Solved

Giving local admin permissions rather than domain admin rights

Posted on 2010-09-03
Medium Priority
854 Views
Last Modified: 2012-06-27
I was just hired on as a contractor at this company (it's a contract-to-hire). They have approx. 300 servers in the environment, virtual and physical. There is a mix of Windows Server 2003 and 2008, all in Standard, Enterprise, and R2 of each.

Currently they only have domain admin rights for the systems admins. They would like to be able to give me (and future contractors) local admin rights on about 200 of the servers, the other 100 are regulated and thus they do not give contractors access to those servers.

The question is this: How can they provide me local admin rights on the 200 selected servers without giving domain admin rights and without having to give local admin rights to each individual server one at a time?
Question by:ajhoy26
10 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33598355
On each of the servers, you can add a Domain Group to the local administrators group of the local machine.  You could then just add all the contractors to that domain group.
0
 
LVL 57

Accepted Solution

by:Mike Kline (earned 2000 total points)
ID: 33598398
yeah one by one would suck.  You can use restricted groups

Florian has a great blog entry on it here

http://www.frickelsoft.net/blog/?p=13

As you can see, "Memberof" adds a group, "Members" replaces it. (Florian explains it all)

Thanks

Mike
0
 
LVL 12

Expert Comment

by:FDiskWizard
ID: 33598657
You need a nifty script... I've seen them in the past.. Ah, there was one post here a while back:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24565963.html
Change group name, and create the .txt file....


Const ForReading = 1

Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")

sDomain = oNet.UserDomain
sDomainGroup = "DOMAIN GROUP HERE"   ' domain group that should become a local admin on every listed server
sLocalGroup = "Administrators"

' The domain group is the same for every server, so bind to it once
Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")

' One server name per line
Set oTextFile = oFS.OpenTextFile("C:\servers.txt", ForReading)

Do While oTextFile.AtEndOfStream <> True
    sComputer = Trim(oTextFile.ReadLine)
    If sComputer <> "" Then
        On Error Resume Next
        Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
        If Err.Number <> 0 Then
            WScript.Echo sComputer & ": cannot bind to local " & sLocalGroup & " (" & Err.Description & ")"
        ElseIf oLocalGroup.IsMember(oDomainGroup.AdsPath) Then
            WScript.Echo sComputer & ": " & sDomainGroup & " is already a member, skipping"
        Else
            oLocalGroup.Add oDomainGroup.AdsPath
            If Err.Number = 0 Then
                WScript.Echo sComputer & ": added " & sDomainGroup
            Else
                WScript.Echo sComputer & ": add failed (" & Err.Description & ")"
            End If
        End If
        Err.Clear
        On Error GoTo 0
    End If
Loop

oTextFile.Close
 

 
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33598872
Why would you use a script instead of restricted groups?
Thanks
 
Mike
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33599344
Restricted groups override any manual configuration of the local Administrators groups, if present.

Using Restricted Groups is certainly the least effort to implement via Group Policy, but you should do a thorough check on existing Administrators groups on the servers to make sure nothing breaks if members have been added manually, for example service accounts.
0
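The check Rant32 recommends, as an added example that is not code from the thread: a PowerShell script that inventories the current local Administrators membership on every server in the list before any Restricted Groups policy is applied, so that anything a replacing policy would remove is known in advance. It assumes C:\servers.txt holds one hostname per line (the same input file the VBScript above uses), the report path shown, PowerShell 2.0 or later on the management host, and that the account running it already has local admin rights on the targets (the WinNT provider needs them).

```powershell
# Added example, not code from the thread: inventory the current membership
# of the local Administrators group on every server in the list BEFORE a
# Restricted Groups policy is applied, so that anything a "Members" (replace)
# policy would remove is known in advance. Assumed paths below.

param(
    [string]$ServerList = 'C:\servers.txt',             # assumed path
    [string]$Report     = 'C:\localadmins-before.csv'   # assumed path
)

# Members a stock domain-joined server has; everything else is a candidate
# for removal by an authoritative policy and deserves a look first.
$Expected = @('Administrator', 'Domain Admins')

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Members() is a COM collection; each element only exposes its
    # properties through InvokeMember on the underlying COM type.
    foreach ($m in @($group.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Server   = $Computer
            Member   = $path                 # e.g. WinNT://CONTOSO/Domain Admins
            Class    = $class                # User or Group
            Expected = ($Expected -contains ($path -split '/')[-1])
        }
    }
}

$rows = foreach ($server in Get-Content $ServerList) {
    $server = $server.Trim()
    if (-not $server) { continue }
    try {
        Get-LocalAdminMembers -Computer $server
    } catch {
        # Unreachable or access-denied hosts are reported, not skipped silently
        New-Object PSObject -Property @{
            Server = $server; Member = "ERROR: $($_.Exception.Message)"; Class = ''; Expected = $false
        }
    }
}

$rows | Select-Object Server, Member, Class, Expected |
    Export-Csv -Path $Report -NoTypeInformation

# Show only the surprises: manually added accounts, service accounts,
# nested groups, and servers that could not be queried.
$rows | Where-Object { -not $_.Expected } |
    Select-Object Server, Member, Class | Format-Table -AutoSize
```

The CSV is the "before" snapshot; anything printed by the final table is a member that a replacing Restricted Groups policy would strip on the next refresh, so each entry needs either a deliberate place in the policy or a decision to let it go.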
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33599516
I agree the best route is definitely to put these 200 servers in an OU and create a group policy using restricted groups to add a global group called contractors to the local administrators group. Then add the contractors' user accounts to the global group.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33599962
"Restricted groups override any manual configuration of the local Administrators groups, if present."

That is not true, restricted groups can either override or add to what is there

"Memberof" adds a group, "Members" replaces it.

Thanks

Mike
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33602811
That's not what's in the 2003 documentation, Mike.

When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added.

Also note that the member list for a restricted group that has no members is: <This group should contain no members>

I'm curious to where the option is to add a member to what's there.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33602834
What you need is probably GP Preferences. But that's not the same as restricted groups.

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html (replace Desktop with Server)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33603835
@Rant32 You can do it using just restricted groups

Please look at Florian's blog   http://www.frickelsoft.net/blog/?p=13

Test it yourself using both methods....they both work and I've used both.

Yes GPP also does this but so does normal restricted groups.

"This group is a member of" -- adds to what is there

...again don't take my word for it...try it/test it

Thanks

Mike
0
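The two Restricted Groups forms the last few comments argue about, shown side by side as an added example (not code from the thread or from Florian's post): a PowerShell script that generates a security template (.inf) containing one Group Membership entry in either the "Memberof" (additive) or the "Members" (replace) form. Assumed names are the domain CONTOSO, a global group called Contractors, the output path, and that the unqualified name Administrator resolves to the local account on each target. The resulting file is imported into the GPO linked to the server OU through the GPMC editor (Computer Configuration > Windows Settings > Security Settings > right-click > Import Policy...).

```powershell
# Added example, not from the thread or Florian's post: generate a security
# template (.inf) containing a Restricted Groups entry in either of the two
# forms discussed above, so their semantics can be compared. Assumed names:
# domain CONTOSO, global group "Contractors", output path below.

param(
    [string]$Domain    = 'CONTOSO',                                # assumed
    [string]$GroupName = 'Contractors',                            # assumed
    [string]$OutFile   = 'C:\contractors-restricted-groups.inf',   # assumed
    [ValidateSet('Memberof', 'Members')]
    [string]$Mode      = 'Memberof'
)

# Well-known SID of the local BUILTIN\Administrators group on every Windows
# machine; security templates reference SIDs with a leading '*'.
$AdminsSid = '*S-1-5-32-544'

function Get-RestrictedGroupLine {
    param([string]$DomainGroup, [string]$TargetSid, [string]$Mode, [string[]]$KeepList)
    switch ($Mode) {
        # "This group is a member of": the domain group is ADDED to local
        # Administrators on each server in scope; current members are left
        # alone. This is the additive behaviour Mike describes.
        'Memberof' { "${DomainGroup}__Memberof = $TargetSid" }
        # "Members of this group": local Administrators becomes EXACTLY this
        # list at every policy refresh; anything not listed (for example a
        # service account someone added by hand) is removed. This is the
        # replace behaviour Rant32 quotes from the documentation, so the list
        # must contain everything you audited and intend to keep.
        'Members'  { "${TargetSid}__Members = " + (($KeepList + $DomainGroup) -join ',') }
    }
}

# Members to preserve in replace mode; 'Administrator' is assumed to resolve
# to the local built-in account on the target. Extend this from your audit.
$Keep = @("$Domain\Domain Admins", 'Administrator')

$line = Get-RestrictedGroupLine -DomainGroup "$Domain\$GroupName" `
                                -TargetSid $AdminsSid -Mode $Mode -KeepList $Keep

# Minimal template header expected by the Import Policy machinery,
# followed by the single Group Membership entry.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
$line
"@ | Set-Content -Path $OutFile -Encoding Unicode

Write-Host "Wrote $OutFile containing: $line"
```

Run with the default mode to get the additive entry (`CONTOSO\Contractors__Memberof = *S-1-5-32-544`), which is what the question asks for and leaves existing members untouched; run with `-Mode Members` to get the authoritative entry, which is the stronger control over who is a local admin but only safe after the membership audit, because every member not on its list is removed at the next refresh.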
