GPO to add local admin rights

Before you start, I have read all the frightening information about granting domain users administrative rights to their local PCs. I am aware of the dangers, but I am also aware of their needs. What I am not aware of is how to accomplish the task at hand.

I have two different networks with Windows 2008 servers.  I am able to use the GPOs to perform all the drive mappings based on group membership.

What I am trying to figure out how to do (successfully) is to permit "Domain Users" to have administrative rights to the local machines. I have followed a couple of suggestions and they simply do not work. I then read about the dangers of modifying the Default Domain Policy (which is what I have been doing for the drive mappings) and became concerned.

So my question is this:

I need to know the proper "safe" way to create GPOs that will allow me to map drives and grant domain users local administrative access without adversely affecting my domain security.

Thanks
tcampbell_nc asked.

tigermatt commented:

You're right. Generally, you would want to avoid adding new settings to the Default Domain or Default Domain Controller Policies. The best practice would be to create new, custom Group Policy Objects in the Group Policy Management Console which you can add your own settings to (just right click where you want the policy linked, such as at the root of the domain and select the "Create and Link" option).

>> grant domain users local administrative access without adversely affecting my domain security

If you give users local Administrator access, there is immediately an unavoidable negative impact on security. Administrator is a powerful permission to give, even on a local system, since that user can essentially do *anything* they like to that machine. That would include malware installing itself which could then find permission to replicate over the network.

Best practices stipulate that you avoid giving these rights to users. If they are asking for them, is it for a legitimate reason? Have management sign off the change on the basis that they know the security ramifications, and ensure something is written into your IT AUP about it.

-Matt
0
Brian Pierce (Photographer) commented:
If you really must (and to be frank I doubt that very much), the simplest way to make users local admins is to use a restricted group and force domain users into the local administrators group - but on your own head be it.

Create a group policy that configures the security group as a Restricted Group, and under the "This group is a member of..." option, add "Administrators".

Link the GPO to the OU (or domain) that contains the computers

Run gpupdate /force to update the policy.

See http://support.microsoft.com/kb/810076
0
tcampbell_nc (Author) commented:
The Create and Link option is what I have looked at. The problem is that it does not give me the option to link to another OU such as "Computers". It links to the domain. I have read a post where that then gave the users administrative rights to the servers as well, since the server is a local machine to itself (I don't fully understand that statement, but they were talking about using restricted groups and linking the GPO to "Computers", which I have yet to figure out how to do).

As far as local administrative rights, I find it required in some environments. I am not on-site at every site every day. If a manager needs to install an upgrade to the accounting software, or an update to the anti-virus software that requires a registry change on the local station, I simply cannot be at all places at once. In today's normal office space, there are some things that users can do for themselves without having to involve IT. If it then breaks their system, then they pay the price in downtime for doing something they should not have done. I think if they had to call IT every time they needed to update or install something legitimate, they would be looking for a new IT guy.

With regards to viruses and malware, that is why we pay the big bucks for anti-virus/anti-malware software. I know that there is no one program that catches everything, but we cannot safely access the Internet, nor e-mail, without some good form of protection on the workstations and the servers. If that protection also includes monitoring network traffic (like the good programs do), then something that sneaks into a workstation and tries to infect other network resources would be generating suspicious network traffic. This would be blocked and raise the alarm.

I am protective of the network resources, but I think it can be taken a bit too far.
0
Brian Pierce (Photographer) commented:
Computers is not an OU - it's a container - you can't attach a GPO to "Computers". Either move all of the computers that you want this to apply to into an OU of their own, or apply the GPO to the domain.
0
tigermatt commented:

Linking a policy at the domain level *will* make settings on servers as well as workstations. If you move all your workstations into a new OU (created via Active Directory Users and Computers), you can then link the policy at the workstation level instead.

Your comments regarding the necessity of local administrative rights are not necessarily inaccurate, particularly for smaller firms. However, if the only reason is for installing the odd update, I would suggest you create a new account used only for this purpose and assign the administrative rights to that.

-Matt
0
tcampbell_nc (Author) commented:
I was worried about all the flak I would see regarding the local administrative rights. So let me reply that, on both of the networks involved with this question, all domain users have had local administrative rights to their own computers for some time now. This has not caused any issues regarding viruses, nor malware. There have been a few stations attacked by a user installing a "free" screensaver or some such garbage, but the infection has stayed on the local computer and not traversed the network. Now I'll get off my soap box.

One of the other reasons for this need is so User A can log in on User B's computer when User A's computer is down. This causes an ugly situation where Computer B has to create a new local user profile, including registry entries for e-mail accounts (GroupWise / Exchange), accounting software, Document Management software (Worldox) and proprietary resource management software (for a Church). Without local administrative rights, these applications cannot self-install/self-configure for User A on Computer B.

The other option is that the employee sits there doing nothing until I can get there to log in as an administrator and set the user up with a local profile on Computer B, with just enough rights to configure the software for their use.

I am definitely old-school with security, but there is a limit where too much security produces non-productivity. Thus, actually trusting the employees becomes a necessary evil. The other side of that is that educating the users can, and does, prevent most situations where threats are invited into the network. And for users that cannot seem to learn that their office computer is not on their desk to entertain them, there is always the option to show them the front door.

Sorry, I feel like I am ranting again.

So to understand my best method of accomplishing this task.....

I should go into AD Users and Computers and, at a peer level to the Computers folder, create a new folder for the computers (called ADComputers). I should move all the computers from the "Computers" folder into "ADComputers".

Next, in GPMC I should create a new GPO and move everything I have included in the Default Group Policy to this new GPO (called MyGPO). Should this policy be linked to the domain? It does not sound like that is what I want.

I am not in front of a 2008 server right now, but I seem to remember that my only option in creating a new GPO is to "Create a new GPO and Link Here" at the domain level.  So how is it that I can create a new GPO and link it to the OU I created in AD?

Thanks
0
Brian Pierce (Photographer) commented:
To create a GPO at the OU, simply right click on the OU and select "Create a new GPO and Link Here" - but note, it must be an OU, not a container.
0
tcampbell_nc (Author) commented:
OK.

Does that then bring up GPMC?  Will the resultant GPO show up in GPMC?

0
Brian Pierce (Photographer) commented:
You do this FROM GPMC: open the GPMC and right click on the OU there.
0
tcampbell_nc (Author) commented:
Please excuse me for my ignorance... Again, I come from a mostly Novell world, and have let NetWare control security in the past.

If I create an OU in AD Users and Computers, will it show up in GPMC?
0
tigermatt commented:

Yes, that's correct. GPMC displays the same OU structure as you see in Active Directory Users and Computers.

A new OU created in AD U&C will appear (after a refresh or by closing and re-opening the tool) in GPMC.

-Matt
0
Brian Pierce (Photographer) commented:
Yes, GPMC shows the OU structure as well as other containers, such as one for the GPOs themselves. The GPOs are then linked to one or more OUs.
0
tcampbell_nc (Author) commented:
OK folks.... One step forward and one step back.

I created a new AD Group called LocalAdmins and added a few of the power users to that group.

I created a new OU (DomComputers). I moved the computers from the Computers container to the new OU. I then created a new GPO linked to DomComputers.

Within the GPO, I configured Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups - Local Group - Update - Administrators (built-in) - and added <domain>\LocalAdmins to the members.

Next I removed the drive mappings from the Default Policy and placed them in this GPO:
User Configuration - Preferences - Windows Settings - Drive Maps

I configured each one as a replace with Item level targeting based on the group membership.

I forced an update of group policies.

I next booted a workstation and logged in as a user that had never logged in on that station. I have local administrative rights (Step Forward).......

.... but my drive mappings no longer work (Step Back).

If, however, I log in as a user that has logged into this workstation in the past, and has received the mapped drives from the default policy, the mapped drives are still there.

Any ideas?  
0
tigermatt commented:

The vital distinction not covered above was that policies under "Computer Configuration" apply only to Computer objects, whereas policies under the "User Configuration" container apply only to User objects.

In your tree structure, you set the Drive Map User Configuration setting in a policy which is linked to an OU containing ONLY computer objects. As such, the user settings will not apply.

There are two ways around this.

The first is to create another policy and link it to the OU containing your user accounts. Set the drive map and any other user-specific settings in that policy.

Link the policy you have already created to your OU containing user objects. This way, you only need to maintain one policy.

Use a special setting known as "loopback processing" mode. For policies linked to Computer objects, this tells the policy engine to also apply any User Configuration settings from those policies. See more here: http://technet.microsoft.com/en-us/library/cc757470(WS.10).aspx.

My personal preference would be to keep things simple by using the first option. As you complicate your deployment with settings such as loopback mode, you also significantly add to troubleshooting if something breaks.

-Matt
0

tcampbell_nc (Author) commented:
Thanks Folks.

I created two OUs (DomainCom, DomainUser) and moved the computers and users to their respective OUs. From GPMC, I created and linked a GPO to the DomainCom OU to modify computer settings (adding the LocalAdmin group to the built-in Administrators group on the workstations). I then created and linked a GPO to the DomainUsers OU that performs the drive mappings. My Default Group Policy is back to its default settings.

Thanks for your assistance in getting an old Novell engineer up to speed on the application of GPOs.  Someone should offer a class on this stuff (ha-ha).  
0
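An added audit script (not from the thread or its participants) for the failure mode worked through above: it lists every GPO linked to an OU, tells from the GPO's XML report whether it carries User and/or Computer settings, and flags user-side settings linked to an OU that holds no user objects unless loopback processing is enabled in that GPO. It assumes the RSAT GroupPolicy and ActiveDirectory modules; the OU names come from the thread and the domain DN is a placeholder.

```powershell
# Added example: check whether each GPO linked to an OU can actually apply there.
# Assumes RSAT modules are installed and the caller can read GPOs and AD objects.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GPLinkScope {
    param([Parameter(Mandatory)][string]$OU)   # e.g. 'OU=DomainCom,DC=example,DC=com'

    # Count the object types that live under this OU; these decide which half of a GPO can apply.
    $users     = @(Get-ADUser     -SearchBase $OU -SearchScope Subtree -Filter *).Count
    $computers = @(Get-ADComputer -SearchBase $OU -SearchScope Subtree -Filter *).Count

    foreach ($link in (Get-GPInheritance -Target $OU).GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId

        # The XML report shows which halves of the GPO actually contain settings.
        $xml         = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $hasUser     = $null -ne $xml.GPO.User.ExtensionData
        $hasComputer = $null -ne $xml.GPO.Computer.ExtensionData

        # Loopback processing (UserPolicyMode 1 = Merge, 2 = Replace) lets User Configuration
        # settings in a computer-linked GPO apply anyway. Missing value means loopback is off.
        $loopback = $false
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                                     -ValueName UserPolicyMode -ErrorAction Stop
            $loopback = $v.Value -in 1, 2
        } catch { }

        $issues = @()
        if ($hasUser -and $users -eq 0 -and -not $loopback) { $issues += 'User settings linked where no users reside (will not apply)' }
        if ($hasComputer -and $computers -eq 0)              { $issues += 'Computer settings linked where no computers reside (will not apply)' }
        if (-not $link.Enabled)                              { $issues += 'Link disabled' }

        [pscustomobject]@{
            OU               = $OU
            GPO              = $gpo.DisplayName
            Enforced         = $link.Enforced
            UserSettings     = $hasUser
            ComputerSettings = $hasComputer
            Loopback         = $loopback
            Issue            = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
}

# Usage: OU names as in the thread; the domain DN is a placeholder to replace.
Test-GPLinkScope -OU 'OU=DomainCom,DC=example,DC=com'
Test-GPLinkScope -OU 'OU=DomainUsers,DC=example,DC=com'
```

Run it after any GPO link change and before troubleshooting with gpresult; a drive-map GPO showing UserSettings = True on an OU reporting zero users is exactly the mismatch this thread hit.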