Friday, March 30, 2007

Group Policy: Stop creating islands of customization – using Restricted Groups to Control Local User Manager

How are you managing local groups on end-user workstations? If your answer is “I’m not…”, have you let islands of customization create a security and configuration mess? Or worse, if you have customers that you provide service to, have you extended your internal mess across your entire client base?

First of all, you should be making every effort to avoid giving users local admin rights. But you already know that. And you’ve probably already read the whitepapers, called the software vendors, and used Process Monitor to watch for what applications are making what changes and where. But keep in mind that this isn’t limited to how you manage the local admin group – for instance, maybe “Domain Users” isn’t the appropriate group to be capable of logging into the Account Department computers. Whatever the case might be – how should you manage your local users and groups? Group policy.

I’m always surprised by how often I hear it said that you can’t manage lusrmgr.msc via Group Policy. Because you can! And you really should be doing so. Take a look at restricted groups. Now, I know, the KB article isn’t all that great. Indeed, the fact that you use restricted groups to manage local users and groups is conspicuously missing. So look here for more information. Keep in mind that “Members of this group” lets you specify the groups or individual users that make up the local group you identify.

Now go and test it out with Virtual PC or something, before you try to implement it. Because it can be confusing – and Group Policy (thankfully) overrides existing local settings, replacing whatever membership was configured locally. So go create a new OU in AD, make sure your test workstation lives below that OU, and scope a GPO that applies to the computer policy, at this location (GPO_name\Computer Configuration\Windows Settings\Security Settings\Restricted Groups\). Tweak it and get it right. Then you can go back and do an audit of who is already a member of what local groups (making sure it is appropriate) and build a policy that reflects that reality.
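The audit step above is the one most people skip. Here is an added example (my own script, not from the original post or any vendor tool) that enumerates local group membership on a list of workstations and reports drift from the membership a “Members of this group” policy would enforce. The computer names and the baseline are constructed placeholders; it assumes you run it as an account that can read local groups on the targets.

```powershell
# Added example: audit local group membership against an intended baseline so you
# can see exactly what a Restricted Groups policy will add or remove before it applies.
# Assumptions: computer names and the baseline below are constructed placeholders.
# The WinNT ADSI provider is used because it needs no WinRM on the target.

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$GroupName)
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # Each member is a COM object; read its ADsPath (WinNT://DOMAIN/Name or
    # WinNT://DOMAIN/COMPUTER/Name) and normalise it to DOMAIN\Name.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $segments = ($path -replace '^WinNT://', '') -split '/'
        $name = ($segments | Select-Object -Last 2) -join '\'
        # Local principals are reported under the machine name; rewrite to ".\"
        # so one baseline entry like ".\Administrator" fits every workstation.
        $name -replace ('^' + [regex]::Escape($Computer) + '\\'), '.\'
    }
}

function Test-LocalGroupDrift {
    param([string[]]$Computers, [hashtable]$Baseline)
    foreach ($c in $Computers) {
        foreach ($groupName in $Baseline.Keys) {
            try { $actual = @(Get-LocalGroupMembership -Computer $c -GroupName $groupName) }
            catch { Write-Warning "$c/$groupName : $($_.Exception.Message)"; continue }
            $expected = @($Baseline[$groupName])
            # Members present now that "Members of this group" would strip out ...
            foreach ($m in ($actual | Where-Object { $expected -notcontains $_ })) {
                [pscustomobject]@{ Computer = $c; Group = $groupName; Member = $m; Status = 'Extra' }
            }
            # ... and members the policy would add.
            foreach ($m in ($expected | Where-Object { $actual -notcontains $_ })) {
                [pscustomobject]@{ Computer = $c; Group = $groupName; Member = $m; Status = 'Missing' }
            }
        }
    }
}

# Constructed baseline mirroring what the GPO's "Members of this group" will enforce.
$baseline = @{
    'Administrators'       = @('CORP\Domain Admins', 'CORP\Workstation Admins', '.\Administrator')
    'Remote Desktop Users' = @('CORP\Helpdesk')
}
Test-LocalGroupDrift -Computers @('WS01', 'WS02') -Baseline $baseline |
    Sort-Object Computer, Group, Status | Format-Table -AutoSize
```

Anything reported as Extra is what the policy will remove on first refresh, so that list is what to reconcile with the business owners before you link the GPO.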

1 comment:

Anonymous said...

Now consider combining the above with this for better management of local admin rights.