveDir] How to manage users into machine local admins group.</span><o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">A.</span><span style="font-size: 7pt; color: rgb(31, 73, 125);" lang="EN-US"> </span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">No, it’s not common. But it may happen the business requires some users to be empowered with Admin privileges </span><span style="font-size: 11pt; font-family: Wingdings; color: rgb(31, 73, 125);" lang="EN-US">L</span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> at any time so after a machine has been built and assigned to the user.</span><o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">B.</span><span style="font-size: 7pt; color: rgb(31, 73, 125);" lang="EN-US"> </span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Read other email. If there are tools for resource permission central management, why not Local Admins? </span><span style="font-size: 11pt; font-family: Wingdings; color: rgb(31, 73, 125);" lang="EN-US">J</span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> Of course managing laptop and desktop because they might be off-line could be something challenging (that’s why a GPO would be great!)</span><o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">C.</span><span style="font-size: 7pt; color: rgb(31, 73, 125);" lang="EN-US"> </span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Temp Admin is stupid, period. But it’s a “compromise” with the user community when you come from “everybody’s admin” situation and you start to revoke admin privs to all users (“Hey Joe, I will revoke your privs… BUT I will re-enable you with temp admin privs if you need them!” </span><span style="font-size: 11pt; font-family: Wingdings; color: rgb(31, 73, 125);" lang="EN-US">J</span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">.</span><o:p></o:p></p> <p class="MsoListParagraph"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Also there are cases that working as a non-admin in Windows XP is problematic (es: mobile users when they are out of the company and need to install a printer driver).</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> </span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Thanks – Gabriele.</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> </span><o:p></o:p></p> <div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0cm 0cm 0cm 4pt;"> <div> <div style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0cm 0cm;"> <p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US"> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>joe <b>Sent:</b> lunedì 1 dicembre 2008 21.35 <b>To:</b> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> RE: [ActiveDir] How to manage users into machine local admins group.</span><o:p></o:p></p> </div> </div> <p class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">A. I wouldn't call this the normal running situation. If you didn't give admin rights up front, you probably shouldn't be wanting to do it later. If it is a case of we deployed all these and we meant to do it but didn't, then I see that as a one off scriptable event. Anyone you give admin rights to should be someone you wouldn't be terribly worried about giving admin rights to permanently. You give me admin rights to a machine for a little bit, I can very likely make it permanent whether you want that or not. </span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">B. Yeah this would be nice. I actually visualized something that leveraged ADAM to do this but had a couple of problems with it... The first being that ADAM probably won't scale to allow for tens or hundreds of thousands of replicas and the second being that MSFT was silly and made it so ADAM can no longer be loaded on clients; only servers. OpenLDAP may be the answer here.</span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">C. Now this is a whole other thing from what I believe the original issue was. But again, I don't really fully believe in temp admin privs over machines. How do you stop someone from giving themselves the rights permanently? Now this works great for things like say access to mailboxes where you can turn on and off the right easily and getting the right doesn't give permission to side step the security mechanism. Making someone an admin on a machine is giving them the biggest gun they can have for that machine.</span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;"> joe</span><o:p></o:p></p> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">--</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">O'Reilly Active Directory Third Edition - <a moz-do-not-send="true" href="http://www.joeware.net/win/ad3e.htm" title="blocked::http://www.joeware.net/win/ad3e.htm">http://www.joeware.net/win/ad3e.htm</a> </span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <p class="MsoNormal"> <o:p></o:p></p> <div class="MsoNormal" style="text-align: center;" align="center"><span lang="EN-US"> <hr align="center" size="2" width="100%"></span></div> <p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US"> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>Gabriele Scolaro <b>Sent:</b> Monday, December 01, 2008 2:54 PM <b>To:</b> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> RE: [ActiveDir] How to manage users into machine local admins group.</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Yes, but...</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"> </span><o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">a)</span><span style="font-size: 7pt; color: rgb(31, 73, 125);" lang="EN-US"> </span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">What about users you need “to privilege” after the machine has been built and released to the them?</span><o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">b)</span><span style="font-size: 7pt; color: rgb(31, 73, 125);" lang="EN-US"> </span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">How to have a global view of who is an administrator of what machine?</span><o:p></o:p></p> <p class="MsoListParagraph" style="text-indent: -18pt;"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">c)</span><span style="font-size: 7pt; color: rgb(31, 73, 125);" lang="EN-US"> </span><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">How to assign temp admin privileges when start-up scripts are not a viable solution? (say road warriors that establish 3<sup>rd</sup> party VPN connection after they loggend onto their systems with cached credentials? This sounds challenging indeed…).</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> </span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US">Thanks – Gabriele.</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);" lang="EN-US"> </span><o:p></o:p></p> <div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0cm 0cm 0cm 4pt;"> <div> <div style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0cm 0cm;"> <p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US"> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>joe <b>Sent:</b> lunedì 1 dicembre 2008 18.17 <b>To:</b> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> RE: [ActiveDir] How to manage users into machine local admins group.</span><o:p></o:p></p> </div> </div> <p class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">I agree, this is something that is done at build time by the machine builder when setting up the machine for the user in question, then it isn't an administrative burden; it is simply part of the build process.</span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <div> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;"> joe</span><o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">--</span><o:p></o:p></p> <p class="MsoNormal"><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">O'Reilly Active Directory Third Edition - <a moz-do-not-send="true" href="http://www.joeware.net/win/ad3e.htm" title="blocked::http://www.joeware.net/win/ad3e.htm">http://www.joeware.net/win/ad3e.htm</a> </span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <p class="MsoNormal"> <o:p></o:p></p> <div class="MsoNormal" style="text-align: center;" align="center"><span lang="EN-US"> <hr align="center" size="2" width="100%"></span></div> <p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";" lang="EN-US"> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">ActiveDir-owner@mail.activedir.org</a> [<a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir-owner'+'@'+'mail'+'.activedir')".org">mailto:ActiveDir-owner@mail.activedir.org</a>] <b>On Behalf Of </b>Al Mulnick <b>Sent:</b> Monday, December 01, 2008 11:42 AM <b>To:</b> <a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a> <b>Subject:</b> Re: [ActiveDir] How to manage users into machine local admins group.</span><o:p></o:p></p> <div> <p class="MsoNormal">If putting a group into the local administrators group, by definition you want to grant access to a large number of users to a large number of machines. <o:p></o:p></p> </div> <div> <p class="MsoNormal">If you only want the one user to be added to the local admins group, a script that is used at build time is most likely the least effort you can expend and still achieve your goal. <o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <div> <p class="MsoNormal">Just adding them at build time works too. <o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <div> <p class="MsoNormal">Am I missing something in your requirements? <o:p></o:p></p> </div> <div> <p class="MsoNormal"> <o:p></o:p></p> </div> <div> <p class="MsoNormal">On Mon, Dec 1, 2008 at 11:31 AM, <<a moz-do-not-send="true" href="javascript:window.location.replace('ma'+'ilto:'+'gabro'+'@'+'gabro'+'.net')">gabro@gabro.net</a>> wrote:<o:p></o:p></p> <p class="MsoNormal">I think it's a long debated story, but what's the best practice/approach/tool to empower certain users (such as swdevs) to be admins of their own machines? Manually putting a user into the local administrators group is a burden (also startup scripts does not work in many conditions), also creating an AD security group that is member of local Administrators group of certain computers and add users to that AD group is manageable but an "admin user" is granted admin privilege to all those certain machines. Thanks - Gabriele. List info : <a moz-do-not-send="true" href="http://www.activedir.org/List.aspx" target="_blank">http://www.activedir.org/List.aspx</a> List FAQ : <a moz-do-not-send="true" href="http://www.activedir.org/ListFAQ.aspx" target="_blank">http://www.activedir.org/ListFAQ.aspx</a> List archive: <a moz-do-not-send="true" href="http://www.activedir.org/ma/default.aspx" target="_blank">http://www.activedir.org/ma/default.aspx</a><o:p></o:p></p> </div> <p class="MsoNormal"> <o:p></o:p></p> </div> </div> </div> <p class="MsoNormal"><span style="color: windowtext;">List info : <a class="moz-txt-link-freetext" href="http://www.activedir.org/List.aspx">http://www.activedir.org/List.aspx</a> List FAQ : <a class="moz-txt-link-freetext" href="http://www.activedir.org/ListFAQ.aspx">http://www.activedir.org/ListFAQ.aspx</a> List archive: <a class="moz-txt-link-freetext" href="http://www.activedir.org/ma/default.aspx">http://www.activedir.org/ma/default.aspx</a> <o:p></o:p></span></p> </div> </div> </blockquote> </body> </html> List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

listmail

Posts:763

EZiots

Posts:55

12/16/2008 8:23 AM
You can GPO this to using restricted groups, and putting the machines into the correct OU structure, or you can use Security templates ( my favorite) to bake this in at the build time. Z Edward E. Ziots Network Engineer Lifespan Organization Email: eziots@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network + -----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Adam Thompson Sent: Monday, December 01, 2008 3:48 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to manage users into machine local admins group. 2008/12/1 joe <listmail@joeware.net>: > I agree, this is something that is done at build time by the machine builder > when setting up the machine for the user in question, then it isn't an > administrative burden; it is simply part of the build process. > > joe > Delegate! If workstations belong to a specific SW Dev team, add their AD group to the local admins group at build time. Or add a group for "SW Dev Team Managers". This may mean that people other than Joe Bloggs get admin privs, but it also means that if Tom, Dick or Sally need admin privs on that machine, they only need speak to somebody in that SW Dev Team, or a manager from their division. You're giving them the ability to decide who should be admin on their (the SW Dev team's) workstations, so make sure that you get them to sign off on taking the responsibility that comes with that power. You may want to run a (remotely executed) script to do something like: net localgroup administrators >> \\fileserver01\adminigroups$\%COMPUTERNAME%_%DATE%_Admin.txt - perhaps by using psexec.exe from sysinternals/Technet. So you can keep track of what's going on. This won't scale to thousands of computers. If you want to risk using locally scheduled task to report on this, you can try: =BEGIN admincheck.cmd REM First we'll delete the old file del c:\control\admins.old.txt REM now let's take the existing admin group dump and put it in the .old file move c:\control\admins.txt c:\control\admins.old.txt REM and then we take a look at what's in the local admins group now net localgroup administrators > c:\control\admins.txt REM now for the interesting part REM - we're going to compare what was in the admins group with what's in it now ECHO n\|COMP "c:\control\admins.txt" "C:\control\admins.old.txt" \| FIND "Files compare OK" > nul IF ERRORLEVEL 1 GOTO PROBLEM IF ERRORLEVEL 0 GOTO END ROBLEM REM uh-oh, somebody's been added to, or removed from the admins group - better tell somebody about this! blat - -log admincheck.log -to helpdesk@domain.test -server smtp.domain.test -f security@domain.test -subject "Security Alert! - admins changed on %computername%" -body "please review the attached files for differences in the membership of the local administrators group. If the workstation owner cannot be contacted, and no authorised change can be found, you MUST raise a ticket for this as a security breach." -embed c:\control\admins.old.txt -embed c:\control\admins.txt -q REM we could add other things in here, like using eventcreate.exe, or running some other code to generate a support ticket or maybe sending an SNMP trap. :END ECHO Admins checked at %time% on %date% >> admincheck.log REM nothing to see here, move along please Exit =END admincheck.cmd The above depends on: i) The users with admin privs not using them to disable/edit the script/sched task ii) The presence of blat.exe and an accessible SMTP server You would probably be better off finding out EXACTLY which permissions these devs need and creating a local group for SW-Devs with those permissions. Perhaps "Power User" + "Network Configuration" + "Remote Desktop Users" + "Debugger Users" + any other file/registry ACL hardening or softening + maybe the all-powerful load/unload driver priv + Logon as a service (if that's what the app they're developing does). -- AdamT "Surround yourself with the best people you can find, delegate authority, and don't interfere" - Ronald Reagan List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx

You are not authorized to post a reply.

Page 3 of 3

Forums >ActiveDir Mail List Archive >List Archives > [ActiveDir] How to manage users into machine local admins group.

ActiveForums 3.7

Syndicate

Friends

List Archives

List Archives

Friends

Members

Articles

Related Links

Ads