Solved

Disallow group policy actions on local computer joined to domain

Posted on 2014-01-02
484 Views
Last Modified: 2014-01-19
Assuming we have a domain user account and the account is part of the local Administrators group, post joining a Windows 7 Ent desktop to a 2003 domain, there is a need to accomplish the following:

- Disallow creation / addition of any other service or individual domain users / groups via Domain Admins and related group policies settings within AD.

Can this be accomplished using the local Windows firewall or group security policy settings to override domain-administered policies?

Question by:fahim
10 Comments
LVL 6

Expert Comment

by:ButlerTechnology
ID: 39751059
Is this user account a member of the local administrators on the Windows 7 box? If so, the account only has broad privileges on the local Windows 7 machine.
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 39751060
I'm not sure if I understood you correctly, but if this is a regular user in the domain and only a local administrator on your Windows 7 machine, then this is not possible by default. Regular users cannot create/change/delete anything in a domain when they have no delegated rights for that.

A user added into local administrators may only create local groups/users on that Windows 7 machine. And it is not possible to limit that user from creating local users/groups because he/she is a local administrator :) So, the only option is to remove it from the local administrators group.

Regards,
Krzysztof
 

Author Comment

by:fahim
ID: 39751264
BT: Yes, the user account is a member of local admin on the Win 7 box. The account should have broad privileges on the local Win 7 machine and that's not an issue. The issue is, no one else should be able to add himself/herself into the local admin group, not even those who have domain admin rights, as the machine is part of and attached to the domain. How can this user prevent domain admins from giving themselves or other domain users elevated privileges on this machine?

iSeik: As related previously as an answer to BT's query, the need is to stop everyone across the IT system admins from doing anything on this Win7 laptop without its owner's knowledge / explicit approval, while keeping him attached to the domain.

Basically, there is a laptop holding confidential info that needs to be attached to the domain but restricted from changes applied via domain-wide group policy, and even out of bounds for domain admins.

Local admin rights are to be retained by the machine owner, who is also a domain user but added into the local admin group, and that's fine.
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 300 total points
ID: 39751273
OK, now it's much clearer for me :)

So, you can go with Group Policy Preferences (GPP) to manage who can be a member of the local Administrators group
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

or go with the old path for 2003/XP with GPO and Restricted Groups
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html

Either of the above methods allows for that, and no one would be able to add new local admins because the GPO will overwrite that.

Krzysztof
 
LVL 3

Assisted Solution

by:Detlef001
Detlef001 earned 100 total points
ID: 39751277
Hey, found two links for you..

Please refer to the following.

http://goo.gl/y7Z8Lv

http://goo.gl/w5ycej

Thanks.
 
LVL 6

Expert Comment

by:ButlerTechnology
ID: 39751306
In the long run, I don't think you can do what you are looking for. You can use group policy to manage the membership of the local admin group, but the domain admins have the ability to alter group policy. The group policy solution works if you are keeping honest people honest.
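Since, as the comment above says, a Domain Admin can always rewrite the GPO that enforces the membership, the owner's remaining control is detection: knowing when the local Administrators group changed. The following script is an added example and not from any participant in this thread. It reads the local Administrators group through the WinNT ADSI provider (available on Windows 7 / PowerShell 2.0, so no Get-LocalGroupMember is needed), compares it against an allow-list, and writes an Application event log warning when an unexpected member appears. The computer name, domain name and account names in $ExpectedMembers are constructed sample values, and the LocalAdminAudit event source is an assumed name created by the script.

```powershell
# Added example, not from the thread. Audit the local Administrators group against an
# expected list of members and record a warning when something unexpected shows up.
# Intended to be run as a scheduled task under the machine owner's local-admin account.

# Constructed sample allow-list; replace with the real machine/domain names.
$ExpectedMembers = @(
    'MYPC\Administrator',    # built-in local admin (sample value)
    'CONTOSO\fahim'          # the machine owner's domain account (sample value)
)

function Get-LocalAdminMembers {
    # WinNT provider works on PowerShell 2.0 (Windows 7) without extra modules.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members'))
    foreach ($m in $members) {
        # ADsPath is e.g. WinNT://CONTOSO/fahim or WinNT://MYPC/Administrator;
        # the last two path components are authority and account name.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '').Split('/')
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Compare-LocalAdmins {
    param([string[]]$Expected)
    $actual     = @(Get-LocalAdminMembers)
    # -notcontains is case-insensitive, matching how Windows treats account names.
    $unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $actual   -notcontains $_ })
    New-Object PSObject -Property @{
        Actual     = $actual
        Unexpected = $unexpected
        Missing    = $missing
    }
}

$result = Compare-LocalAdmins -Expected $ExpectedMembers

if ($result.Unexpected.Count -gt 0 -or $result.Missing.Count -gt 0) {
    $msg = 'Local Administrators drift on {0}. Unexpected: [{1}]. Missing: [{2}].' -f `
        $env:COMPUTERNAME, ($result.Unexpected -join ', '), ($result.Missing -join ', ')
    Write-Warning $msg

    # Assumed event source name; registering it requires local admin rights once.
    if (-not [System.Diagnostics.EventLog]::SourceExists('LocalAdminAudit')) {
        New-EventLog -LogName Application -Source 'LocalAdminAudit'
    }
    Write-EventLog -LogName Application -Source 'LocalAdminAudit' `
        -EntryType Warning -EventId 1001 -Message $msg
} else {
    Write-Output 'Local Administrators membership matches the expected list.'
}
```

Run it as a scheduled task every few minutes and forward the Application log (or the Write-Warning output) somewhere the owner, not the domain, controls, since anything kept on the domain-joined box itself can be edited by the same administrators the check is meant to notice. The comparison is by authority\name, so a member added through a nested domain group would surface as that group's name rather than the individual user.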
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 100 total points
ID: 39751984
So you are not trusting your administrators when it comes to this machine/its contents? Then don't make it accessible to them, as simple as that: don't join it. Being on the domain will enable them to undo each and every protective setting. If, however, you decide to keep it joined and to modify the machine so that they cannot undo your measures, it will not be usable on the domain any more, no longer administrable due to these serious modifications. I am sure about this as I have seen this very type of question many times before.
 

Author Comment

by:fahim
ID: 39753136
Detlef: Your links seem promising, especially the first one. The other one talks about certain scripts which probably are available only to the university's staff members.

BT: I guessed that but thought there still might be a way out, hence I asked.

McKnife: Disconnecting from the domain is an option, but I wouldn't want the user to lose his ability to print to domain-authenticated printers, and the user is a frequent traveller. Also, DHCP is AD integrated and the user doesn't get a valid IP that allows him into the right subnet and access to email servers, AV servers etc., unless authenticated to the domain.

iSeik: Will test the links out; can you re-confirm whether your solution cannot be overridden by domain admins?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 39753214
No, it can be. Domain Admins is one of the most powerful groups in the domain. They will always be able to modify GPOs.

I would consider AD RMS if you have confidential data on that notebook, and provide certificates only to those people who need access to read/modify documents. Only in this case will Domain Admins not be able to do anything with the data.

Krzysztof
 
LVL 19

Expert Comment

by:compdigit44
ID: 39755233
If your main concern in the long run is monitoring who, what and when changes are made in AD, then I suggest investing in an enterprise-wide monitoring solution like Quest Change Auditor for Active Directory. We use it at my company and it is a "priceless" tool...

http://www.quest.com/changeauditor/