IT Staff Group Memberships for Workstation Setup

Fred Marshall
I tried earlier to get the needed information on this at: https://www.experts-exchange.com/questions/29156187/Assigning-Rights-in-a-small-domain.html
I didn't quite get what I needed and had to press on.
I now have a couple of IT folks who are set up as Account Operators at least.
But this isn't adequate for them to get the Windows Firewall Rules set up on a new computer.
I've only been able to do that as a Domain Admin - which I don't want to do and don't want THEM to do.

What minimum Membership (or other settings or privileges) do I need to give them to be able to adjust the firewall (and other things in setting up a new workstation)?
Distinguished Expert 2017

Commented:
Account operators manage user accounts.
Server operators get system access.
You could use GPO with a security group that is added as local admin on workstations.
Restricted group.

Firewall settings can be managed through GPO.
kevinhsieh, Network Engineer

Commented:
Yes, they need to be a local admin on the workstation.

Use Group Policy restricted groups to make them local admin.

Start with a PC in a test OU to test the GPO before deploying to the rest of the organization.

Author

Commented:
Thanks!  
I've already done that .....
Distinguished Expert 2017

Commented:
Which? Restricted group and assigning these individuals as local admins on workstations?
Or use GPO to control firewall settings on workstations?

Or if you have an enterprise anti/virus security app, it would have a centralized way to control the clients installed on each workstation.

Author

Commented:
"Use Group Policy restricted groups to make them local admin" is what has been set up.
Since this is a new computer setup, and I'm not doing the hands-on work, wonder about things like gpupdate?
Distinguished Expert 2017

Commented:
gpupdate is a way to trigger a refresh, though a system refreshes when it is booted.
I.e., if you want to test, using gpupdate /force will direct the system to refresh GPOs for the computer and logged-in user.
On change, the user will need to log out for the changes, or the system rebooted for computer GPO.

Using gpmc on a server and the group policy wizard, you can see how and whether the GPOs will be reflected on a system and a logged-in user.

The report will indicate which GPO is applied, which settings from which GPO control.

Leave default domain policy and default domain controller policy alone.
To add settings it is often better to create specific, descriptively named GPOs.
This is also to avoid conflicting settings in multiple GPOs.

Author

Commented:
Since I'm using the GPO, is there a good command to see the effect of the result for a User on a workstation?
It would be useful to be able to ask: "Does this user have local admin privileges?"  It doesn't show up using
net user username /domain
and looking in the Local Group Memberships.
I'm not too surprised in view of how it's made to happen.
Maybe there's a simple test as compared to a "question" via a command, eh?
Distinguished Expert 2017

Commented:
You have to use the group policy management console (administrative tool); it is an installable feature.
Within gpmc, look for group policy wizard.
There is the group policy planner wizard that provides a way for hypothetical ..

In the group policy wizard, you can select the computer/workstation from the AD against which object it will run; the second screen deals with which user on the user GPO you wish to check.

The result will be a representation of the application of computer and user gpos on the ......

The results include the representation of the settings and then you can see whether the setting of interest is applied and if not potentially another GPO sets the setting before the GPO you thought will set the setting.
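
An added example, not part of the original thread: one way to answer "does this user have local admin on this workstation?" from PowerShell. With Restricted Groups the workstation's Administrators group receives a domain security group rather than the user, and "net user username /domain" lists only domain-side groups, so the check has to start from the workstation's local group and expand any domain groups in it. Assumes the RSAT ActiveDirectory module is installed on the workstation; the function name Test-LocalAdminViaGroups and the account name in the usage line are hypothetical.

```powershell
# Added example. Run on the workstation being set up, in an elevated session.
# Assumption: the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-LocalAdminViaGroups {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # SID of the domain user being checked.
    $userSid = (Get-ADUser -Identity $SamAccountName).SID.Value

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so the lookup does not depend on the OS display language.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    foreach ($m in $members) {
        # Case 1: the user was added to the local group directly.
        if ($m.SID.Value -eq $userSid) {
            return [pscustomobject]@{
                User = $SamAccountName; IsLocalAdmin = $true; Via = 'direct member'
            }
        }

        # Case 2: a domain group (for example the one pushed by the
        # Restricted Groups GPO) is a member; expand it recursively.
        if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            $nestedSids = Get-ADGroupMember -Identity $m.SID.Value -Recursive |
                ForEach-Object { $_.SID.Value }
            if ($nestedSids -contains $userSid) {
                return [pscustomobject]@{
                    User = $SamAccountName; IsLocalAdmin = $true; Via = $m.Name
                }
            }
        }
    }

    # No direct or nested membership found.
    [pscustomobject]@{ User = $SamAccountName; IsLocalAdmin = $false; Via = $null }
}

# Usage (hypothetical account name):
#   Test-LocalAdminViaGroups -SamAccountName 'jdoe'
# To confirm the computer-side GPO has applied on this workstation:
#   gpresult /r /scope computer
```

When logged on as the user in question, "whoami /groups" gives the same answer from the token side: BUILTIN\Administrators appears in the list if the membership is in effect.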
Distinguished Expert 2017
Commented:
Thank you both!
