|
Controlling
Local Group Membership
The ITS-ECM
group recommends two methods of controlling
local group memberships. Both of these methods
use Group Policies Objects (GPO) to
automatically modify the memberships of local
computer's built-in security groups. A GPO can
be created and linked to the Organizational Unit
(OU) that contains the computer objects. The GPO
can use either the computer startup script(s)
portion of the GPO or the "Restricted Groups"
portion of the policy. The GPO will check and
update which users or groups are members of the
machine’s local groups at the next reboot. The
"Restricted Groups” method is less flexible
since it takes complete control over the local
group and therefore will remove the users or
groups you’ve added through other methods.
Scripts
The
following scripts are available in the Iowa
domain (\\iowa.uiowa.edu\shared\ntadmin\vbs)
-
AddAdmin.vbs will add
additional accounts to the local
administrators group
-
AddUser.vbs will add accounts
to the local "Users" group
-
RemoveDomAdmin.vbs will
remove "IOWA\Domain Admins" from the local
"Administrators" group
-
RemoveDefaultGroups.vbs will
remove "IOWA\Domain Users", Authenticated
Users, and INTERACTIVE from the "Users"
group.
To use the
scripts:
-
Open Active Directory Users
and Computers.
-
Browse to the OU that will
contain the computer account objects
-
Open "Properties"
-
Select the Group Policy Tab
-
Create a new Group Policy
Object
-
Edit the new object
-
In the Group Policy MMC,
browse to:
-
Computer
Configuration/Windows Settings/Scripts
-
Double Click Startup then Add
-
Type the script that you wish
to add:
-
Enter:
\\iowa.uiowa.edu\shared\ntadmin\vbs\<scriptname>
-
For the "Addxxx.vbs" scripts,
specify groups or users in the Script
parameters dialog box that you would like to
add
-
Example IOWA\bogus
IOWA\bogus-Group
-
Multiple users or groups
can be added by using a <space> between
the names
An example
for OU Administrators:
During the
process of joining a Windows computer to a
domain, the “Domain Admins” group is
automatically added to the local computer’s
Administrators group and the “Domain Users”
group is added to the local Users group. For OU
Admins that are not Domain Admins, they would
not be granted local admin access by this
action. Using the AddAdmin.vbs in a GPO with
IOWA\OUA-<department> as the script parameter
would take care of the problem.
Note:
The
AddUsers.exe utility which is included with the
Windows Resource Kit Another is another simple
way of controlling local group memberships using
the same GPO startup scripting method stated
above.
For more
information
http://support.microsoft.com/default.aspx?scid=kb;en-us;q199878
Restricted
Groups
To use restricted groups:
-
Open Active Directory Users
and Computers.
-
Browse to the OU that will
contain the computer account objects
-
Open "Properties"
-
Select the Group Policy Tab
-
Create a new Group Policy
Object
-
Edit the new object
-
In the Group Policy MMC,
browse to:
-
Computer
Configuration/Windows Settings/Security
Settings/Restricted Groups
-
Right-Click and choose "Add
Group"
-
The group name you enter will
be the group that is restricted
(Administrators)
-
Select the group and choose
Add a member to this group.
|
