Best way to delegate permissions to admins in a different AD Site

Posted on 2012-03-29
Last Modified: 2012-06-29
Hello all,
We have a single forest/single domain AD setup in the UK.

We've recently built a new physical site in America. We've grouped all user, computer and other relevant accounts in separate OUs dedicated to the new USA site.
This site has DCs, Exchange 2010, F&P, Hyper-V and a TMG server set up. All run Windows 2008 R2 in native mode.

We've created it as an AD site.

We have a couple of admins in the new USA office. These guys are 'lower level' admins and cannot have any rights outside of these dedicated OUs at all. They cannot therefore have domain admin rights, but still need to manage all server and client day-to-day tasks.

I have so far
- Created a security group for the two of them.
- I have added this group to each server so they can remote Desktop to them.
- I have given them full delegated permission rights to the OUs in question.
- I have created a basic Exchange 2010 role group for them.

Some issues I have still are;
- I need them to be able to log on to all client computers and have full rights (similar to being a domain admin).
- I need them to be able to log onto all servers and be able to shutdown or restart them (without making them local admin group members if possible).
- They MUST NOT have any rights to any object outside of their OUs.

Is it possible to create a 'custom domain admin' group with reduced rights?
I would appreciate any and all help you can provide on this. I'm thinking it may have been easier if I had created a separate child domain, although for a small site yet to develop it may have been overkill at this stage.

Thanks, regards
Question by:UBB

Accepted Solution

by: kevinhsieh (earned 500 total points)
ID: 37784420
You can delegate the ability to manage their own group policies.
http://technet.microsoft.com/en-us/magazine/gg416505.aspx

They can use restricted groups to add themselves in as members of the local administrators groups.
http://www.expta.com/2011/02/adding-users-to-local-security-groups.html

The servers probably need to be in an OU outside of their full control so that they don't add themselves in as administrators. If making them members of the Server Administrators via using restricted groups gives them too much power, you can actually give them the specific rights to logon via RDP, logon locally, and shutdown system. All can be done via GPO.
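As an added example (not part of the thread or the linked articles), the following PowerShell script checks, on one USA client or server, what the two approaches in the answer actually produced: the current membership of the local Administrators group, read through the WinNT ADSI provider because Get-LocalGroupMember does not exist on Windows 7 / 2008 R2, and the user rights assignments for local logon, RDP logon and shutdown, read from a `secedit /export` of the local security database. The group name GL-USA Delegation Control is taken from the thread; the domain NetBIOS name MYDOMAIN is a placeholder and must be changed. Run it in an elevated session on the machine under test.

```powershell
# Added example, not from the thread: audit what the GPO produced on this machine.
# Run elevated on the client or server under test.
param(
    # Delegated admins group (name from the thread; MYDOMAIN is a placeholder)
    [string]$DelegatedGroup = 'MYDOMAIN\GL-USA Delegation Control'
)

# 1. Who is in the local Administrators group right now. The WinNT ADSI provider
#    is used because Get-LocalGroupMember does not exist on Windows 7 / 2008 R2.
function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # Each member's ADsPath is 'WinNT://DOMAIN/Name'; normalise to DOMAIN\Name
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# 2. User rights as applied on this machine (the answer's alternative to local admin).
#    secedit exports the local security database; [Privilege Rights] has one line per
#    right, holders written as '*SID' (or a bare name when it could not be resolved).
function Get-UserRights {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $right = $matches[1]
        $rights[$right] = @($matches[2] -split ',' | Where-Object { $_.Trim() } | ForEach-Object {
            $id = $_.Trim()
            if ($id.StartsWith('*')) {
                # Resolve '*S-1-5-...' to DOMAIN\Name; fall back to the raw SID
                try { (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $id.Substring(1) }
            } else { $id }
        })
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $rights
}

$admins = Get-LocalAdministrators
$rights = Get-UserRights

"Local Administrators on ${env:COMPUTERNAME}:"
$admins | ForEach-Object { "  $_" }

# A Restricted Groups 'Members' list is authoritative: anyone not listed is removed on
# every refresh, so Domain Admins and the local Administrator must still be present.
foreach ($required in @("${env:COMPUTERNAME}\Administrator", '\Domain Admins', $DelegatedGroup)) {
    if ($admins | Where-Object { $_ -like "*$required" }) { "  OK      $required" } else { "  MISSING $required" }
}

# For the no-local-admin variant: which of the rights the answer names does the group hold?
"`nUser rights held by $DelegatedGroup on ${env:COMPUTERNAME}:"
foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight', 'SeShutdownPrivilege') {
    $holders = @($rights[$right])
    $state = if ($holders -contains $DelegatedGroup) { 'GRANTED    ' } else { 'not granted' }
    "  {0} {1,-30} (holders: {2})" -f $state, $right, ($holders -join ', ')
}
```

Against the first GPO posted later in this thread, the membership section would print MISSING for Domain Admins, which is exactly the diagnosis given below. The user-rights section is the check to run if the servers are handled with explicit logon and shutdown rights instead of local Administrators membership.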

Author Comment

by:UBB
ID: 37795534
Hello Kevinhsieh,
thanks for your response.
With the second link on restricted groups, that was the most helpful. It was a little confusing to get a grip on, so can you please check if I have done this correctly?

Check screenshots applied. The blanked out bits are the domain name.

- 2 admin guys are members of sec group GL-USA Delegation Control
- I want them to be local Administrator members on all client PC's
- I have applied the GPO to the OU that contains all the new computers for the 2 admins to manage. This OU does not contain any servers.

Note that I have made them members of the local Administrator groups on most of their servers in their AD site.
They are server admins on the DC's and backup operators on the TMG server so they have no access to TMG itself.

Appreciate if you can confirm the GPO side.
thanks
[Attachment: RestrictedGroups.pdf]

Expert Comment

by:kevinhsieh
ID: 37797865
The problem with your settings as I see it is that you have REMOVED Domain Admins from the local administrators group. This can be solved in two ways - make Domain Admins a member of GL-USA Delegation Control, or my preference is to make Domain Admins an explicit member of Administrators by adding Domain Admins as part of the GPO.

Author Comment

by:UBB
ID: 37800181
Hello,
Sorry Kevin, you've, erm, kind of lost me now...

Could you possibly show me a screenshot of how I should set up the Restricted Groups GPO setting?

Is the 'Domain Admins' group part of the 'local/built-in' Administrators group?

I think you are saying that the security group with the 2 admins should be made a member of the local admin group but that the local admin group needs to be a member of the Domain Admins group.
If that's the case, would that not then give them domain admin rights to the domain from any machine???

thanks, regards

Expert Comment

by:kevinhsieh
ID: 37802375
Domain Admins WAS part of the local/built-in administrators group, which is what made Domain Admins local administrators on the machines. Your GPO REMOVED Domain Admins from the local administrators group, which means that a Domain Admin is no longer a local administrator.

The fix is to edit your GPO and also include Domain Admins as part of the membership of the local administrators group. I can dig up a screenshot later if you wish.

A local group can not be made a member of a domain group.

Author Comment

by:UBB
ID: 37802626
Hello, please do provide a screenshot. I need to be exact in this and will need to test to ensure the admins don't have domain admin rights at any point.

thanks for your help so far.

Expert Comment

by:kevinhsieh
ID: 37803071
Just look at the group membership in ADUC for Domain Admins. What you see will be the domain admins. Attached are the screen shots that I have for one of my GPOs that defines the local administrators. I have included the local administrator account. Otherwise, the local account called Administrator will no longer have Administrators membership and will no longer have administrative rights. The second screenshot shows that I have added Domain Admins to the Training WS Admin group, which is how Domain Admins become administrators on the machines.
[Attachments: ScreenShot003.png, ScreenShot004.png]
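Looking at Domain Admins in ADUC only shows direct members. The two things the author wants to prove, that the delegated group never ends up inside Domain Admins or another privileged group through nesting, and that it holds no rights on anything outside its own OUs, can be checked from any domain-joined machine with System.DirectoryServices alone (no RSAT needed on 2008 R2). The following script is an added example, not from the thread: the group name comes from the question, the DN of the allowed USA OU is a placeholder, and the list of privileged SIDs is the usual set of built-in administrative groups.

```powershell
# Added example, not from the thread: verify the delegated group's reach in the domain.
param(
    [string]$GroupName   = 'GL-USA Delegation Control',     # name from the thread
    [string]$AllowedOuDn = 'OU=USA,DC=mydomain,DC=local'    # placeholder: the USA OU
)

$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

function Find-Ldap {
    param([string]$Filter, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn", $Filter)
    $s.PageSize = 1000
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

function ConvertTo-SidString {
    param([byte[]]$Bytes)
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

$grp = Find-Ldap "(&(objectClass=group)(sAMAccountName=$GroupName))" @('distinguishedName', 'objectSid') |
       Select-Object -First 1
if (-not $grp) { throw "Group '$GroupName' not found under $domainDn" }
$grpDn  = [string]$grp.Properties['distinguishedname'][0]
$grpSid = ConvertTo-SidString $grp.Properties['objectsid'][0]

# 1. Transitive membership. The matching-rule OID 1.2.840.113556.1.4.1941
#    (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk nested 'member' links, so a
#    route into Domain Admins through an intermediate group is reported as well.
$privilegedSuffixes = @('-512', '-519', '-518',          # Domain, Enterprise, Schema Admins
                        '-544', '-548', '-549', '-551')  # Administrators, Account/Server/Backup Operators
"Groups '$GroupName' belongs to (direct or nested):"
foreach ($m in Find-Ldap "(member:1.2.840.113556.1.4.1941:=$grpDn)" @('distinguishedName', 'objectSid')) {
    $sid  = ConvertTo-SidString $m.Properties['objectsid'][0]
    $flag = if ($privilegedSuffixes | Where-Object { $sid.EndsWith($_) }) { 'PRIVILEGED' } else { 'ok        ' }
    "  [{0}] {1}" -f $flag, $m.Properties['distinguishedname'][0]
}

# 2. Explicit ACEs granted to the group on the domain head, containers and OUs.
#    Inherited ACEs are skipped; the parent object that carries them is reported itself.
"`nExplicit ACEs for '$GroupName':"
foreach ($c in Find-Ldap '(|(objectClass=domainDNS)(objectClass=container)(objectClass=organizationalUnit))' @('distinguishedName')) {
    $dn    = [string]$c.Properties['distinguishedname'][0]
    $rules = $c.GetDirectoryEntry().psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $grpSid) { continue }
        $scope = if ($dn -eq $AllowedOuDn -or $dn.EndsWith(",$AllowedOuDn")) { 'in scope    ' } else { 'OUT OF SCOPE' }
        "  [{0}] {1}: {2} {3}" -f $scope, $dn, $rule.AccessControlType, $rule.ActiveDirectoryRights
    }
}
```

Anything reported as PRIVILEGED or OUT OF SCOPE violates the "no rights outside their OUs" requirement from the question. The second check only covers OUs and containers; rights delegated directly on individual objects, or through membership of local groups on member servers, are not visible here.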

Author Comment

by:UBB
ID: 37831913
Hello
I'm getting very flustered with this as I can't get it to work.
Please see attached where I have made a change similar to yours to make the restricted group a member of the domain admins group.

In theory, this leads me to believe that when one of the USA admins logs onto a client PC, the restricted group GPO makes them a member of the local administrators group on that client PC with, the group being part of Domain Admins only whilst they are logged onto local client machines???

If one of the admins tries to install software on a client PC they get 'Requested Operation requires elevation'. This has thrown me completely.
They must only have LOCAL ADMINISTRATIVE rights to any client PC they log onto (all client PCs are in the same parent OU).

I've also read that RG GPOs must be applied to computer accounts. Is that correct? In which case I need to add all computer accounts under the heading 'Security Filtering' in the GPO.


Have I got it all wrong?
It's this one thing I need to resolve before visiting site and handing over all the kit.

Appreciate any further help you can provide/clarify.

thanks, regards
[Attachment: RestrictedGroup-2.pdf]

Expert Comment

by:kevinhsieh
ID: 37834427
You are not doing what I described. You should NOT be configuring the Administrators group to be a member of anything. The Administrators group should have members, but should not be a member of any groups.

The GPO needs to apply to the OU(s) containing the computer objects. It has no effect on user objects. If your computers are all in the same OU, you don't need security filtering, you only need to apply it to the OU that contains your PCs in USA. I assume that they are in a different OU from your European PCs.

Requested Operation requires elevation is normal for Windows Vista/7 with UAC set to the default. If the user has administrative rights, they need only to accept. If they don't have administrative rights, they would be asked for credentials.

Author Comment

by:UBB
ID: 37836874
Hello Kevin,
Maybe I'm just not getting this, so I googled it and found a lot of similar issues. Based on one of them I made some changes....

The GPO is applied to the OU that contains all the computer accounts (USA OU shown in
attachment).

in the attachment where I have 'BUILTIN/Administrators' under the 'Group' I have changed this to 'mydomain\GL-USA Delegation Group'

The 'Members of this group' is now empty.

The 'This group is a member of' now contains mydomain\Domain Admins.

This still does not work, although I will ask them to check again to ensure it's not a UAC prompt.


In ADUC 'Builtin' OU, ADMINISTRATORS group contains Domain Admins as a member.

In ADUC 'Users' OU, DOMAIN ADMINS group has 'Administrators' in the 'MEMBER OF' tab.


Am I on the right track now?
thanks, regards

Expert Comment

by:kevinhsieh
ID: 37839625
I think that you are getting things backwards. The GPO should not be used to modify anything in ADUC. The Administrators group in ADUC is for your Domain Controllers. The Administrators group should not be a member of any groups.

Your GPO is backwards. There should be nothing specified for MEMBER Of. It should only specify Members. See attached screenshot.
[Attachment: ScreenShot019.png]
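To make the shape of that screenshot concrete, here is an added PowerShell example (not from the thread) that produces the `[Group Membership]` stanza Group Policy writes into the GPO's `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` for the Restricted Groups setting described above: `BUILTIN\Administrators` gets a `__Members` line listing the local Administrator, Domain Admins and the delegated group, and an empty `__Memberof` line. Domain principals are stored as SIDs with a `*` prefix, local accounts by name (their SID differs on every machine). A guard refuses to emit a Members list that omits Domain Admins, which is the mistake from earlier in the thread. The group name is from the thread, MYDOMAIN is a placeholder, and name-to-SID resolution needs a domain-joined machine. The script writes nothing to SYSVOL; it prints the stanza so it can be compared with the real file.

```powershell
# Added example, not from the thread: model the GptTmpl.inf Restricted Groups stanza.
# Domain principals become '*SID' (as GPMC stores them); names without a domain prefix
# are local accounts and are kept verbatim, because their SID differs per machine.
function ConvertTo-PolicyIdentity {
    param([string]$Account)
    if ($Account -notmatch '\\') { return $Account }          # local account, e.g. 'Administrator'
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    "*$sid"
}

function New-RestrictedGroupStanza {
    param(
        [string]$Group,      # local group to control, e.g. 'BUILTIN\Administrators'
        [string[]]$Members   # the complete desired membership
    )
    $groupId   = ConvertTo-PolicyIdentity $Group              # -> '*S-1-5-32-544'
    $memberIds = @($Members | ForEach-Object { ConvertTo-PolicyIdentity $_ })

    # '__Members' is authoritative: on every refresh anyone not listed is removed.
    # Refuse to build a list that drops Domain Admins (domain SID ending in -512).
    if (-not ($memberIds | Where-Object { $_ -match '-512$' })) {
        throw "Members list for $Group omits Domain Admins; Domain Admins would lose local admin."
    }

    # Administrators should be a member of nothing, so __Memberof stays empty.
    @(
        "${groupId}__Memberof ="
        "${groupId}__Members = $($memberIds -join ',')"
    )
}

$header = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Group Membership]')
$stanza = New-RestrictedGroupStanza -Group 'BUILTIN\Administrators' -Members @(
    'Administrator',                       # built-in local account keeps its rights
    'MYDOMAIN\Domain Admins',              # placeholder domain; keeps Domain Admins in
    'MYDOMAIN\GL-USA Delegation Control'   # the delegated USA admins (name from the thread)
)
$header + $stanza
```

To verify an existing GPO, open `\\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` and compare its `[Group Membership]` section with this output: the `*S-1-5-32-544__Memberof` line must be empty, and the `__Members` line must contain the `-512` (Domain Admins) SID as well as the delegated group's SID. A `__Memberof` line naming Domain Admins is the reversed configuration from the previous comment.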

Author Comment

by:UBB
ID: 37841511
Thanks for putting up with me :)

I've made changes again based on your screenshot and will get the US guys to check this afternoon.

regards

Author Comment

by:UBB
ID: 37870293
This still does not seem to be working. If anyone else can throw their own comments on this, I'm hoping it will click.

Is anyone aware of any other way of achieving full admin rights on client PC's without giving the IT admins domain admin access level?

thanks, regards

Expert Comment

by:kevinhsieh
ID: 37872675
I can tell you that we are able to give users full admin rights to PCs without giving rights to the domain. Can you tell me why the screen shots I have posted are not translating to your environment? What you have posted doesn't look like what I am posting.

Author Comment

by:UBB
ID: 37873949
hello,
Your last screenshot is exactly how I have the group set up.
It may help if you can show me the 'scope' page of your example or confirm mine from previous screenshots.

I just can't work out what is going on and why it doesn't work for us.
regards

Expert Comment

by:kevinhsieh
ID: 37873975
The GPO applies to the OU with the machines. There are no WMI or non-default security filters.

Author Comment

by:UBB
ID: 37890806
ok, made the changes back to default and will retest with the USA today.
thanks.

Author Comment

by:UBB
ID: 37915167
still doesn't work sadly. I've got a consultant in tomorrow so will see how things go.
regards

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 38125598
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".

Expert Comment

by:kevinhsieh
ID: 38125599
Correct answer is #37784420. All the rest is commentary on the OP's challenges with using restricted groups.