As a sys admin I need access to all computers.

Posted on 2005-04-24
Last Modified: 2013-12-04
I maintain a small Active Directory OU of some 500 to 600 machines. Most of these machines stay in place for about a year. The problem starts when new machines come in and are added to my OU. They come from many different locations and thus have been built by a variety of different people with a wide variety of different ideas on who should and should not have access to the local box. (Sorry for the long sentence, but...) I must have the ability to monitor and modify these machines in order to ensure that we have the highest level of security; updates; patches; and no, and I do mean NO!, unauthorized software and other stuff. (Tuff job, but someone...)
I am not a PC tech. I need a resource that can help me understand what some of these other guys have done to block me from getting to, say, local users and groups; or deny "Remote Desktop Connection" or deny "Symantec to unto update". You get the picture. Can anyone help me get started on this? I would like an answer that involves the use of AD GPOs; then when they go away, they can have their machine back.
I have been all through the local Group Policies and can not find anything that looks suspect.
Thanks, Rick
Question by: farmer9000

    Accepted Solution

    Is your account, or do you have an account, in the Domain Administrators group? If you do, by default you're in the local admin group of the computers in your AD.

    Also, since you're a system admin, then why are you being locked out of machines or hindered? Surely you can talk to your manager, or other managers, and see what justification there is for this behaviour/action of keeping you out.

    There are 3 million and 2 ways they can keep you out, but the main ones are:
    1) Firewalls
    2) Permissions: NTFS as well as User Group restrictions/exclusions (your account not in the local admin group, or the group you belong to is not listed in the admins group)
    3) Turning off services; even route poisoning can be used to create an asymmetric route

    You need standards, badly from the sound of it... here are some great policy examples and standards that I recommend you try to implement:

    The other problem of standardization you're faced with is the different hardware and software being introduced to your LAN. In the companies I've worked for and consulted for, the first thing to standardize is the hardware. Once that is done, the rest is pretty easy. Using Norton Ghost, you can create a standard image, and you can then apply that image to the PCs on your LAN, making them all identical in software. With XP you can have an image that will work on machines with SIMILAR hardware, but they can't be from a different manufacturer or have a different chipset on the motherboard. XP again will work with different models from the same manufacturer for the most part, but Win2K's plug-n-play support isn't as good as XP's.
    Even if you have 4-5 different PC types (servers, laptops, PCs), you only need one image for each type, and they will still be standardized when you create them.

    Once you have these tackled, you need to lock down the PCs to maintain the standards: users should not be in the local admin groups of their PCs; that way they cannot install software or make changes that deviate from the standards. You can also use GPs to enforce these lockdowns.

    Author Comment

    Thanks, in a perfect world or even a near perfect world I totally agree. But the Army is not a perfect world. I have a GPO that adds the Domain Admin account to the local administrator on all the machines that are on the network, but I am still restricted on some of them. I am sure it is local policies that are preventing me access. I can not do any of the other items because of different MFGs and age of machines, wide variety of 3rd party software; re-image is out, too, too many different drivers needed and 3rd party support required. The only saving grace is that all machines have to be Windows XP Pro. (OK, maybe a couple of Win2K.)
    I was hoping someone would come up with a script that would reset all the local policies to a default setting with minimum security. I have enough network security to not be concerned about local settings.
    Expert Comment

    by: Rich Rumble
    GPs take precedence over local policies:
    First, the local GPO applies. Although this GPO resides directly on the computer that it will configure, it has the least priority when compared with the other AD GPOs.

    You may need to make a GPO that re-adds the domain admins to the local admin group of the machines, I suppose.
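    Before (and after) pushing such a GPO, it helps to know which machines in the OU actually lack the domain admin group in their local Administrators group and which cannot even be reached. The audit below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, PowerShell Remoting enabled on the targets, and placeholder OU and group names.

```powershell
# Added example: report OU computers whose local Administrators group is
# missing the domain admin group, and computers that could not be audited.
# Assumptions: RSAT ActiveDirectory module, PowerShell Remoting on targets
# (Get-LocalGroupMember needs PowerShell 5.1+), placeholder names below.
param(
    [string]$SearchBase     = 'OU=Workstations,DC=example,DC=local',  # placeholder OU
    [string]$RequiredMember = 'EXAMPLE\Domain Admins'                 # placeholder group
)
Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty Name

$report = foreach ($pc in $computers) {
    try {
        $members = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        [pscustomobject]@{
            Computer  = $pc
            Reachable = $true
            HasAdmins = [bool]($members -contains $RequiredMember)   # case-insensitive
            Members   = ($members -join '; ')
        }
    }
    catch {
        # Unreachable hosts (firewall, WinRM off, services disabled) are the
        # "firewalls / turned-off services" cases above; list them separately.
        [pscustomobject]@{
            Computer  = $pc
            Reachable = $false
            HasAdmins = $false
            Members   = $_.Exception.Message
        }
    }
}

# Reachable machines where the GPO has not (yet) taken effect.
$report | Where-Object { $_.Reachable -and -not $_.HasAdmins } | Format-Table -AutoSize
# Machines that could not be audited at all; these need a local look.
$report | Where-Object { -not $_.Reachable } | Format-Table Computer, Members -AutoSize
$report | Export-Csv -Path .\local-admin-audit.csv -NoTypeInformation
```

    Run it again after the GPO has refreshed; any machine that stays in the first list is where a local policy or firewall is still winning.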