Giving local admin permissions rather than domain admin rights

I was just hired on as a contractor at this company (it's a contract-to-hire). They have approx. 300 servers in the environment, virtual and physical. There is a mix of Windows Server 2003 and 2008, all in Standard, Enterprise, and R2 of each.

Currently they only have domain admin rights for the systems admins. They would like to be able to give me (and future contractors) local admin rights on about 200 of the servers, the other 100 are regulated and thus they do not give contractors access to those servers.

The question is this: How can they provide me local admin rights on the 200 selected servers without giving domain admin rights and without having to give local admin rights to each individual server one at a time?
ajhoy26 asked:

Mike Kline commented:
Yeah, one by one would suck. You can use Restricted Groups.

Florian has a great blog entry on it here

http://www.frickelsoft.net/blog/?p=13

As you can see:

"Member Of" adds a group, "Members" replaces it. (Florian explains it all.)

Thanks

Mike
chapmanjw commented:
On each of the servers, you can add a Domain Group to the local administrators group of the local machine.  You could then just add all the contractors to that domain group.
FDiskWizard commented:
You need a nifty script... I've seen them in the past... Ah, there was one post here a while back:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24565963.html
Change the group name, and create the .txt file....


Option Explicit

Const ForReading = 1

Dim oFS, oNet, oTextFile, oDomainGroup, oLocalGroup
Dim sDomain, sDomainGroup, sLocalGroup, sComputer

Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")

sDomain = oNet.UserDomain
sDomainGroup = "DOMAIN GROUP HERE"    ' domain group that should become a local admin on each server
sLocalGroup = "Administrators"

' Bind to the domain group once; it is the same for every server in the list.
Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")

' C:\servers.txt holds one server name per line.
Set oTextFile = oFS.OpenTextFile("C:\servers.txt", ForReading)

Do While oTextFile.AtEndOfStream <> True
    sComputer = Trim(oTextFile.ReadLine)
    If sComputer <> "" Then
        On Error Resume Next
        Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
        If Err.Number <> 0 Then
            ' Unreachable server, no rights, or a typo in the list: report and keep going.
            WScript.Echo sComputer & ": cannot bind to " & sLocalGroup & " (" & Err.Description & ")"
            Err.Clear
        Else
            oLocalGroup.Add oDomainGroup.AdsPath
            If Err.Number = 0 Then
                WScript.Echo sComputer & ": added " & sDomainGroup & " to " & sLocalGroup
            Else
                ' Typically "already a member" or a permissions error.
                WScript.Echo sComputer & ": " & Err.Description
                Err.Clear
            End If
        End If
        On Error GoTo 0
    End If
Loop

oTextFile.Close
 

Mike Kline commented:
Why would you use a script instead of restricted groups?
Thanks
 
Mike
Rant32 commented:
Restricted groups override any manual configuration of the local Administrators groups, if present.

Using Restricted Groups is certainly the least effort to implement via Group Policy, but you should do a thorough check on existing Administrators groups on the servers to make sure nothing breaks if members have been added manually, for example service accounts.
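The check Rant32 recommends can be scripted. The following is an added example, not code from anyone in this thread: it reads the same one-server-per-line C:\servers.txt used by the VBScript above, enumerates the current members of each server's local Administrators group over the ADSI WinNT provider (which works against 2003 and 2008 without PowerShell remoting), and reports which members a Restricted Groups "Members" policy would strip because they are not on the intended list; a "Member Of" policy would leave them alone. The domain name CONTOSO, the group name Contractors and the intended-member list are placeholders, and the script assumes the account running it already has admin rights on the target servers.

```powershell
# Added example (not from the thread): audit local Administrators membership before a
# Restricted Groups "Members" policy replaces it. Assumes C:\servers.txt lists one host per
# line and that the caller is already an administrator on each target.
param(
    [string]$ServerList = 'C:\servers.txt',
    # Placeholder list of what the GPO will enforce; local accounts are given as bare names.
    [string[]]$IntendedMembers = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Contractors')
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    # Bind to the remote machine's local Administrators group via the WinNT provider.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Each member is a COM object; pull its ADsPath, e.g. WinNT://CONTOSO/svc_backup
        # for a domain principal or WinNT://SERVER01/Administrator for a local account.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $entry = ($path -replace '^WinNT://', '') -replace '/', '\'
        # Report local accounts as bare names so the intended list need not know the host.
        $entry -replace ('^' + [regex]::Escape($Computer) + '\\'), ''
    }
}

$report = foreach ($line in Get-Content $ServerList | Where-Object { $_.Trim() }) {
    $server = $line.Trim()
    try {
        $current = @(Get-LocalAdminMembers -Computer $server)
    } catch {
        # Offline host, firewall, or no rights: record the failure and continue.
        Write-Warning "$server : $($_.Exception.Message)"
        continue
    }
    # "Members" (replace) semantics remove anything not on the intended list;
    # "Member Of" (add) semantics would keep these, e.g. manually added service accounts.
    $wouldRemove = @($current | Where-Object { $IntendedMembers -notcontains $_ })
    [pscustomobject]@{
        Server      = $server
        Current     = ($current -join '; ')
        WouldRemove = ($wouldRemove -join '; ')
    }
}

$report | Sort-Object Server | Format-Table -AutoSize
# Keep a record of every server where the policy would change membership.
$report | Where-Object { $_.WouldRemove } | Export-Csv -NoTypeInformation 'C:\admin-audit.csv'
```

Run it once from a management workstation before linking the GPO; anything in the WouldRemove column is either something to add to the policy's member list or something whose owner needs to be told before the policy takes it out.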
TechnicallyMaybe commented:
I agree the best route is definitely to put these 200 servers in an OU and create a group policy using Restricted Groups to add a global group called Contractors to the local Administrators group. Then add the contractors' user accounts to the global group.
Mike Kline commented:
"Restricted groups override any manual configuration of the local Administrators groups, if present."

That is not true; Restricted Groups can either override or add to what is there.

"Member Of" adds a group, "Members" replaces it.

Thanks

Mike
Rant32 commented:
That's not what's in the 2003 documentation, Mike.

When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added.

Also note that the member list for a restricted group that has no members is: <This group should contain no members>

I'm curious as to where the option is to add a member to what's there.

Rant32 commented:
What you need is probably GP Preferences. But that's not the same as restricted groups.

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html (replace Desktop with Server)
Mike Kline commented:
@Rant32 You can do it using just restricted groups

Please look at Florian's blog: http://www.frickelsoft.net/blog/?p=13

Test it yourself using both methods....they both work and I've used both.

Yes GPP also does this but so does normal restricted groups.

"This group is a member of" -- adds to what is there

...again don't take my word for it...try it/test it

Thanks

Mike
Question has a verified solution.