Giving local admin permissions rather than domain admin rights

Posted on 2010-09-03
851 Views
Last Modified: 2012-06-27
I was just hired on as a contractor at this company (it's a contract-to-hire). They have approx. 300 servers in the environment, virtual and physical. There is a mix of Windows Server 2003 and 2008, all in Standard, Enterprise, and R2 of each.

Currently they only have domain admin rights for the systems admins. They would like to be able to give me (and future contractors) local admin rights on about 200 of the servers, the other 100 are regulated and thus they do not give contractors access to those servers.

The question is this: How can they provide me local admin rights on the 200 selected servers without giving domain admin rights and without having to give local admin rights to each individual server one at a time?
Question by:ajhoy26
10 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33598355
On each of the servers, you can add a Domain Group to the local administrators group of the local machine.  You could then just add all the contractors to that domain group.
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 33598398
Yeah, one by one would suck. You can use Restricted Groups.

Florian has a great blog entry on it here

http://www.frickelsoft.net/blog/?p=13

As you can see, "Member of" adds a group, "Members" replaces it. (Florian explains it all.)

Thanks

Mike
 
LVL 12

Expert Comment

by:FDiskWizard
ID: 33598657
You need a nifty script... I've seen them in the past. Ah, there was one post here a while back:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24565963.html
Change the group name and create the .txt file.


Const ForReading = 1

Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")

sDomain = oNet.UserDomain
sDomainGroup = "DOMAIN GROUP HERE"   ' domain group that gets local admin on each server
sLocalGroup = "Administrators"

' The domain group is the same for every server, so bind to it once.
Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")

' C:\servers.txt holds one server name per line.
Set oTextFile = oFS.OpenTextFile("C:\servers.txt", ForReading)

On Error Resume Next
Do While oTextFile.AtEndOfStream <> True
    sComputer = Trim(oTextFile.ReadLine)
    If sComputer <> "" Then
        Err.Clear
        Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
        If Err.Number <> 0 Then
            ' unreachable server, no rights, or the WinNT provider could not bind
            WScript.Echo sComputer & ": cannot open " & sLocalGroup & " - " & Err.Description
        ElseIf oLocalGroup.IsMember(oDomainGroup.AdsPath) Then
            WScript.Echo sComputer & ": already a member"
        Else
            oLocalGroup.Add oDomainGroup.AdsPath
            If Err.Number = 0 Then
                WScript.Echo sComputer & ": added"
            Else
                WScript.Echo sComputer & ": add failed - " & Err.Description
            End If
        End If
    End If
Loop
oTextFile.Close

 
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33598872
Why would you use a script instead of restricted groups?
Thanks
 
Mike
 
LVL 12

Expert Comment

by:Rant32
ID: 33599344
Restricted groups override any manual configuration of the local Administrators groups, if present.

Using Restricted Groups is certainly the least effort to implement via Group Policy, but you should do a thorough check on existing Administrators groups on the servers to make sure nothing breaks if members have been added manually, for example service accounts.
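The check the comment above asks for, as an added example (not code from the thread): it reads the current local Administrators membership of every server over the WinNT ADSI provider, which works against 2003 and 2008 boxes without PowerShell remoting, and flags each member that a Restricted Groups "Members" policy would strip. Assumptions: C:\servers.txt holds one NetBIOS name per line, and $Keep lists exactly the members the planned policy will contain (CONTOSO and the Contractors group are placeholders).

```powershell
# Added example: audit local Administrators before a "Members" (replace) policy is linked.
$Keep = @(
    'Administrator',          # built-in local account, compared by name only
    'CONTOSO\Domain Admins',  # assumed domain name
    'CONTOSO\Contractors'     # the group the GPO will put in Administrators
)

$Servers = Get-Content 'C:\servers.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$Report = foreach ($Server in $Servers) {
    try {
        $Group = [ADSI]"WinNT://$Server/Administrators,group"
        # Invoke('Members') returns raw COM objects; read Name and ADsPath via reflection.
        foreach ($Obj in @($Group.psbase.Invoke('Members'))) {
            $Name = $Obj.GetType().InvokeMember('Name',    'GetProperty', $null, $Obj, $null)
            $Path = $Obj.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $Obj, $null)
            # ADsPath is WinNT://CONTOSO/svc_backup for domain principals and
            # WinNT://SERVER01/Administrator for local ones; the first segment is the authority.
            $Authority = (($Path -replace '^WinNT://', '') -split '/')[0]
            $IsLocal   = $Authority -ieq (($Server -split '\.')[0])
            $Member    = "$Authority\$Name"
            $Kept      = if ($IsLocal) { $Keep -contains $Name } else { $Keep -contains $Member }
            [pscustomobject]@{
                Server                 = $Server
                Member                 = $Member
                RemovedByMembersPolicy = -not $Kept
            }
        }
    } catch {
        # Keep failures in the report; an unreachable server is not a clean server.
        [pscustomobject]@{
            Server                 = $Server
            Member                 = "<bind failed: $($_.Exception.Message)>"
            RemovedByMembersPolicy = $null
        }
    }
}

# Everything listed here would silently disappear at the next policy refresh,
# typically service accounts or app teams added by hand. Review before linking the GPO.
$Report | Where-Object { $_.RemovedByMembersPolicy -ne $false } |
    Sort-Object Server, Member | Format-Table -AutoSize
$Report | Export-Csv 'C:\localadmin-audit.csv' -NoTypeInformation
```

Run it from an account that already has local admin on the target servers (the existing Domain Admins rights in this environment are enough); the CSV is the record to compare against after the policy has applied.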
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33599516
I agree the best route is definitely to put these 200 servers in an OU and create a group policy using Restricted Groups to add a global group called Contractors to the local Administrators group. Then add the contractors' user accounts to the global group.
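The OU, group and GPO scaffolding from the steps above, as an added example (not code from the thread), using the ActiveDirectory and GroupPolicy modules that ship with the Server 2008 R2 RSAT. The OU name, group name, GPO name, C:\servers.txt and the contractor account are assumptions. There is no cmdlet for the Restricted Groups setting itself, so the last step is done in the Group Policy Management Editor.

```powershell
# Added example: OU + global group + linked GPO, so the policy can only ever reach
# the servers deliberately moved into the OU and never the 100 regulated ones.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = (Get-ADDomain).DistinguishedName
$OUName    = 'ContractorManagedServers'            # assumed
$OU        = "OU=$OUName,$DomainDN"
$GroupName = 'Contractors'                         # assumed
$GpoName   = 'Local Admins - Contractors'          # assumed

# 1. OU for the 200 non-regulated servers.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OUName)" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Global security group that the GPO will place in each server's local Administrators.
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$GroupName)")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $DomainDN
}

# 3. Move the listed computer objects into the OU; names with no AD object are reported, not skipped silently.
foreach ($Name in (Get-Content 'C:\servers.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    $Computer = Get-ADComputer -LDAPFilter "(sAMAccountName=$Name`$)"
    if ($Computer) {
        Move-ADObject -Identity $Computer.DistinguishedName -TargetPath $OU
    } else {
        Write-Warning "No computer object named $Name; it will not get the policy"
    }
}

# 4. Create the GPO and link it to this OU only.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $OU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 5. Contractors get admin through group membership, never through per-server edits.
Add-ADGroupMember -Identity $GroupName -Members 'contractor.user'   # assumed account

# 6. Manual step: in GPMC, edit $GpoName under Computer Configuration > Windows Settings >
#    Security Settings > Restricted Groups, add CONTOSO\$GroupName and set
#    "This group is a member of: Administrators".
```

Step 6 uses the "Member of" form on purpose: it adds the group to Administrators on every server in the OU without touching whatever else is already in there.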
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33599962
"Restricted groups override any manual configuration of the local Administrators groups, if present."

That is not true, restricted groups can either override or add to what is there

"Member of" adds a group, "Members" replaces it.

Thanks

Mike
 
LVL 12

Expert Comment

by:Rant32
ID: 33602811
That's not what's in the 2003 documentation, Mike.

When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added.

Also note that the member list for a restricted group that has no members is: <This group should contain no members>

I'm curious as to where the option is to add a member to what's there.
 
LVL 12

Expert Comment

by:Rant32
ID: 33602834
What you need is probably GP Preferences. But that's not the same as restricted groups.

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html (replace Desktop with Server)
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33603835
@Rant32 You can do it using just restricted groups

Please look at Florian's blog   http://www.frickelsoft.net/blog/?p=13

Test it yourself using both methods....they both work and I've used both.

Yes GPP also does this but so does normal restricted groups.

"This group is a member of" -- adds to what is there

...again don't take my word for it...try it/test it

Thanks

Mike
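The two Restricted Groups forms the thread argues about, shown as an added example of what each writes into the GPO's security template (Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf under the GPO's SYSVOL folder). This is not from the thread; CONTOSO\Contractors and the domain SID are placeholders, and the ; lines are annotations the editor does not write. Normally a GPO would carry one form or the other, not both.

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; Form A: the restricted group is CONTOSO\Contractors and the setting used is
; "This group is a member of". Only the Memberof key is populated, so the policy
; adds Contractors to local Administrators (well-known SID S-1-5-32-544) and leaves
; every existing member, including hand-added service accounts, untouched.
CONTOSO\Contractors__Memberof = *S-1-5-32-544
CONTOSO\Contractors__Members =

; Form B: the restricted group is Administrators itself and "Members of this group"
; is used. The Members key is the complete list; at every policy refresh anything not
; on it is removed and anything on it is added, which is the 2003 documentation wording.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-<domain-sid>-512,CONTOSO\Contractors
```

Form A is what answers the original question with the least blast radius; Form B is the one that needs the membership audit first, because it also becomes the enforcement mechanism that strips anything added by hand later.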