If your company is like most companies, you have users running as local administrators on their desktop. There are solutions to eliminate this need, which is a direction every company should make. When users run as local administrators, the IT staff has no control over that user or their desktop. In order for you to secure the local Administrators group on every desktop, you need to have some powerful tools to get the job done. There are typically three different tasks that you need to perform to secure this group, which we will cover in this article. Windows Server 2008 and Windows Vista SP1 (with the RSAT installed) provide amazing new controls that make these configurations a breeze!
Task 1 - Remove Domain User Account
The initial task of securing the local Administrators group is to ensure that the user no longer has membership in the group. This is easier said than done, since most companies have configured the user's domain account to have membership in this group at installation of the user's computer.
Consider a scenario where you have resolved the issue of having users running as local Administrator and now you need to remove the domain user accounts from the local Administrators group on every desktop in your environment. You only have 10,000 desktops, laptops, and remote users, so you only have a small task ahead of you (yeah right!).
If you create a script to perform this task, you are relying on the user to logoff and back on for the script to run. Not likely to happen on even half of the desktops, so you need another option.
As a perfect solution, you can use the Local Group - Group Policy Preference to accomplish the task within about 90 minutes of you implementing it. To get the job done, you simply need to edit a Group Policy Object (GPO) and configure the following policy: User Configuration\Preferences\Control Panel Settings\Local Users and Groups\New\Local Group, which will open up the New Local Group Properties dialog box, as shown in Figure 1.
Figure 1: Local Group GPP which allows you to control the membership of the local Administrators group
After you open up this property sheet, simply select the Remove the current user radio button. This will affect all user accounts that are in the scope of management of the GPO containing this setting. This setting will apply during the next Group Policy background refresh, which is under 90 minutes.
If you have not solved your issue with having users removed from the local Administrators group due to local applications requiring this setting, refer to http://www.windowsecurity.com/articles/Windows-Vista-Principle-Least-Privilege.html.
Task 2 - Add Domain Admins and Local Administrator
The next phase of your securing the local Administrators group is to ensure that the Domain Admins global group and the local Administrator account are both added to the local Administrators group in every desktop.
Many have attempted this by using the Restricted Groups policy that has been in Windows Active Directory Group Policy from the onset. The problem with this solution is that the Restricted Groups policy is a "delete and replace" policy, not an "append" policy. Thus, when you configure a policy to perform this task, you will wipe out the contents of the local Administrators group, replacing it with only these two accounts.
By using the Local Users and Groups policy that was described in Task 1, you can not only remove the current logged on user, but you can add in the two key accounts that will ensure you have the correct administrative privileges set on each desktop, as shown in Figure 2.
Figure 2: Appending the membership of the local Administrators group is easy
Task 3 - Remove Specific Accounts
The final stage of securing the local Administrators group is to ensure that only the correct accounts have membership. In many cases, there have been groups from the domain added to the local Administrators group to perform a specific task, complete a project, or perform maintenance. If these groups are no longer needed in the local Administrators group, you can simply remove them with the new Local Users and Groups policy.
In a similar fashion that you added the two accounts in task 2, you can add accounts to the policy that need to be removed. To do this, ensure that you select the "Remove from this group" option when you add the account to the policy, as shown in Figure 3.
Figure 3: Removing a specific user or group from the local Administrators group is possible
Now, you have complete control over the membership of the local Administrators group, even removing only the user and group accounts that should not be included.
Obtaining the Tools and the Rules
I have mentioned over and over the use of the Group Policy Preferences that come with Windows Server 2008 and Vista. In order for you to take advantage of these settings, you only need to have ONE of the following on your network:
- Windows Server 2008 Server
- Windows Vista SP1, with the Remote Server Administrative Toolset installed
Both of these operating systems come with the new and improved Group Policy Management Console and Group Policy Management Editor.
The settings that are included in the new Group Policy Preferences can apply to the following operating systems:
- Windows XP SP2 and higher
- Windows Server 2003 SP1 and higher
- Windows Vista SP1 and higher
- Windows Server 2008 and higher
Sorry, anything Windows 2000 does not apply!
For more information on Group Policy Preferences and RSAT, check out the following links:
- Windows Group Policy Resource Kit: Windows Server 2008 and Windows Vista
- Group Policy Preferences Frequently Asked Questions (FAQ)
- Microsoft Remote Server Administration Tools for Windows Vista (KB941314)
It is 100% true that IT has NO control over a desktop where the user has local administrative privileges. All companies need to get control back of the desktops, as well as secure the local Administrators group. These steps are now possible due to the Group Policy Preferences that come with Windows Server 2008 and Vista. With just a few clicks, you can gain 100% control over your desktops and the local Administrators group. The settings will apply in about 90 minutes, to all computers that are joined to the domain and are on the network. There are no requirements for users to logoff and back on... the policy settings just apply!