Solved

Restricting adding of local Users/Groups to Domain Admins

Posted on 2006-07-22
Medium Priority
420 Views
Last Modified: 2010-04-18
Due to some uniqueness of my environment, I need to give domain users local Administrative access to some machines.  However, one of the no-nos for these local Administrators is to create local accounts, but they often do anyway.  How can I restrict the creating of local accounts to Domain Admins only?

Environment: W2K3 Standard Servers, Windows XP-Pro clients
Question by:jchauncey60
6 Comments
 
LVL 1

Expert Comment

by:rimba_
ID: 17161403
hello,
what you can do is block the execution of mshta.exe (you can do this in the domain policies)

and to prevent the admins from running it from Run or the command line using "control userpasswords2", block Run and the command line on all the machines (this can be done in the domain policies as well)
0
 

Author Comment

by:jchauncey60
ID: 17161524
Thank you for your suggestion, however it did not seem to work.  I created a "test" account and added them to the local Administration group and was still able to add a new user and place that user into the local Administrator's group.

Just in case I misunderstood something, I am adding users from My Computer->Manage->Local Users and Groups.

Again, thanks for feedback.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17161743
the minute you add a user to the admin local group...they have these permissions

you can counter that with group policy to a point
Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Computer Management
0

 
LVL 51

Expert Comment

by:Netman66
ID: 17161845
Very simply, create Restricted Groups for each local Group on the PC.  Enforce the membership of this group (use the Members section).

Now when a new local user is created, the account wants to belong to the Users local group - however, if you enforce this to contain only Domain Users then account creation should fail since the user cannot belong to any local groups (as defined in your GPO).

So you need to create Restricted Groups for:

  • Administrators - contain Domain Admins, the local Administrator and a new Security Group from the domain that contains the users that need Admin rights.
  • Power Users - no members.
  • etc., etc.

Make sure to include the default members in these Groups since this policy will remove anything not explicitly defined in your policy.

0
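Before enforcing Restricted Groups on a workstation OU it helps to see what the policy would actually remove. The script below is an added example and not code from this thread or from Experts Exchange; it audits the local groups on one machine against the intended membership described above and reports drift. It assumes the LocalAccounts cmdlets (Get-LocalGroup, Get-LocalGroupMember, Get-LocalUser, available on Windows 10 / Server 2016 and later), and CONTOSO and "Workstation Admins" are placeholders for your own domain and the domain security group that holds the users who need Admin rights.

```powershell
# Added example (not from the thread): audit local group membership against the
# membership a Restricted Groups policy would enforce, and report what would change.
# Assumes the LocalAccounts module. CONTOSO and 'Workstation Admins' are placeholders.

$Domain = 'CONTOSO'   # placeholder: NetBIOS name of your domain

# Intended membership per local group. List every member you want to keep,
# because Restricted Groups removes anything that is not explicitly defined.
$Policy = @{
    'Administrators' = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local Administrator
        "$Domain\Domain Admins",
        "$Domain\Workstation Admins"         # placeholder domain security group
    )
    'Power Users'    = @()                   # no members at all
    'Users'          = @(                    # default members on a domain-joined machine
        'NT AUTHORITY\INTERACTIVE',
        'NT AUTHORITY\Authenticated Users',
        "$Domain\Domain Users"
    )
}

function Get-LocalGroupDrift {
    param([hashtable]$ExpectedMembership)
    foreach ($group in $ExpectedMembership.Keys) {
        $expected = $ExpectedMembership[$group]
        # Name comes back as COMPUTER\user, DOMAIN\user or NT AUTHORITY\...
        $actual = @(Get-LocalGroupMember -Group $group -ErrorAction Stop |
                    Select-Object -ExpandProperty Name)
        foreach ($m in $actual) {
            if ($expected -notcontains $m) {
                [pscustomobject]@{ Group = $group; Member = $m; Status = 'UNEXPECTED - policy would remove' }
            }
        }
        foreach ($m in $expected) {
            if ($actual -notcontains $m) {
                [pscustomobject]@{ Group = $group; Member = $m; Status = 'MISSING - policy would add' }
            }
        }
    }
}

# Local accounts that belong to no local group are the ones the enforced
# membership strands: they exist but cannot log on usefully. List them too.
function Get-OrphanLocalUsers {
    $members = foreach ($g in Get-LocalGroup) {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name
    }
    Get-LocalUser | Where-Object { $members -notcontains "$env:COMPUTERNAME\$($_.Name)" }
}

Get-LocalGroupDrift -ExpectedMembership $Policy | Format-Table -AutoSize
Get-OrphanLocalUsers | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize
```

Run it as a local administrator on a representative workstation before linking the GPO: every row marked UNEXPECTED is an account or group the policy will strip from that local group, which is exactly where accounts created by well-meaning local admins show up. Get-LocalGroupMember can fail on a group that still references a deleted account's SID, so resolve or remove those stale entries first if the drift function stops with an error.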
 
LVL 51

Accepted Solution

by:Netman66 (earned 750 total points)
ID: 17161847
Oh, make sure you apply this to an OU where only the workstations live - you do not want this to apply to your servers.

0
 
LVL 1

Expert Comment

by:rimba_
ID: 17162792
try this:
go to windows/system32, there look for mshta.exe, right click and select properties, there deny everything to everybody and try to add a user again. If this works, check the policy in the domain controller, maybe you're not restricting the access to this .exe correctly (you need to put the full path to it)
0
