Solved

Giving local admin permissions rather than domain admin rights

Posted on 2010-09-03
10
839 Views
Last Modified: 2012-06-27
I was just hired on as a contractor at this company (it's a contract-to-hire). They have approx. 300 servers in the environment, virtual and physical. There are a mix of Windows Server 2003 and 2008 all in Standard, Enterprise, and R2 or each.

Currently they only have domain admin rights for the systems admins. They would like to be able to give me (and future contractors) local admin rights on about 200 of the servers, the other 100 are regulated and thus they do not give contractors access to those servers.

The question is this: How can they provide me local admin rights on the 200 selected servers without giving domain admin rights and without having to give local admin rights to each individual server one at a time?
0
Comment
Question by:ajhoy26
10 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33598355
On each of the servers, you can add a Domain Group to the local administrators group of the local machine.  You could then just add all the contractors to that domain group.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 33598398
yeah one by one would suck.  You can use restricted groups

Florian has a great blog entry on it here

http://www.frickelsoft.net/blog/?p=13

As you can see


‘’Memberof’’ adds a group, ‘’Members’’ replaces it.  (Florian explains it all)

Thanks

Mike
0
 
LVL 12

Expert Comment

by:FDiskWizard
ID: 33598657
You need a nifty script... I've seem them in the past.. Ah, there was one post here a while back:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24565963.html
Change group name, and create the .txt file....


Const ForReading = 1
 
Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("wscript.network")
 
sDomain = oNet.UserDomain
sDomainGroup = "DOMAIN GROUP HERE"
sLocalGroup = "Administrators"
 
Set oTextFile = oFS.OpenTextFile("C:\servers.txt", ForReading)
 
Do While oTextFile.AtEndOfStream <> True
      sComputer = oTextFile.ReadLine
      
      Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
      Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
      
      oLocalGroup.Add(oDomainGroup.AdsPath)
 
Loop
 

 
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33598872
Why would you use a script instead of restricted groups?
Thanks
 
Mike
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33599344
Restricted groups override any manual configuration of the local Administrators groups, if present.

Using Restricted Groups is certainly the least effort to implement via Group Policy, but you should do a thorough check on existing Administrators groups on the servers to make sure nothing breaks if members have been added manually, for example service accounts.
0
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33599516
I agree the best route is definitely put these 200 servers in an OU and create a group policy using restricted groups to add a global group called contractors to the local administrators group.  The add the contractors user accounts to the global group.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33599962
"Restricted groups override any manual configuration of the local Administrators groups, if present."

That is not true, restrictive groups can either override or add to what is there

‘’Memberof’’ adds a group, ‘’Members’’ replaces it.

Thanks

Mike
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33602811
That's not what's in the 2003 documentation, Mike.

When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added.

Also note that the member list for a restricted group that has no members is: <This group should contain no members>

I'm curious to where the option is to add a member to what's there.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33602834
What you need is probably GP Preferences. But that's not the same as restricted groups.

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html (replace Desktop with Server)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33603835
@Rant32 You can do it using just restricted groups

Please look at Florian's blog   http://www.frickelsoft.net/blog/?p=13

Test it yourself using both methods....they both work and I've used both.

Yes GPP also does this but so does normal restricted groups.

"This group is a member of" -- adds to what is there

...again don't take my word for it...try it/test it

Thanks

Mike
0

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now