
How to lock out desktop admins from logging on locally onto Server 2008


UnknownEntity (Technical User), Jun 15, 2006
Hi all,

I am trying to find out the best way to lock out desktop admins, who are part of the Administrators group on a domain, from logging onto any Windows 2008 or Windows 2003 server. What is the best approach to do this? Thanks.

Drakul.
 
Only grant them local admin rights to the desktop OSes.
Don't give them any sort of global admin rights like domain administrators.

If they need to do work in AD, such as add/remove/amend users and computers, then you could give them Account Operators rights or delegate.

Also, if they need to add computers to the domain, then amend group policy to allow them to add machines to the domain.



 
Let's call this group LocalDesktopAdmins, or LDA for short. Would I create an OU in AD, then create the group account in that OU and use a GPO to add LDA to the local Administrators group for all workstations in the domain? They would need to add systems to the domain and use the account on network printers. Also, would the desktop admins in this group be part of the 'Users' group? If this involves 'Restricted Groups' I will need to read further, as I have never used that.

Is it good practice to create separate user accounts that go into the LDA group, or just one account called LDAs?
 
I use a VBS script to add a user group to the local Administrators group on the computers; this is deployed as a logon script against a machine group policy which is applied to an OU containing the computers on my network.

You don't need to create any new OUs; just create a new group called LDA, then add all your support users that require local admin rights to this group.

With regard to adding systems to the domain, amend group policy to allow the LDA group to add new systems to the domain. With printers, you could add them to the Printer Operators group. If they need to amend users in AD, then Account Operators would work for that. If you want them to have control over only certain OUs, then you will need to delegate.

The VBS code I use is below:

Code:
Set objWshNet = CreateObject("WScript.Network")

' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure basic script variables

strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")


' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure to add a domain user to the Local Administrators Group

'strUser = "Username"
'Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")


' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure to add a domain group to the Local Administrators Group

strUser = "Groupname"
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")


' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // We actually add the user or group here, if not already a member of the local
' // Administrators group:

If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add(objUser.ADsPath)
End If

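The same membership logic as the VBS above, written as an added PowerShell example (not code from the thread or its posters). It uses the identical WinNT provider calls, but only adds the group on workstations; on a server or domain controller it instead reports whether the group has ended up in local Administrators, which is the situation the original question wants to prevent. The domain and group name are placeholders, and the script assumes it runs elevated on the target machine.

```powershell
# Added example: idempotent local-Administrators membership for a domain group,
# with a membership check on servers instead of an add.
param(
    [string]$Domain    = $env:USERDOMAIN,
    [string]$GroupName = 'LDA'   # placeholder: the desktop-admin group name
)

function Get-OsRole {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    switch ((Get-CimInstance Win32_OperatingSystem).ProductType) {
        1       { 'Workstation' }
        2       { 'DomainController' }
        3       { 'Server' }
        default { 'Unknown' }
    }
}

function Get-LocalAdminsBinding {
    # Same WinNT:// paths the VBS uses, through PowerShell's [ADSI] accelerator
    param([string]$Domain, [string]$GroupName)
    [pscustomobject]@{
        Admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        Member = [ADSI]"WinNT://$Domain/$GroupName,group"
    }
}

function Add-DomainGroupToLocalAdmins {
    param([string]$Domain, [string]$GroupName)
    $b = Get-LocalAdminsBinding -Domain $Domain -GroupName $GroupName
    if (-not $b.Admins.IsMember($b.Member.Path)) {
        $b.Admins.Add($b.Member.Path)          # only add when not already a member
        return "Added $Domain\$GroupName to local Administrators on $env:COMPUTERNAME"
    }
    return "$Domain\$GroupName is already in local Administrators on $env:COMPUTERNAME"
}

function Test-DomainGroupInLocalAdmins {
    param([string]$Domain, [string]$GroupName)
    $b = Get-LocalAdminsBinding -Domain $Domain -GroupName $GroupName
    return [bool]$b.Admins.IsMember($b.Member.Path)
}

$role = Get-OsRole
if ($role -eq 'Workstation') {
    Add-DomainGroupToLocalAdmins -Domain $Domain -GroupName $GroupName
} elseif (Test-DomainGroupInLocalAdmins -Domain $Domain -GroupName $GroupName) {
    # Desktop admins should not hold local admin rights on servers: flag it, do not add
    Write-Warning "$Domain\$GroupName is in local Administrators on $role $env:COMPUTERNAME"
} else {
    Write-Output "$Domain\$GroupName is not in local Administrators on $role $env:COMPUTERNAME"
}
```

Deploying it against the workstation OU keeps the original behaviour; running it against the server OU gives a warning line per server where the group has been added by hand.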
 
I have spent so long looking on the web trying to determine the best solution, hopefully this will work.

Thanks Faithless for the VBS code and valuable input. I will need to simulate this before live production; if it's okay I will email you with how this goes. Thanks again!

Drakul.
 
Hi Faithless, the script worked like a charm. Thanks. I'm starting a new thread on server scripting; your help will be greatly appreciated if you read this. I couldn't find a way to email you. Thanks again.

Drakul.
 
No problem. We have just stopped using this script and have moved most of our stuff over to Group Policy Preferences instead of scripting now.
