How to control memberships for local computer’s builtin groups

Oct 3rd, 2009

Domain Administrators sometime face a scenerio in which they have multiple workstations or member servers as part of a domain and will like to restrict/control which user should be members of any of the built-in local groups, such as Administrators, Backup Operators, Remote Desktop Users, Power Users etc. Rather than attempting to accomplish this manually, it will be much easier and faster to use an automatic approach. I will suggest two possible automatic options to get this done, either through a computer startup script or through Restricted Groups using Group Policy Objects. But I will highly recommend using the Restricted Group option, I will explain why later.

Before you start, create an OU and place in it, all the computer objects that you want this policy to apply.

Startup Script Option:

‘vbscript to run as startup script via GPO to enforce the local Administrator’s builtin group membership to only have “domainName/Administrator’ and ‘Domain Admins’ as members.
Option Explicit
Dim network, group, user
Set network = CreateObject(“WScript.Network”)
‘Specify Local group to enforce-in this case the computer/server local Administrators group
Set group = GetObject(“WinNT://” & network.ComputerName & “/Administrators, group”)
‘Loop through the Administrators group and verify that it have designated Administrator and Domain Admins
‘Delete/remove any other user that is there
For Each user In group.members
If UCase(user.name) <> “ADMINISTRATOR” And UCase(user.name) <> “DOMAIN ADMINS” Then group.remove user.adspath
End If
Next

**Copy the above script and save as .vbs file and add to your GPO computer startup Script and link it to the OU of affected computers/servers

Restricted Groups using GPO option:
***I am using Windows Server 2008 DC and a Windows 7 Workstation for the below examples. This will also work for WinXP, Windows Server 2003 as well***

1- Create an OU and move all required workstations to it. In this example I will use “WKStations” OU and added the WIN7-01 workstation. restrict1

2-Create a domain Global security group and add all the users/groups that you want to members of the Workstation/Server local Administrator Group. I created WksAdmins and added a user and a domain admins group to it.

restrict2

3-Create a new or use and existing GPO. I created the LocalGroupMembership GPO

restrict3

4- Edit the newly created GPO: Go to Computer Configuration, Policies, Windows Settings, Security Settings, Restricted Groups. Right click and add group. Enter “Administrators” Note: Administrators here refers to the Builtin\Administrators group on the local computers/servers that this gpo will apply to.

restrict4

5- In members of this group, add the Global Security group that was created earlier..”WksAdmins” in my demo. Point of warning here: Once you configure “Members of this Group” Restricted group will remove all other users/groups except the local Administrator Account from the Builtin Administrator group and then add your selec users/groups.If you intend to leave the local Administraors Group as it is but just wanted to add another users/groups to its membership, then you instead leave the “Members of this Group” blank and add the users/groups to the “this group is a memberof”

restrict5

6- Link the GPO to the OU, in my case the WKStations OU and test.

Windows 7 Workstation Before Change:

restrict8

Windows 7 Workstation after Change:

restrict9

Summary:

I will highly recommend using the Restricted Group option because:

-Does not require scripting and easy to configure

-Policy is in effect and enforce everytime GP refreshes usually about every 15-20 minutes

The Computer Startup script only enforce when machine is rebooted, thus if a user is mistakenly added to the Admin Group they will stay there until the machine is rebooted

It might slow logon time because script will have to run at boot time.

Be Sociable, Share!
Tags:
Comments are closed.