As a sysadmin I need access to all computers.

Posted on 2005-04-24
Medium Priority
Last Modified: 2013-12-04
I maintain a small Active Directory OU of some 500 to 600 machines. Most of these machines stay in place for about a year. The problem starts when new machines come in and are added to my OU. They come from many different locations and thus have been built by a variety of different people with a wide variety of different ideas on who should and should not have access to the local box. (Sorry for the long sentence, but...) I must have the ability to monitor and modify these machines in order to ensure that we have the highest level of security, updates, patches, and no, and I do mean NO, unauthorized software and other stuff. (Tough job, but someone...)
I am not a PC tech. I need a resource that can help me understand what some of these other guys have done to block me from getting to, say, Local Users and Groups, or to deny "Remote Desktop Connection", or to deny Symantec the ability to auto-update. You get the picture. Can anyone help me get started on this? I would like an answer that involves the use of AD GPOs; then, when they go away, they can have their machine back.
I have been all through the local Group Policies and cannot find anything that looks suspect.
Thanks, Rick
Question by:farmer9000
Accepted Solution

Rich Rumble earned 2000 total points
ID: 13854127
Is your account, or do you have an account, in the Domain Administrators group? If you do, by default you're in the local Administrators group of the computers in your AD.

Also, since you're a system admin, why are you being locked out of machines or hindered? Surely you can talk to your manager, or other managers, and see what justification there is for this behaviour/action of keeping you out.

There are 3 million and 2 ways they can keep you out, but the main ones are:
1) Firewalls
2) Permissions: NTFS as well as user/group restrictions and exclusions (your account is not in the local Administrators group, or the group you belong to is not listed in the Administrators group)
3) Turning off services; even route poisoning can be used to create an asymmetric route

You need standards, badly from the sound of it... here are some great policy examples and standards that I recommend you try to implement: http://www.sans.org/resources/policies/

The other problem of standardization you're faced with is the different hardware and software being introduced to your LAN. In the companies I've worked for and consulted for, the first thing to standardize is the hardware. Once that is done, the rest is pretty easy. Using Norton Ghost, you can create a standard image, and you can then apply that image to the PCs on your LAN, making them all identical in software. With XP you can have an image that will work on machines with SIMILAR hardware, but they can't be from a different manufacturer or have a different chipset on the motherboard. XP, again, will work with different models from the same manufacturer for the most part, but Win2K's plug-and-play support isn't as good as XP's.
Even if you have 4-5 different PC types (servers, laptops, PCs), you only need one image for each type, and they will still be standardized when you create them.

Once you have these tackled, you need to lock down the PCs to maintain the standards: users should not be in the local Administrators groups of their PCs, so that they cannot install software or make changes that deviate from the standards. You can also use GPs to enforce these lockdowns.

Author Comment

ID: 13854434
Thanks, in a perfect world, or even a near-perfect world, I totally agree. But the Army is not a perfect world. I have a GPO that adds the Domain Admin account to the local Administrators group on all the machines that are on the network, but I am still restricted on some of them. I am sure it is local policies that are preventing my access. I cannot do any of the other items because of the different manufacturers and ages of the machines and the wide variety of 3rd-party software; re-imaging is out, as too many different drivers and too much 3rd-party support would be required. The only saving grace is that all machines have to be Windows XP Pro. (OK, maybe a couple of Win2K.)
I was hoping someone would come up with a script that would reset all the local policies to a default setting with minimum security. I have enough network security not to be concerned about local settings.
Expert Comment

by:Rich Rumble
ID: 13855430
GPs take precedence over local policies: http://www.securitydocs.com/library/3198/2
First, the local GPO applies. Although this GPO resides directly on the computer that it will configure, it has the least priority when compared with the other AD GPOs.

You may need to make a GPO that re-adds the domain admin's to the local admin group of the machines I suppose.
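Added example, not part of the original thread: a PowerShell audit that runs from a domain-joined admin workstation and, for every computer in the OU, checks the first two of the three blocking mechanisms listed in the accepted answer (a host firewall closing SMB/RPC and RDP, and Domain Admins missing from the local Administrators group). It deliberately uses only the ADSI WinNT/LDAP providers and a raw TCP connect, which XP and Windows 2000 hosts answer without any agent on the target. The OU distinguished name and NetBIOS domain name are placeholders you must edit.

```powershell
# Added example, not code from the original thread or its authors.
# Run as a member of Domain Admins on a domain-joined workstation.
# The OU DN and NetBIOS domain below are assumptions; replace them.

$OuDn          = 'OU=Workstations,DC=example,DC=com'   # assumed OU distinguished name
$DomainNetbios = 'EXAMPLE'                              # assumed NetBIOS domain name
$AdminGroup    = 'Domain Admins'

# Enumerate computer objects in the OU with the built-in ADSI searcher (no RSAT module needed).
function Get-OuComputers {
    param([string]$SearchBase)
    $searcher = [adsisearcher]'(objectCategory=computer)'
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.Add('dNSHostName') | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] }
}

# Plain TCP connect with a timeout. A closed 445 (SMB/RPC) or 3389 (RDP) on a
# machine that is powered on usually means a host firewall is in the way.
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Read the local Administrators group over the WinNT provider (works against XP/2000).
# Member paths come back as WinNT://DOMAIN/Name; the prefix is stripped for comparison.
function Get-LocalAdmins {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

$report = foreach ($computer in Get-OuComputers -SearchBase $OuDn) {
    $smb = Test-TcpPort -Computer $computer -Port 445
    $rdp = Test-TcpPort -Computer $computer -Port 3389
    $hasDomainAdmins = $null            # unknown until SMB/RPC is reachable
    if ($smb) {
        try {
            $members = Get-LocalAdmins -Computer $computer
            $hasDomainAdmins = [bool]($members -contains "$DomainNetbios/$AdminGroup")
        } catch {
            # Access denied here means the box is reachable but your token is not an admin on it.
            $hasDomainAdmins = "denied: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Computer                  = $computer
        Smb445Open                = $smb
        Rdp3389Open               = $rdp
        DomainAdminsInLocalAdmins = $hasDomainAdmins
    }
}

# Triage list: unreachable machines, or reachable ones that lock the domain admin out.
$report | Where-Object { -not $_.Smb445Open -or $_.DomainAdminsInLocalAdmins -ne $true } |
    Format-Table -AutoSize
```

For the machines the report flags, the durable fix is the one the answer above describes, a GPO linked to the OU using Computer Configuration > Windows Settings > Security Settings > Restricted Groups to place Domain Admins into the local Administrators group; because domain GPOs are applied after the local GPO, whatever a local builder configured is overwritten at the next refresh (`gpupdate /force` on the box, then `gpresult /scope computer /v` to confirm which GPO won). If you still want the local reset the asker mentioned, Microsoft's documented command for XP is `secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose` (`%windir%\inf\defltbase.inf` on Vista and later); it must run locally as an administrator, so it only helps once you already have a way onto the machine, and any domain GPO will reapply on top of it anyway.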

