UBB
asked on
Best way to delegate permissions to admins in a different AD Site
hello all,
We have a single forest/single domain AD setup in the UK.
We've recently built a new physical site in America. We've grouped all user, computer & other relevant accounts in seperate OU's dedicated to the new USA site.
This site has DC's, Exchange 2010, F&P, Hyper-V and TMG server setup. All run Windows 2008 R2 native mode.
We've created it as an AD site.
We have a couple of admins in the new USA office. These guys are 'lower level' admins and can not have any rights outside of these dedicated OU's at all. They cannot therefore have domain admin rights but still need to manage all server and client day-to-day tasks.
I have so far
- Created a security group for the two of them.
- I have added this group to each server so they can remote Desktop to them.
- I have given them full delegated permisison rights to the OU's in question.
- I have created a basic Exchange 2010 role group for them.
Some issues I have still are;
- I need them to be able to log on to all client computers and have full rights (similar to being a domain admin).
- I need them to be able to log onto all servers and be able to shutdown or restart them (without making them local admin group members if possible).
- They MUST NOT have any rights to any object outside of their OU's.
Is it possible to create a 'custom domain admin' group with reduced rights?
I would appreciate any and all help you can provide on this. I'm thinking it may have been easier if I created a seperate child domain although, for a small site yet to develop, it may have been overkill at this stage.
thnaks, regards
We have a single forest/single domain AD setup in the UK.
We've recently built a new physical site in America. We've grouped all user, computer & other relevant accounts in seperate OU's dedicated to the new USA site.
This site has DC's, Exchange 2010, F&P, Hyper-V and TMG server setup. All run Windows 2008 R2 native mode.
We've created it as an AD site.
We have a couple of admins in the new USA office. These guys are 'lower level' admins and can not have any rights outside of these dedicated OU's at all. They cannot therefore have domain admin rights but still need to manage all server and client day-to-day tasks.
I have so far
- Created a security group for the two of them.
- I have added this group to each server so they can remote Desktop to them.
- I have given them full delegated permisison rights to the OU's in question.
- I have created a basic Exchange 2010 role group for them.
Some issues I have still are;
- I need them to be able to log on to all client computers and have full rights (similar to being a domain admin).
- I need them to be able to log onto all servers and be able to shutdown or restart them (without making them local admin group members if possible).
- They MUST NOT have any rights to any object outside of their OU's.
Is it possible to create a 'custom domain admin' group with reduced rights?
I would appreciate any and all help you can provide on this. I'm thinking it may have been easier if I created a seperate child domain although, for a small site yet to develop, it may have been overkill at this stage.
thnaks, regards
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The problem with your settings as I see it is that you have REMOVED Domain Admins from the local administrators group. This can be solved in two ways - make Domain Admins a member of GL-USA Delegation Control, or my preference is to make Domain Admins an explicit member of Administrators by adding Domain Admins as part of the GPO.
ASKER
Hello
sorry Kevin.. you've erm kind of lost me now....
Could you possibly show me a screenshot of how I should set up the Restricted Groups GPO setting?
is 'domain admins' group a part of the 'local/built in' administrators group?
I think you are saying that the security group with the 2 admins should be made members of the local admin group but, the local admin group needs t be a member of the Domain amdins group.
If that's the case, would that not then give them domain admin rights to the domain from any machine???
thanks, regards
sorry Kevin.. you've erm kind of lost me now....
Could you possibly show me a screenshot of how I should set up the Restricted Groups GPO setting?
is 'domain admins' group a part of the 'local/built in' administrators group?
I think you are saying that the security group with the 2 admins should be made members of the local admin group but, the local admin group needs t be a member of the Domain amdins group.
If that's the case, would that not then give them domain admin rights to the domain from any machine???
thanks, regards
Domain Admins WAS part of the local/built-in administrators group, which is what made Domain Admins local administrators on the machines. Your GPO REMOVED Domain Admins from the local administrators group, which means that a Domain Admin is no longer a local administrator.
The fix is to edit your GPO and also include Domain Admins as part of the membership of the local administrators group. I can dig up a screenshot later if you wish.
A local group can not be made a member of a domain group.
The fix is to edit your GPO and also include Domain Admins as part of the membership of the local administrators group. I can dig up a screenshot later if you wish.
A local group can not be made a member of a domain group.
ASKER
hello please do provide a screenshot. I need to be exact in this and will need to test to ensure the admins don't have dom admin rights at any point.
thanks for your help so far.
thanks for your help so far.
Just look at the group membership in ADUC for Domain Admins. What you see will be the domain admins. Attached are the screen shots that I have for one of my GPOs that defines the local administrators. I have included the local administrator account. Otherwise, the local account called Administrator will no longer have Administrators membership and will no longer have administrative rights. The second screenshot shows that I have added Domain Admins to the Training WS Admin group, which is how Domain Admins become administrators on the machines.
ScreenShot003.png
ScreenShot004.png
ScreenShot003.png
ScreenShot004.png
ASKER
Hello
I'm getting very fllustered with this as I can't get it to work.
Please see attached where I have made a change similar to yours to make the restricted group a member of the domain admins group.
In theory, this leads me to believe that when one of the USA admins logs onto a client PC, the restricted group GPO makes them a member of the local administrators group on that client PC with, the group being part of Domain Admins only whilst they are logged onto local client machines???
If one of the admins tries to install software on a client PC they get 'Requested Operation requires elevation'. This has thrown me completely.
They must only have LOCAL ADMINISTRATIVE rights to any client PC they log onto (all client PC's in same OU parent).
I've also read that RG GPO's must be applied to computer accounts. Is that correct? in which case I need to add all computer accounts under heading 'Security Filtering' in the GPO.
Have I got it all wrong?
It's this one thing I need to resolve before visiting site and handing over all the kit.
Appreciate any further help you can provide/clarify.
thanks, regards
RestrictedGroup-2.pdf
I'm getting very fllustered with this as I can't get it to work.
Please see attached where I have made a change similar to yours to make the restricted group a member of the domain admins group.
In theory, this leads me to believe that when one of the USA admins logs onto a client PC, the restricted group GPO makes them a member of the local administrators group on that client PC with, the group being part of Domain Admins only whilst they are logged onto local client machines???
If one of the admins tries to install software on a client PC they get 'Requested Operation requires elevation'. This has thrown me completely.
They must only have LOCAL ADMINISTRATIVE rights to any client PC they log onto (all client PC's in same OU parent).
I've also read that RG GPO's must be applied to computer accounts. Is that correct? in which case I need to add all computer accounts under heading 'Security Filtering' in the GPO.
Have I got it all wrong?
It's this one thing I need to resolve before visiting site and handing over all the kit.
Appreciate any further help you can provide/clarify.
thanks, regards
RestrictedGroup-2.pdf
You are not doing what I described. You should NOT be configuring the Administrators group to be a member of anything. The Administrators group should have members, but should not be a member of any groups.
The GPO needs to apply to the OU(s) containing the computer objects. It has no effect on user objects. If your computers are all in the same OU, you don't need security filtering, you only need to apply it to the OU that contains your PCs in USA. I assume that they are in a different OU from your European PCs.
Requested Operation requires elevation is normal for Windows Vista/7 with UAC set to the default. If the user has administrative rights, they need only to accept. If they don't have administrative rights, they would be asked for credentials.
The GPO needs to apply to the OU(s) containing the computer objects. It has no effect on user objects. If your computers are all in the same OU, you don't need security filtering, you only need to apply it to the OU that contains your PCs in USA. I assume that they are in a different OU from your European PCs.
Requested Operation requires elevation is normal for Windows Vista/7 with UAC set to the default. If the user has administrative rights, they need only to accept. If they don't have administrative rights, they would be asked for credentials.
ASKER
Hello Kevin,
Maybe I'm just not getting this so I googled it and found a lot of simialr issues. Based on one of them I made some changes....
The GPO is applied to the OU that contains all the computer accounts (USA OU shown in
attachment).
in the attachment where I have 'BUILTIN/Administrators' under the 'Group' I have changed this to 'mydomain\GL-USA Delegation Group'
The 'Members of this group' is now empty.
The 'This group is a member of' now contains mydomain\Domain Admins.
This still does not work although I will ask them to check again to ensure its not a UAC prompt.
In ADUC 'Builtin' OU, ADMINISTRATORS group contains Domain Admins as a member.
In ADUC 'Users' OU, DOMAIN ADMINS group has 'Administrators' in the 'MEMBER OF' tab.
Am I on the right track now?
thanks, regards
Maybe I'm just not getting this so I googled it and found a lot of simialr issues. Based on one of them I made some changes....
The GPO is applied to the OU that contains all the computer accounts (USA OU shown in
attachment).
in the attachment where I have 'BUILTIN/Administrators' under the 'Group' I have changed this to 'mydomain\GL-USA Delegation Group'
The 'Members of this group' is now empty.
The 'This group is a member of' now contains mydomain\Domain Admins.
This still does not work although I will ask them to check again to ensure its not a UAC prompt.
In ADUC 'Builtin' OU, ADMINISTRATORS group contains Domain Admins as a member.
In ADUC 'Users' OU, DOMAIN ADMINS group has 'Administrators' in the 'MEMBER OF' tab.
Am I on the right track now?
thanks, regards
I think that you are getting things backwards. The GPO should not be used to modify anything in ADUC. The Administrators group in ADUC is for your Domain Controllers. The Administrators group should not be a member of any groups.
Your GPO is backwards. There should be nothing specified for MEMBER Of. It should only specify Members. See attached screenshot.
ScreenShot019.png
Your GPO is backwards. There should be nothing specified for MEMBER Of. It should only specify Members. See attached screenshot.
ScreenShot019.png
ASKER
Thanks for putting up with me :)
I've made changes again based on your screenshot and will get the US guys to check this afternoon.
regards
I've made changes again based on your screenshot and will get the US guys to check this afternoon.
regards
ASKER
This still does not seem to be working. If anyone else can throw their own comments on this, I'm hoping it will click.
Is anyone aware of any other way of achieving full admin rights on client PC's without giving the IT admins domain admin access level?
thanks, regards
Is anyone aware of any other way of achieving full admin rights on client PC's without giving the IT admins domain admin access level?
thanks, regards
I can tell you that we are able to give users full admin rights to PCs without giving rights to the domain. Can you tell me why the screen shots I have posted are not translating to your environment? What you have posted doesn't look like what I am posting.
ASKER
hello,
your last screenshot is exactly how I have the group setup up.
It may help if you can show me the 'scope' page of your example or confirm mine from previous screenshots.
I just can't work out what is going on and why it doesnt work for us.
regards
your last screenshot is exactly how I have the group setup up.
It may help if you can show me the 'scope' page of your example or confirm mine from previous screenshots.
I just can't work out what is going on and why it doesnt work for us.
regards
The GPO applies to the OU with the machines. There are no WMI or non-default security filters.
ASKER
ok, made the changes back to default and will retest with the USA today.
thanks.
thanks.
ASKER
still doesn't work sadly. I've got a consultant in tomorrow so will see how things go.
regards
regards
![Avatar of Guy Hengel [angelIII / a3]](https://filedb.experts-exchange.com/files/public/2013/11/25/ddbe0ea6-aa6e-4279-b781-57b735dd3ea0.jpeg){kind=small}
I've requested that this question be deleted for the following reason:
The question has either no comments or not enough useful information to be called an "answer".
The question has either no comments or not enough useful information to be called an "answer".
Correct answer is #37784420 . All the rest is commentary on OP challenges with using restricted groups.
ASKER
thanks for your response.
With the second link on restrcited groups, that was the most helpful. It was a little confusing to get a grip on so can you please check if I have done this correctly?
Check screenshots applied. The blanked out bits are the domain name.
- 2 admin guys are members of sec group GL-USA Delegation Control
- I want them to be local Administrator members on all client PC's
- I have applied the GPO to the OU that contains all the new computers for the 2 admins to manage. This OU does not contain any servers.
Note that I have made them members of the local Administrator groups on most of their servers in their AD site.
They are server admins on the DC's and backup operators on the TMG server so they have no access to TMG itself.
Appreciate if you can confirm the GPO side.
thanks
RestrictedGroups.pdf