How to control membership of a local computer's built-in groups
Domain administrators sometimes face a scenario in which they have multiple workstations or member servers joined to a domain and want to restrict or control which users are members of the built-in local groups, such as Administrators, Backup Operators, Remote Desktop Users, Power Users, etc. Rather than attempting to accomplish this manually, it is much easier and faster to use an automated approach. I will suggest two automated options: a computer startup script, or Restricted Groups configured through a Group Policy Object. I highly recommend the Restricted Groups option, and I will explain why later.
Before you start, create an OU and place in it all the computer objects that you want this policy to apply to.
Startup Script Option:
' VBScript to run as a startup script via GPO. It enforces that the local built-in
' Administrators group has only "domainName\Administrator" and "Domain Admins" as members.
Option Explicit
Dim network, group, user
Set network = CreateObject("WScript.Network")
' Specify the local group to enforce - in this case the computer/server local Administrators group
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
' Loop through the Administrators group and keep only the designated Administrator and Domain Admins;
' delete/remove every other member.
For Each user In group.Members
    If UCase(user.Name) <> "ADMINISTRATOR" And UCase(user.Name) <> "DOMAIN ADMINS" Then
        group.Remove user.ADsPath
    End If
Next
**Copy the above script, save it as a .vbs file, add it to your GPO as a computer startup script, and link the GPO to the OU containing the affected computers/servers.
Restricted Groups using GPO option:
***I am using a Windows Server 2008 DC and a Windows 7 workstation for the examples below. This also works for Windows XP and Windows Server 2003.***
1- Create an OU and move all required workstations to it. In this example I use the "WKStations" OU and added the WIN7-01 workstation.
2- Create a domain global security group and add all the users/groups that you want to be members of the workstation/server local Administrators group. I created WksAdmins and added a user and the Domain Admins group to it.
3- Create a new GPO or use an existing one. I created the LocalGroupMembership GPO.
4- Edit the newly created GPO: go to Computer Configuration, Policies, Windows Settings, Security Settings, Restricted Groups. Right-click and add a group. Enter "Administrators". Note: Administrators here refers to the Builtin\Administrators group on the local computers/servers that this GPO will apply to.
5- In "Members of this group", add the global security group that was created earlier ("WksAdmins" in my demo). A point of warning here: once you configure "Members of this group", Restricted Groups will remove all other users/groups except the local Administrator account from the built-in Administrators group and then add your selected users/groups. If you intend to leave the local Administrators group as it is and only want to add other users/groups to its membership, leave "Members of this group" blank and instead add the users/groups under "This group is a member of".
6- Link the GPO to the OU (in my case the WKStations OU) and test.
Windows 7 Workstation Before Change:
Windows 7 Workstation after Change:
Summary:
I highly recommend the Restricted Groups option because:
-It does not require scripting and is easy to configure.
-The policy is enforced every time Group Policy refreshes, usually about every 15-20 minutes.
The computer startup script is only enforced when the machine is rebooted, so if a user is mistakenly added to the Administrators group they will stay there until the next reboot.
It might also slow logon time, because the script has to run at boot.
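Because the startup-script option only enforces at boot, it is useful to be able to check a machine's local Administrators group for drift between enforcement points. The following PowerShell audit is an added example and is not part of the original post or the VBScript above. It uses the same WinNT ADSI provider as the script, so it also works on the Windows 7 / Server 2008-era hosts used in the walkthrough, and it only reports differences rather than changing membership. The CONTOSO domain name and the expected-member list are constructed sample values; the WksAdmins group is the one created in the walkthrough.

```powershell
# Added example (not from the original post): audit a computer's local
# Administrators group against an expected membership list and report drift.
# Uses the WinNT ADSI provider, like the VBScript startup script, so it runs
# on older hosts that lack Get-LocalGroupMember.

function Get-LocalGroupDrift {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName = 'Administrators',
        # Expected members written as "DOMAIN/Name" for domain accounts/groups
        # or "COMPUTER/Name" for local accounts (assumption: this notation is
        # chosen for the example; it mirrors the tail of a WinNT ADsPath).
        [Parameter(Mandatory)][string[]]$Expected
    )

    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"

    # Each member is a COM object; read its ADsPath via reflection and keep the
    # last two path segments so that a local account on a domain-joined machine
    # (WinNT://DOMAIN/COMPUTER/Administrator) and a domain group
    # (WinNT://DOMAIN/Domain Admins) both reduce to "container/name".
    $members = @($group.Invoke('Members')) | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { $parts[-2..-1] -join '/' } else { $parts[-1] }
    }

    # Case-insensitive comparison: Windows account names are not case-sensitive.
    $expectedSet = @($Expected | ForEach-Object { $_.ToUpperInvariant() })
    $actualSet   = @($members  | ForEach-Object { $_.ToUpperInvariant() })

    [pscustomobject]@{
        ComputerName = $ComputerName
        Group        = $GroupName
        Unexpected   = @($members  | Where-Object { $expectedSet -notcontains $_.ToUpperInvariant() })
        Missing      = @($Expected | Where-Object { $actualSet   -notcontains $_.ToUpperInvariant() })
    }
}

# Constructed sample: expected membership for a workstation joined to the
# hypothetical CONTOSO domain. The local Administrator and Domain Admins stay,
# plus the WksAdmins global group from the walkthrough.
$expected = @(
    "$env:COMPUTERNAME/Administrator",
    'CONTOSO/Domain Admins',
    'CONTOSO/WksAdmins'
)

$result = Get-LocalGroupDrift -Expected $expected
if ($result.Unexpected.Count -gt 0 -or $result.Missing.Count -gt 0) {
    Write-Warning "Membership drift on $($result.ComputerName)\$($result.Group)"
    $result | Format-List
} else {
    Write-Host "Local $($result.Group) group matches the expected membership."
}
```

Run it from an elevated PowerShell session on the workstation, or pass -ComputerName to query a remote host where the WinNT provider is reachable. The Unexpected list is the set of accounts that a Restricted Groups refresh would remove; the Missing list shows expected members that are absent, which usually means the GPO has not applied yet.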
Performing an authoritative restore for Active Directory deleted objects or containers
Just thought I should list the step-by-step process for performing an authoritative restore in Active Directory for Windows Server 2003. But first, a brief summary of the difference between an authoritative and a non-authoritative restore.
A non-authoritative restore is used after hardware failures or other software issues that result in the complete restoration of the directory service from backup.
An authoritative restore is used when a change or deletion of an object is made in Active Directory and the action/change has to be reversed. An example is a user mistakenly deleting an OU or a user object and then deciding to reverse the action by restoring the OU or user object that was deleted.
Steps for performing an authoritative restore. In this scenario, I deleted an OU and a user and then restored both through the authoritative restore process. Read more…
How to remove child domain and other naming context from forest root domain
In a previous post I outlined some guidelines on how to remove a demoted domain controller from a domain using ntdsutil.exe. In this post, I will give guidance on removing a naming context, be it a child domain or a DNS zone, from Active Directory using ntdsutil.exe.
First, make sure that no domain controller or replica objects exist in your forest for the domain in question. If they do, use the previous steps [link here] to remove the objects before proceeding to delete the domain from the forest. Read more…
Remove a demoted or failed DC from Active Directory using Ntdsutil.exe
If you have ever been in a situation where your domain controller crashed or failed and there is no way you intend to bring it back to production, then you must remove the failed domain controller's objects from Active Directory. In the regular procedure, to remove a domain controller from a domain you run dcpromo to demote it, but in this case the domain controller is gone, so you have to use the ntdsutil tool to remove the objects from Active Directory. You will also need ntdsutil to remove a domain controller from a domain when you tried to demote it with dcpromo, it failed, and you then used dcpromo /forceremoval. The force removal process does not completely clean up the DC objects, so you will need ntdsutil to complete the process. Read more…
Access-based Enumeration (ABE) and DFS: How to hide folders from unauthorized users
Access-based enumeration (ABE) allows users to view/list only the files and folders that they have access to. This feature hides other files and folders from prying eyes. It was introduced with Windows Server 2003 and is not enabled by default. I have put together some detailed instructions on how to configure ABE. Read more…