DSS01
How to apply a GPO to the Domain Admins group?

Our users operate in a Terminal Server environment and use SAP finance applications. Following a recent server migration of SAP, there are certain users who cannot run it. The onsite SAP administrator found out the only way they could run it was if he put them in the Domain Admins group. However, Domain Admins gives them access to shut down the Terminal Server, so the administrator needs us to remove this option for them. My question is how do we do this? I am unsure if applying a GPO containing the "Remove access to the Shut Down command" to the Domain Admins group will overrule their inherent admin rights? Is this so, and if not, what is the best process to follow to remove their access to the shutdown option?
Joseph Moody

Applying that policy would override their admin status. Your best bet is not to put anybody but a select few people in the Domain Admins group, and even then, those few domain admins should be running as a limited user for the majority of the time.

Here are some options you can do listed in what I believe to be the best order:

1. Use a tool like SystemMonitor (FileMon or Regmon by SysInternals) to log everything the SAP finance applications are touching. These tools, once set up, will show you where you get an access denied or need more permissions. This may take a while to use but it is certainly worth it.

2. Use the deny shutdown GPO and scope the permissions down to only apply to Domain Admins and only on the select machines you are worried about.

3. Simply deny a group (I am assuming the domain admins group) the execute permission to shutdown.exe on all of the machines in question.
No it will not.  There is a policy setting called Group Policy loopback processing.  
  1. You can create an additional GPO that restricts the users from shutting down the server.  
  2. Then you also would set the loopback policy processing to merge with the existing policy.
  3. Lastly make sure that you apply the proper security as to who this policy should apply to.
DSS01

ASKER

In the GPMC we have it set up at the moment with the "Default Domain Policy" and a "Terminal Services User Policy". The Terminal Services policy has the "remove access to the shutdown command" enabled for normal users so they cannot shut down the Terminal Server; however, since these troublesome SAP users are now in the Domain Admins group this does not apply to them anymore and they CAN shut down the Terminal Server.

Should I add the Domain Admins in to the Terminal Services User Policy? If so, what is the best way to do this?
Why exactly do they need domain admin rights? What resources are they required to use?
Configuring these users as Domain Admins grants them total access to your Active Directory database, including full administrative rights on all domain controllers, member servers and workstations.

They don't need Domain Admin rights. Full stop. Use tools like Process Monitor (free download from MS) to determine what rights they actually -do- need, and delegate only those rights and no others - in all likelihood they only need Full Control to certain folders and Registry keys that are relevant to the application they are trying to run.

Out of curiosity, you're not running Terminal Services on your domain controller, are you?  If so, find other hardware to run TS on; TS should not be run on a DC under any circumstances.
I don't think you should apply the users GPO to them.  I know that sometimes some apps just need the users to have administrator privileges to run (such as Intuit QuickBooks).

I think that you should give them local admin rights on the Terminal Server and set up a merge GPO loopback processing.  Doing this will not give them domain admin rights, just local server rights.

ASKER

No we have a DC and a separate Terminal Server.

Basically the SAP database was migrated to a new Apps Server by their in-house SAP administrator, as we do not support their SAP application. After this migration there were a certain few users who could not run SAP. We think it could be an error with the new SAP install and/or SAP user permissions, but as we don't support it we can't be definite on that, and the SAP administrator is very reluctant to admit, or investigate, that anything could be wrong with his install.

The SAP administrator was under pressure to get these users back online with SAP after three days downtime, so under this pressure he placed them in the Domain Admins group and this gave them rights to run SAP. This worked, however it also gave them access to the "shutdown" option on the start menu.

He now wants us to keep them in the Domain Admins group (and thus running on SAP) but remove their ability to shutdown the Terminal Server. What is the best way to do this?
Have you taken a look at my GPO suggestion for Group Policy loopback processing?  I use this on my terminal servers for a group that needs to have local admin rights.
> "He now wants us to keep them in the Domain Admins group"

I wouldn't allow this if you paid me.  Domain Admins needs to be restricted to IT administrators only.  Make the users in question local administrators on the SAP server in question, take them out of Domain Admins.
If this is what he/she wants, we can only advise him/her not to do it.  The onus is then on him/her to make this decision.
Putting them in the Domain Admins group is a mistake for sure. At most you would grant admin access to the server hosting the SAP application, which is more than enough. Not the "Domain Admins". Doing so, you could be putting the Domain Admins' jobs at risk. It is the SAP Admin's responsibility to figure out what right is needed. It is also the Domain Admins' responsibility to prevent any other Admins being added to the Domain Admins except Domain Admins. So, again, in my experience, we have many Admins (SAP, Notes, Web, Cognos, SQL, Oracle, etc.) and none of them were ever given Domain Admins rights!

Even if you create a GPO to prevent them from shutting down the server, what's the point? They are domain admins and can revert your GPO. Security-wise it's meaningless!

So, I strongly suggest you push back the Domain Admins rights... if I ever find out any of my Domain Admins ever granted Domain Admins rights to non Domain Admins, I'll take out his Domain Admins privilege forever!
This is what I have suggested about six posts ago.  As mentioned, we can only advise the author of this post.  If he/she refuses to heed our warnings they will have to suffer the consequences if and when it does happen.
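The membership control argued for above, as an added example that is not from this thread or from any of its posters: it compares the current Domain Admins membership (nested groups resolved) with an approved list and pulls the Security log events that record who added a member. The approved account names, the seven-day window and the domain are constructed placeholders; it assumes RSAT (ActiveDirectory module) and that the event query runs on, or is pointed at, a domain controller.

```powershell
# Added example (not from the thread): detect Domain Admins members outside an approved
# list and show who added them. Approved names below are constructed placeholders.
Import-Module ActiveDirectory

$approved = @('Administrator', 'ad.alice', 'ad.bob')   # placeholder allowlist of IT admin accounts

# -Recursive resolves nested groups, so a user tucked inside a nested group is still caught.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$unexpected = $members | Where-Object { $approved -notcontains $_.SamAccountName }

if ($unexpected) {
    Write-Warning ('Domain Admins members outside the approved list: ' +
        (($unexpected | ForEach-Object { $_.SamAccountName }) -join ', '))
} else {
    Write-Output 'Domain Admins membership matches the approved list.'
}

# Who added them? Event ID 4728 = "A member was added to a security-enabled global group"
# (Domain Admins is a global group). Properties[2] is the target group name,
# Properties[0] the member added, Properties[6] the account that performed the change.
$since = (Get-Date).AddDays(-7)   # constructed look-back window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -eq 'Domain Admins' } |
    Select-Object TimeCreated,
        @{ n = 'Member'; e = { $_.Properties[0].Value } },
        @{ n = 'AddedBy'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Run it on a schedule (or feed the 4728 events to your SIEM) so an out-of-process addition like the one described in this thread is noticed the same day rather than when someone finds the Shut Down option.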

ASKER

> "nappy_d:Have you taken a look at my GPO suggestion for Group Policy loopback processing?  I use this on my terminal servers for a group that needs to have local admin rights."

I have been looking at your suggestion, but I am not familiar with loopback processing; I have been looking at many forums but I am struggling to make sense of it.

We have three servers:
1) DC
2) SAP Server
3) Terminal Server

Based on your suggestions would I need to make the Users local admins on the SAP server, or the Terminal Server in order to apply this loopback GPO?
Group policy processing gives you two options when enabled: 1) take two group policies, merge them and apply them both to a computer or user (groups), or 2) make one policy override another.

So what I suggest you do is to create a second group policy for the users that need local admin privileges (like my screenshot)

  1. Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups
  2. Right click, select Add Group.
  3. Now you will enter the name of the group - in our case you will select Administrators (note this is not just a description, it is the real name of that group).
  4. In Members of this group select add, select who you want to include (Domain\Domain Group)
Picture-54.png
Hey DSS01,

Loopback policy processing, when used rarely, has some awesome benefits. Basically it works like this:

1. You create a GPO that applies to users.
2. You link the GPO to an OU that has computers in it but not the users you wish to apply it to.
3. When the computer starts up, it will apply any computer GPOs and then User GPOs, and then loopback to process the user specific parts of the computer GPO again.

Does that make sense?
Here is the M$ explanation.  Hope it helps http://support.microsoft.com/kb/231287
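The loopback GPO described in the posts above, as an added example that is not from this thread or its posters: it creates the GPO, turns on loopback in Merge mode, adds the "Remove and prevent access to the Shut Down command" user setting, scopes it by security filtering to one group, and links it to the OU that holds the Terminal Server computer object (not the users' OU). The GPO name, OU distinguished name and group name are constructed placeholders; it assumes RSAT (GroupPolicy module) and an account allowed to create and link GPOs, and, as the thread points out, the filtered group should be the local-admin group on the TS rather than Domain Admins, who could simply undo the policy.

```powershell
# Added example (not from the thread): build and scope a loopback-merge GPO that hides
# the Shut Down command for one group on the Terminal Server OU. Names are placeholders.
Import-Module GroupPolicy

$gpoName = 'TS Loopback - No Shutdown'                 # constructed GPO name
$tsOu    = 'OU=Terminal Servers,DC=corp,DC=example'    # placeholder OU DN holding the TS computer
$group   = 'SAP-TS-Users'                               # placeholder group to restrict (not Domain Admins)

# 1. The "additional GPO" from the loopback steps.
New-GPO -Name $gpoName -Comment 'Loopback merge: hide Shut Down for SAP users on TS' | Out-Null

# 2. Computer side: "Configure user Group Policy loopback processing mode"
#    (UserPolicyMode 1 = Merge, 2 = Replace). Merge keeps the users' own GPOs and adds this one.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. User side: "Remove and prevent access to the Shut Down command" (Explorer NoClose = 1).
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 4. Security filtering: drop Apply from Authenticated Users (Read is kept so the computer
#    account can still read the GPO), then grant Apply only to the target group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Link to the OU containing the Terminal Server computer object, not the users.
New-GPLink -Name $gpoName -Target $tsOu -LinkEnabled Yes | Out-Null

# Checks: only the target group should hold Apply, and the link should sit on the TS OU.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
Get-GPInheritance -Target $tsOu | Select-Object -ExpandProperty GpoLinks
```

After `gpupdate /force` on the Terminal Server, `gpresult /r /scope:user` run in a session of a member of the filtered group should list the GPO as applied, while a user outside that group should not see it.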
ASKER CERTIFIED SOLUTION
DSS01