If your company is like most companies, you have users running as
local administrators on their desktops. There are solutions that eliminate
this need, and that is a direction every company should take. When users
run as local administrators, the IT staff has no real control over that user
or their desktop: the user can install whatever they like and undo any
configuration you push down. In order to secure the local Administrators
group on every desktop, you need some powerful tools to get the
job done. There are typically three different tasks that you need to
perform to secure this group, which we cover in this article.
Windows Server 2008 and Windows Vista SP1 (with RSAT installed)
provide new controls that make these configurations a breeze!

Task 1 - Remove Domain User Account
The initial task of securing the local Administrators group is to
ensure that the user no longer has membership in the group. This is
easier said than done, since most companies have configured the user's
domain account to be a member of this group when the user's computer
was built.
Consider a scenario where you have resolved the issue of having
users run as local Administrator and now you need to remove the
domain user accounts from the local Administrators group on every
desktop in your environment. You only have 10,000 desktops, laptops,
and remote users, so you only have a small task ahead of you (yeah
right!).
If you create a logon script to perform this task, you are relying on the
user to log off and back on for the script to run. That is not likely to happen
on even half of the desktops, so you need another option.
A far better solution is the Local Group item in Group Policy
Preferences, which accomplishes the task within one Group Policy
refresh cycle of your implementing it. To get the job done, edit a Group
Policy Object (GPO) and configure the following setting: User
Configuration\Preferences\Control Panel Settings\Local Users and
Groups\New\Local Group. This opens the New Local Group
Properties dialog box, as shown in Figure 1.

Figure 1: Local Group GPP which allows you to control the membership of the local Administrators group
After you open this property sheet, set the Group name to
Administrators (built-in), leave the Action as Update, and select the
Remove the current user radio button. This affects every user account
within the scope of management of the GPO containing this setting. The
setting applies at the next Group Policy background refresh, which by
default runs every 90 minutes plus a random offset of up to 30 minutes,
so expect every machine that is powered on to have it within about two
hours (or run gpupdate /force on a machine to apply it immediately).
One caveat: removing an account from the group does not change the
access token of a session that is already logged on, so a user who is
logged on when the setting applies keeps local administrator rights until
they log off and log on again.
Task 2 - Add Domain Admins and Local Administrator
The next phase of securing the local Administrators group is to
ensure that the Domain Admins global group and the local Administrator
account are both members of the local Administrators group on every
desktop.
Many have attempted this by using the Restricted Groups policy
(Computer Configuration\Windows Settings\Security Settings\Restricted
Groups) that has been part of Active Directory Group Policy from the
onset. The problem with this solution is that its "Members of this group"
setting is authoritative: it is a "delete and replace" setting, not an
"append" setting. Thus, when you configure Administrators with only
these two accounts as members, you wipe out the current contents
of the local Administrators group, replacing it with only these two
accounts, and any support or service account you forgot is locked out.
(Restricted Groups' other setting, "This group is a member of", does
append, but it cannot remove a specific account from the group, which
is exactly what Task 3 requires.)
By using the Local Users and Groups preference item described in
Task 1, you can not only remove the currently logged-on user but also
add the two key accounts that ensure you have the correct
administrative privileges on each desktop. Keep the Action set to
Update so existing members are preserved, and add each account under
Members with the "Add to this group" option, as shown in Figure 2.
(Joining a computer to the domain adds Domain Admins to the local
Administrators group by default, so this step mainly puts back what
someone has removed by hand.)

Figure 2: Appending the membership of the local Administrators group is easy
Task 3 - Remove Specific Accounts
The final stage of securing the local Administrators group is to
ensure that only the correct accounts have membership. In many cases,
groups from the domain have been added to the local
Administrators group to perform a specific task, complete a project, or
perform maintenance. If these groups are no longer needed in the local
Administrators group, you can simply remove them with the same Local
Users and Groups preference item.
In the same way that you added the two accounts in Task 2, you
can add to the preference item the accounts that need to be removed. To do this,
select the "Remove from this group" option when you add
the account to the Members list, as shown in Figure 3.

Figure 3: Removing a specific user or group from the local Administrators group is possible
Now you have complete control over the membership of the local
Administrators group: the accounts that belong stay, and only the user
and group accounts that should not be included are removed.
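Once the three preference items have applied, you will want to verify the result rather than trust the GPO. The script below is an added example, not code from the original article: it reads the local Administrators group on each computer through the WinNT ADSI provider (which exists on the XP/2003-era clients the article targets as well as on current Windows, so it does not need the newer Get-LocalGroupMember cmdlet), flags any member not on an allow-list, and reports whether the Group Policy Preferences client-side extension DLL (gpprefcl.dll) is present, since a client without that extension silently ignores every preference item. The domain name CONTOSO, the computer names and the allow-list are assumptions; adjust them for your environment. Reading a remote computer's group and its admin$ share requires administrative rights on that computer, and the [pscustomobject] syntax needs PowerShell 3.0 or later.

```powershell
# Added example (not part of the original article): audit the local Administrators group
# on a list of computers after the Local Group preference items have applied.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Accounts allowed to remain in the group; everything else is reported as Unexpected.
    # Local accounts are listed by bare name, domain principals as DOMAIN\name. Assumed values.
    [string[]]$Allowed = @('CONTOSO\Domain Admins', 'Administrator')
)

function Get-LocalAdminMember {
    # Returns the members of the local Administrators group as DOMAIN\name or bare local name.
    param([string]$Computer)
    $short = $Computer.Split('.')[0]
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Invoke('Members') returns raw COM objects; read each one's ADsPath, which looks like
    # WinNT://CONTOSO/Domain Admins (domain principal) or WinNT://CONTOSO/PC01/Administrator (local)
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name  = $parts[-1]
        $scope = $parts[-2]
        if ($scope -ieq $short) { $name } else { "$scope\$name" }
    }
}

function Test-GppClientInstalled {
    # Down-level clients need the Group Policy Preferences client-side extensions installed;
    # gpprefcl.dll is the DLL that implements them. A missing DLL explains a non-compliant machine.
    param([string]$Computer)
    Test-Path "\\$Computer\admin`$\System32\gpprefcl.dll"
}

foreach ($c in $ComputerName) {
    try {
        $members = @(Get-LocalAdminMember -Computer $c)
    } catch {
        Write-Warning "$c : cannot read local Administrators - $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        Computer   = $c
        GppClient  = Test-GppClientInstalled -Computer $c
        Members    = $members -join '; '
        # Members the GPO should have removed (Task 1 and Task 3)
        Unexpected = ($members | Where-Object { $Allowed -notcontains $_ }) -join '; '
        # Allowed members that are not present yet (Task 2)
        Missing    = ($Allowed | Where-Object { $members -notcontains $_ }) -join '; '
    }
}
```

Run it as .\Audit-LocalAdmins.ps1 -ComputerName PC01,PC02 | Format-Table -AutoSize from an account that is a local administrator on the targets. A machine that still lists the user's domain account after two refresh cycles, but shows GppClient as True, usually means the user has not logged on since the setting applied, because the "Remove the current user" item is a user-side setting and the user's own logon is what processes it.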
Obtaining the Tools and the Rules
I have mentioned over and over the use of the Group Policy
Preferences that come with Windows Server 2008 and Vista. In order for
you to take advantage of these settings, you only need to have ONE of
the following on your network:
- Windows Server 2008
- Windows Vista SP1, with the Remote Server Administration Tools (RSAT) installed
Both of these operating systems come with the new and improved Group
Policy Management Console and Group Policy Management Editor, which
is where the Preferences node appears.
The settings included in the new Group Policy Preferences can apply to the following operating systems, provided the Group Policy Preferences client-side extensions are installed on the client (Windows Server 2008 includes them; the others need the separate update, KB943729):
- Windows XP SP2 and higher
- Windows Server 2003 SP1 and higher
- Windows Vista SP1 and higher
- Windows Server 2008 and higher
Sorry, anything Windows 2000 does not apply!