Solved

Giving local admin permissions rather than domain admin rights

Posted on 2010-09-03
10
844 Views
Last Modified: 2012-06-27
I was just hired on as a contractor at this company (it's a contract-to-hire). They have approx. 300 servers in the environment, virtual and physical. There are a mix of Windows Server 2003 and 2008 all in Standard, Enterprise, and R2 or each.

Currently they only have domain admin rights for the systems admins. They would like to be able to give me (and future contractors) local admin rights on about 200 of the servers, the other 100 are regulated and thus they do not give contractors access to those servers.

The question is this: How can they provide me local admin rights on the 200 selected servers without giving domain admin rights and without having to give local admin rights to each individual server one at a time?
0
Comment
Question by:ajhoy26
10 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33598355
On each of the servers, you can add a Domain Group to the local administrators group of the local machine.  You could then just add all the contractors to that domain group.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 33598398
yeah one by one would suck.  You can use restricted groups

Florian has a great blog entry on it here

http://www.frickelsoft.net/blog/?p=13

As you can see


‘’Memberof’’ adds a group, ‘’Members’’ replaces it.  (Florian explains it all)

Thanks

Mike
0
 
LVL 12

Expert Comment

by:FDiskWizard
ID: 33598657
You need a nifty script... I've seem them in the past.. Ah, there was one post here a while back:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24565963.html
Change group name, and create the .txt file....


Const ForReading = 1
 
Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("wscript.network")
 
sDomain = oNet.UserDomain
sDomainGroup = "DOMAIN GROUP HERE"
sLocalGroup = "Administrators"
 
Set oTextFile = oFS.OpenTextFile("C:\servers.txt", ForReading)
 
Do While oTextFile.AtEndOfStream <> True
      sComputer = oTextFile.ReadLine
      
      Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
      Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
      
      oLocalGroup.Add(oDomainGroup.AdsPath)
 
Loop
 

 
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 33598872
Why would you use a script instead of restricted groups?
Thanks
 
Mike
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33599344
Restricted groups override any manual configuration of the local Administrators groups, if present.

Using Restricted Groups is certainly the least effort to implement via Group Policy, but you should do a thorough check on existing Administrators groups on the servers to make sure nothing breaks if members have been added manually, for example service accounts.
0
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33599516
I agree the best route is definitely put these 200 servers in an OU and create a group policy using restricted groups to add a global group called contractors to the local administrators group.  The add the contractors user accounts to the global group.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33599962
"Restricted groups override any manual configuration of the local Administrators groups, if present."

That is not true, restrictive groups can either override or add to what is there

‘’Memberof’’ adds a group, ‘’Members’’ replaces it.

Thanks

Mike
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33602811
That's not what's in the 2003 documentation, Mike.

When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added.

Also note that the member list for a restricted group that has no members is: <This group should contain no members>

I'm curious to where the option is to add a member to what's there.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33602834
What you need is probably GP Preferences. But that's not the same as restricted groups.

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html (replace Desktop with Server)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33603835
@Rant32 You can do it using just restricted groups

Please look at Florian's blog   http://www.frickelsoft.net/blog/?p=13

Test it yourself using both methods....they both work and I've used both.

Yes GPP also does this but so does normal restricted groups.

"This group is a member of" -- adds to what is there

...again don't take my word for it...try it/test it

Thanks

Mike
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question