Computing.Net > Forums > Windows Server 2003 > Adding Domain Users - local Power Users


Adding Domain Users - local Power Users


Name: RTAdams89
Date: September 17, 2009 at 11:08:52 Pacific
OS: XP Pro
CPU/Ram: 3.5GB Ram
Product: Custom / NA
Subcategory: Configurations
Comment:

I want to make all my AD users in the "Domain users" group to the local "Power Users" group when they logon to a computer via group policy.

I am aware of the "Restricted Groups" section, which is what I want to use, but in my searches, there seems to be two very different views on the right way.

If I go to Computer Config\Windows Settings\Security Settings\ and then right-click "Restricted Groups" and choose "Add Group", what should I type in the "Add group" dialog box that pops up? Should it be the domain user group (such as "DOMAIN\Domain Users") or the local group (just "Power Users")?

Then, based on that answer, should I edit the "Members of this group" or the "This group is a member of" list?

Again, I have searched and found a bunch of info, but the answers to the above two questions vary depending on the source.

-Ryan Adams

Free Computer Tips and more: http://RyanTAdams.com
Paid Tech Support: Black Diamond




Response Number 1
Name: jefro
Date: September 17, 2009 at 15:36:15 Pacific
Reply:

Power users have a lot of control. You should consider keeping the users as low as possible. If they really do need power then make new users and give them two users and tell them to use Run As to do what they need.

Normally in a domain you don't let users log on locally but it is how you setup the system.

Playing to the angels
Les Paul (1915-2009)



Response Number 2
Name: RTAdams89
Date: September 17, 2009 at 16:41:57 Pacific
Reply:

I understand the implications.

-Ryan Adams

Free Computer Tips and more: http://RyanTAdams.com
Paid Tech Support: Black Diamond



Response Number 3
Name: alexharvey
Date: September 18, 2009 at 01:56:26 Pacific
Reply:

There are two ways of doing this. First is to write a script to update the local group at logon. This can work quite well. For example:

addnew.bat

rem Usage: addnew.bat <username>
rem "password" is a placeholder initial password; <server> and <local group> are placeholders too
rem Create the domain account with a home directory and logon script
net user %1 password /add /homedir:\\<server>\users\%1 /scriptpath:login.bat /domain
rem Add the account to a local group (repeat this line for each local group)
net localgroup "<local group>" %1 /add
rem Add the account to a global group (repeat this line for each global group)
net group "<groups>" %1 /add /domain
rem Seed the home directory from the template directory
xcopy \\<server>\users\template \\<server>\users\%1 /e
rem Force a sync to each BDC you might be authenticating to (repeat for all BDCs)
nltest /sync /server:BDCname
rem sleep.exe comes from the Windows Resource Kit; give replication time to finish
sleep 20
rem Remove the Everyone permission from the directory, then grant the user and Administrators full control
cacls \\<server>\users\%1 /e /r Everyone
cacls \\<server>\users\%1 /g %1:F /e
cacls \\<server>\users\%1 /g Administrators:F /e

or

The easiest way of doing this is using either Vista/7 or 2008 Server to create a new group policy. Under User Configuration/Preferences/Control Panel Settings you can set Local Users and Groups via GPO.

Your clients may need their client-side extension updating using the following kb article.

http://support.microsoft.com/kb/943729

Hope this helps,

Alex.



Response Number 4
Name: RTAdams89
Date: September 18, 2009 at 08:29:09 Pacific
Reply:

I would prefer to use Group Policy. Why do I need to use Vista/2008 to do that? The functionality exists in XP/2003 (and I believe even 2000)?

Again, I've found plenty of sources to explain how to do it with a GPO, but there seems to be a 50/50 split on what to name the group added to the Restricted Groups setting in the GPO. Some sites say to name it after the local group (in this case "Power Users") and then add the domain user group to the "members of this group" section, while other sites say to name it after the domain group (in this case DOMAIN\Domain Users) and then add the local group to the "this group is a member of" section. Which way is right?

-Ryan Adams

Free Computer Tips and more: http://RyanTAdams.com
Paid Tech Support: Black Diamond


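The two Restricted Groups styles described in the post above are stored as two different keys in the GPO's GptTmpl.inf: a `__Members` entry on the local group is enforced (anything not listed is removed at the next policy refresh), while a `__Memberof` entry on the domain group only adds that group to the listed local groups. The following audit helper is an added example, not code from this thread; it parses a constructed `[Group Membership]` section (the S-1-5-21-... domain SID is a made-up placeholder) and reports which effect each line has.

```python
import re

# Constructed lookup for the well-known SIDs that matter in this thread (not exhaustive).
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-547": "BUILTIN\\Power Users"}
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users"}

# Constructed sample section using both styles at once; the domain SID is made up.
SAMPLE_INF = """[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111-2222-3333-513
*S-1-5-21-1111-2222-3333-513__Memberof = *S-1-5-32-547
*S-1-5-21-1111-2222-3333-513__Members =
"""


def friendly(sid):
    # Map a "*SID" token to a readable name; unresolved names pass through unchanged.
    sid = sid.lstrip("*")
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m and m.group(1) in DOMAIN_RIDS:
        return "DOMAIN\\" + DOMAIN_RIDS[m.group(1)]
    return sid


def parse_group_membership(text):
    """Return {group: {"Members": [...], "Memberof": [...]}} for the section."""
    rules, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "__" not in line:
            continue
        key, _, value = line.partition("=")
        group, kind = key.strip().rsplit("__", 1)
        members = [v.strip() for v in value.split(",") if v.strip()]
        rules.setdefault(group, {"Members": [], "Memberof": []})[kind.capitalize()] = members
    return rules


def describe(rules):
    """One finding per effect: a Members list is enforced, a Memberof list is additive."""
    out = []
    for group, r in rules.items():
        name = friendly(group)
        if r["Members"]:
            out.append(f"{name}: membership REPLACED with "
                       + ", ".join(friendly(m) for m in r["Members"]))
        for target in r["Memberof"]:
            out.append(f"{name}: ADDED to {friendly(target)} (existing members kept)")
    return out
```

Run it against the GptTmpl.inf under the GPO's SYSVOL folder before linking the policy to the OU, so the enforced style does not silently strip members you meant to keep.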

Response Number 5
Name: Jennifer SUMN
Date: September 22, 2009 at 08:41:53 Pacific
Reply:

I'm wondering why you feel you need to elevate the user privileges in the first place.

LIR





Response Number 6
Name: RTAdams89
Date: September 22, 2009 at 11:32:36 Pacific
Reply:

Because one department runs a bunch of legacy programs (that control machinery in the shop) that don't work under a non-admin account. That department is in an OU, and I don't want to go to each computer and have to manually make each user a Power User.

It's a lot easier to justify making the users Power Users and investing in additional security measures, than it is to buy new industry specific software and machines...

-Ryan Adams

Free Computer Tips and more: http://RyanTAdams.com
Paid Tech Support: Black Diamond



Response Number 7
Name: dhazar
Date: October 23, 2009 at 12:02:22 Pacific
Reply:

Here is the way I use Restricted groups in my environment.

http://davidhazar.blogspot.com/2009/10/active-directory-group-policy.html

David Hazar



Response Number 8
Name: ace_omega
Date: October 23, 2009 at 13:03:25 Pacific
Reply:

So, are you polling us on what is the best way to set this up?

If so, my opinion is to name the groups with a name that does not describe what they have access to. If you set up an OU that says Power Users and a hacker gets into your system, the first thing they are going to do is add themselves to that group. This is why some people change the name on their Administrator user to something like John Smith to hide the defaults from hackers. The same would apply to OU Groups. In addition, once you have the groups set up then you would go in and remove the Domain Users from your shares and add the OU Groups in place. This way you don't have to worry about a hacker adding themselves to one of the restricted groups that you cannot delete and gaining access that way.

The other concept to this kind of security is Honey Potting your groups. You make a group called Elite Users (which hackers cannot refuse; the word Elite, or better yet l33t, drives them crazy), then you put bogus users in that group. Last you add it to your Shares as Deny. Now you can monitor the logs for someone trying to authenticate on that group and you know when a hacker is on your system.

There are MANY MANY ways to do this, this is just my stupid opinion. I am sure others will post theirs. You should have worded your subject like "I need Advice" and you would have gotten more takers.



Response Number 9
Name: dhazar
Date: October 23, 2009 at 13:59:17 Pacific
Reply:

If a hacker has access to make changes to my Active Directory, I am not so worried that he knows which groups to add himself to. He could look at the group policy objects and figure it out anyway. Why not just add himself to Domain or Enterprise Admins while he is at it?

There is always a trade-off between security and functionality/ease-of-use. Your point is noted though.

