
Which local user group are you putting the domain group in?

cajuntank | IS-IT--Management | May 20, 2003 | 947 | US
Have two quick questions about joining PCs to the domain.
When you join a PC to the domain (with everything being default), the domain user has very restricted access to the local PC. I have seen where people have just added those users one by one to the local Administrators group, and also read where someone chose the Power Users group instead. I need to come to a decision for over 1000 stations, so I'll be doing this via GPO.

I'd like to know what is generally done so updates and software installs can take place. Domain users in the local PC Administrators group, or what?

Also, I know there's a reg key to stop the machine from showing up in the browse list so only servers and printers show up. Does anyone do this? I read where doing this cuts down on network traffic.

Comments/insights are appreciated.
 
We have a group which is both a Security Group and a Distribution Group (emails) called "MyCompany Staff".

(For example, Acme Staff)

This we add to the local Power Users group. It means that on installs outside of GPO you will need to Run As... an Administrator, but this isn't too much of a pain to make sure your general users don't inadvertently install something malicious while on the web.

I strongly recommend you DON'T add Domain Users to either group, especially Administrators. The reason is that Domain Users is the default group for all created accounts, and later down the line you might create a Temp account for a temp worker, and they will have Admin access to every machine before you definitely know you want this.

You could add it to Power Users, but better is to create a separate Security Group and add all new users to this group. You can add users automatically using a script I wrote:

Code:
'==========================================================================
'
' NAME: AddUserToGroup
'
' AUTHOR: Russ Clements , Clements IT
' DATE  : 20/01/2004
'
' COMMENT: Adds a specified user to the specified
'          computer\domain Group.
'
'==========================================================================

Option Explicit

Dim sComputer, sGroup, sUser, sDomain
Dim WSHShell, oGroup, oUser

Set WSHShell = CreateObject("WScript.Shell")

' Request the domain name.
' (A comment may not follow the "_" line-continuation character, so the
'  "change to your default domain" markers sit on lines without it.)
sDomain = InputBox("Please enter a Domain Name:" & vbCrLf & _
	"(default is the MyDomain domain)", _
	"AddUserToGroup Input Domain Name", _
	"mydomain", 100, 100) ' change to your default domain
If sDomain = "" Then
	sDomain = "mydomain" ' change to your default domain
End If

' Request the Domain or single-Computer name ("." is this computer)
sComputer = InputBox("Please enter a computer name:" & vbCrLf & _
	"(default is this computer)", _
	"AddUserToGroup Input Computer Name", _
	".", 100, 100)
If sComputer = "" Then
	sComputer = "."
End If

' Request the group name
sGroup = InputBox("Please enter a Group name:" & vbCrLf & _
	"(default is the Power Users group)", _
	"AddUserToGroup Input Group Name", _
	"Power Users", 100, 100)
If sGroup = "" Then
	sGroup = "Power Users"
End If

' Request the user name (defaults to the account running the script)
sUser = InputBox("Please enter a Username:" & vbCrLf & _
	"(default is your username)", _
	"AddUserToGroup Input Username", _
	LCase(WSHShell.ExpandEnvironmentStrings("%username%")), 100, 100)
If sUser = "" Then
	sUser = LCase(WSHShell.ExpandEnvironmentStrings("%username%"))
End If

' Build the ADSI paths and bind to the group and user objects.
' A bad name or missing permission stops the script here with an error.
Set oGroup = GetObject("WinNT://" & sComputer & "/" & sGroup & ",group")
Set oUser = GetObject("WinNT://" & sDomain & "/" & sUser & ",user")

On Error Resume Next

'WScript.Echo "oGroup.Name: " & oGroup.Name
'WScript.Echo "oUser.Name: " & oUser.Name
'WScript.Echo "oUser.ADsPath: " & oUser.ADsPath

' Add User to Group and commit the change.
oGroup.Add oUser.ADsPath
oGroup.SetInfo

If Err.Number <> 0 Then
	WScript.Echo "Error:   Add failed. " & Err.Description
Else
	WScript.Echo "Success: User Added to group."
End If
On Error GoTo 0

Set oUser = Nothing
Set oGroup = Nothing


If you feel up to it, it wouldn't be hard to change it to read a text file of all your users.

To remove users, the following script works:

Code:
'==========================================================================
'
' NAME: RemoveUserFromGroup
'
' AUTHOR: Will Clements , Clements IT
' DATE  : 20/01/2004
'
' COMMENT: Removes a specified user from the specified
'          computer\domain Group.
'
'==========================================================================

Option Explicit

Dim sComputer, sGroup, sUser, sDomain, sUserPath
Dim oGroup, oUser

' Request the domain name.
' (A comment may not follow the "_" line-continuation character, so the
'  "change to your default domain" markers sit on lines without it.)
sDomain = InputBox("Please enter a Domain Name:" & vbCrLf & _
	"(default is the MyDomain domain)", _
	"RemoveUser Input Domain Name", _
	"mydomain", 100, 100)  ' change to your default domain
If sDomain = "" Then
	sDomain = "mydomain" ' change to your default domain
End If

' Request the Domain or single-Computer name ("." is this computer)
sComputer = InputBox("Please enter a computer name:" & vbCrLf & _
	"(default is this computer)", _
	"RemoveUser Input Computer Name", _
	".", 100, 100)
If sComputer = "" Then
	sComputer = "."
End If

' Request the group name
sGroup = InputBox("Please enter a Group name:" & vbCrLf & _
	"(default is the Administrators group)", _
	"RemoveUser Input Group Name", _
	"Administrators", 100, 100)
If sGroup = "" Then
	sGroup = "Administrators"
End If

' Request the user name. A SID string (S-1-...) is also accepted, which is
' how the orphaned member of a deleted account appears in a group listing.
sUser = InputBox("Please enter a Username:" & vbCrLf & _
	"(default is the Guest username)", _
	"RemoveUser Input Username", _
	"guest", 100, 100)
If sUser = "" Then
	sUser = "guest"
End If

' Build the ADSI path and bind to the group object
Set oGroup = GetObject("WinNT://" & sComputer & "/" & sGroup & ",group")

' An orphaned SID has no account left to bind to, so it is addressed by its
' "WinNT://S-1-..." path directly; a normal user is bound and its path used.
If InStr(sUser, "S-1") = 1 Then
	sUserPath = "WinNT://" & sUser
Else
	Set oUser = GetObject("WinNT://" & sDomain & "/" & sUser & ",user")
	sUserPath = oUser.ADsPath
End If

On Error Resume Next

'WScript.Echo "oGroup.Name: " & oGroup.Name
'WScript.Echo "sUserPath: " & sUserPath

' Remove User from Group and commit the change.
oGroup.Remove sUserPath
oGroup.SetInfo

If Err.Number <> 0 Then
	WScript.Echo "Error:   Remove failed. " & Err.Description
Else
	WScript.Echo "Success: User removed from group."
End If
On Error GoTo 0

Set oUser = Nothing
Set oGroup = Nothing

And then finally, if you want to check users in a group on a domain or local machine, the following script is useful:

Code:
'==========================================================================
'
' NAME: ListGroupMembers
'
' AUTHOR: Russ Clements , Clements IT
' DATE  : 20/01/2004
'
' COMMENT: Enumerate members of a particular group. Set here For
'          Administrators group as default, but if comments removed
'          from inputbox, user can stipulate different groups at will.
'
'==========================================================================

Option Explicit

Dim strCompOrDom, strGroup, strMembers
Dim WSHShell, objGroup, objMember, objFSO, objFile

Set WSHShell = WScript.CreateObject("WScript.Shell")

' Request the Domain or single-Computer name ("." is this computer)
strCompOrDom = InputBox("Please enter a computer or Domain name", _
	"ListGroupMembers Input Computer or Domain Name", _
	".", 100, 100)
If strCompOrDom = "" Then
	strCompOrDom = "."
End If

' Request the group name (Administrators is the default in both places)
strGroup = InputBox("Please enter a Group name", _
	"ListGroupMembers Input Group Name", _
	"Administrators", 100, 100)
If strGroup = "" Then
	strGroup = "Administrators"
End If

' Create the output file. It is created if not found, otherwise overwritten.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\GroupMembers.txt", 2, True)

' Build the ADSI path and retrieve the group object
Set objGroup = GetObject("WinNT://" & strCompOrDom & "/" & strGroup & ",group")

' Write the computer/domain and group names as a header.
objFile.WriteLine "Group Members for: " & strCompOrDom
objFile.WriteLine "Group: " & strGroup
objFile.WriteBlankLines 1

' Loop through the membership and build a string of ADsPaths, one per line.
' A member whose account was deleted shows up as WinNT://S-1-... (an orphaned SID).
strMembers = ""
For Each objMember In objGroup.Members
	strMembers = strMembers & objMember.ADsPath & vbCrLf
Next

' Output the list
'WScript.Echo strMembers
objFile.Write strMembers
objFile.WriteBlankLines 1

objFile.Close

WSHShell.Run "notepad.exe C:\GroupMembers.txt", 1, False

Note that wherever I wrote: ' change to your default domain
you should change to your domain. For example, our domain is: mydomain (pre-Windows 2000 name; note the lack of .com. The .com might work, but it is easier to just use the above.)
Our domain is also: mydomainventure.com

Well, you get the point; our company name is where "mydomain" is.

The text output of the last script above is useful for removing old accounts from groups, because you can check the groups, and any of the form S-1-256, etc. can be copied from the text file and inserted into the RemoveUserFromGroup script above (2nd script).

As to that reg entry, I wasn't aware of that, and will look into it myself. It could be useful round here. :)

hth,

Will
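An added audit script, not from this thread or from Clements IT, that reads the same WinNT group membership from PowerShell and flags the two things discussed above: the Domain Users catch-all nested in a privileged local group, and orphaned S-1-... members left by deleted accounts. The computer and group lists are placeholder assumptions, and the running account is assumed to be an admin on each target.

```powershell
# Added example (not the thread's own script): audit local privileged groups via ADSI WinNT.
param(
    [string[]]$Computers = @('.'),                           # '.' = this machine; placeholder
    [string[]]$Groups    = @('Administrators', 'Power Users') # groups worth checking
)

# Catch-all groups that should never be nested into a privileged local group.
$CatchAll = @('Domain Users', 'Everyone', 'Authenticated Users')

function Get-LocalGroupAudit {
    param([string]$Computer, [string]$Group)
    $adsGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($adsGroup.psbase.Invoke('Members'))) {
        # Members are late-bound COM objects; read IADs properties by reflection.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $leaf  = $path.Split('/')[-1]
        $finding = ''
        if ($path -match '^WinNT://S-1-') {
            # No account resolves for this SID: a deleted user/group still in the ACL.
            $finding = 'Orphaned SID (deleted account); remove it'
        } elseif ($class -eq 'Group' -and $CatchAll -contains $leaf) {
            # Every present and future account inherits this local group's rights.
            $finding = "Catch-all group '$leaf' grants every account $Group rights"
        }
        [pscustomobject]@{
            Computer = $Computer; Group = $Group; Member = $path
            Class    = $class;    Finding = $finding
        }
    }
}

$results = foreach ($c in $Computers) {
    foreach ($g in $Groups) {
        try   { Get-LocalGroupAudit -Computer $c -Group $g }
        catch { Write-Warning "${c}\${g} -> $($_.Exception.Message)" }
    }
}

$results | Sort-Object Computer, Group | Format-Table -AutoSize

# Keep only the findings as a report to work through (path is a placeholder).
$results | Where-Object Finding |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\LocalGroupAudit.csv"
```

Members whose ADsPath begins with WinNT://S-1- can be fed straight into the RemoveUserFromGroup script above, which already accepts a SID string.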
 
Thanks for all of that info... I'll read it over a few times. Where do you specify to "run as" when software is being installed automatically, either from GPO or a login script?

Also, here is the info I found on some other forum site for stopping the PC from showing up in the browse list.

"To prevent the computer from showing up in our browse lists, we made the registry key change: HKEY LOCAL MACHINE\System\Current Control Set\Services\LanmanServer\Parameters\Hidden, dword value = 1. We also changed HKEY LOCAL MACHINE\Current Control Set\Browsers\Parameters\MaintainServerList = No. Power Users can’t undo these settings. This cuts down on network traffic (8K adds up when multiplied by thousands), keeps the browse lists manageable, and helps cut down on file-sharing. Essentially, only servers and printers should show up in Network Neighborhood, making it easier for users and administrators to access those resources."

 
The Run As is hidden for some reason. I'm sure it's some sort of obscure security specification, but anyway, to access it you select the file you want to run (exe or whatever). Then, while holding down the Shift key, right-click on the executable. In the pop-up menu "Run As..." will appear and you can select that.

Note that this doesn't work for .msi files. If you want to install msi files as a Domain Admins user, then go to Control Panel, hold the Shift key down and right-click on Add/Remove Programs. You can then Run As... an admin account the Add/Remove applet. Click on the "Add New Programs" icon on the left and then browse to the msi file. This will install the msi under an admin account.

Also note that some icons, even when you hold Shift down, don't display Run As... In most cases you can work around this by running the exe from Program Files on the C drive instead of the icon. But for Internet Explorer, for example, you can select Start -> All Programs, and then Run As... the IE icon in there. The one on your Start menu root won't Run As...

Hope that all helps.

Will
 
Sorry, I just re-read that other post... I obviously misinterpreted!

As far as I know the GPO and login scripts automatically Run As administrator, or elevated privileges, so you don't need to specify Run As.
 
We only add users to the Users group here; we found the Power Users group gave users too much access. They could still install most applications and have write access to the Program Files directory. This also means that any spyware and junk can install with or without the user's action being required; the amount of damn IE toolbars and browser helper objects we discovered running on some users' PCs was silly.
If you don't intend your users to have any access to the internet then you should be fine, but mischievous users can still install things from removable media.

Remember that power users is a subset of the administrators group not a superset of the users group.
 