Group Policy: Administrator Rights for Specific Users on Specific Computers

security permissions active-directory group-policy

I'm a programmer stuck trying to administer an Active Directory setup for a small company. The Domain Controller is running Windows Small Business Server 2008.

We have a staff of field workers using tablet PC's; configuration problems with the tablet's ThinkVantage bloatware will require these users to have Administrator right when using the tablets. That's alright – it's useful for them to have broad privileges when I'm walking them through a fix over the phone, so I'm not looking for a work-around there.

I would like to use Group Policy to set up the following scenario: The users in a particular security group (or organization unit) should be in the BUILTIN/Administrators group when logged in to computers in a certain security group (or organization unit). It's okay if the computers have to be in an OU, but I'd prefer to assign users by group.

Of course, the field workers shouldn't be Administrators on other workstations, and vanilla office staff shouldn't be Admins on the tablets.

Currently, this is being managed locally on each tablet, but as we add new hires, it's becoming more of a hassle.

I feel like Restricted Groups is the answer here, but without a solid grounding in AD concepts and methods, I'm having a hard time making it happen.

What is the proper technique for this task, and how would I go about implementing it?


Solution 1:

Create a group to encapsulate the users (Local-Admins-Tablets) and add them to this group

Create a sub-OU of the current workstations OU and put the tablets in here (Workstations\Tablets)

Create a GPO (Local-Admins-Tablets-Policy) and link it to the Workstations\Tablets OU

In the GPO, set the following:

  • Comp Config - Policies - Windows Settings - Security Settings - Restricted Groups
  • Right click, Add Group
  • "Administrators", OK
  • Members of this Group: myDomain\Local-Admins-Tablets

Reboot the PCs, and done.

Bear in mind that setting Restricted Groups will overwrite the machines existing list of local Administrators. If you have other users/groups in there already, you will need to add them to this policy too. Other examples would be myDomain\Domain Admins etc

EDIT: Oh, and change the filtering on the GPO and add Domain Computers. The easiest way to do this is to use the Group Policy Management MMC snapin (you can get this from the Remote Server Administration Tools from Microsoft)

Solution 2:

Izzy's answer is fine if you don't care that the Administrators group will effectively be locked out of future changes from the local machine. This will also wipe out any groups that were already members of the Administrators group before the policy setting was applied.

However, you can use the same policy setting in a slightly different way to bypass those annoyances (assuming you even consider them annoyances).

  • Create the OU/Group structure the same way as before
  • When you are in the Restricted Groups section of the group policy object, Add Group, but instead of specifying Administrators, specify YOURDOMAIN\Local-Admins-Tablets.
  • In the "This group is a member of" section, click Add and enter Administrators

It's a subtle but important difference in the way the two sections work. Members of this group effectively works out to be "Group A will only ever contain Groups X, Y, and Z". This group is a member of effectively works out to be "Make sure Group A is a member of Groups X, Y, and Z".

Once you've set policy with Members of this group, the only thing that can modify the group's membership is an overriding policy object that also uses Members of this group or any other policy using This group is a member of.

Solution 3:

It seems like all you really need to do is create a group policy that adds a Domain Group to the local administrators group. This is pretty easily to accomplish with a simple startup script or with the Group Policy Preferences.

Simple startup script to add group members.

DomainName="example"
Set oShell = WScript.CreateObject("WScript.Shell")
Set oProcsEnv = oShell.Environment("Process")
ComputerName = oProcsEnv("COMPUTERNAME")
Set oGroup = GetObject("WinNT://" & ComputerName & "/" & "Administrators")
If Not oGroup.IsMember("WinNT://"&DomainName&"/_Group_Tablet_Admins") Then _
    oGroup.Add ("WinNT://"&DomainName&"/_Group_Tablet_Admins")

Related

Linux server is only using 60% of memory, then swapping
KVM and virtual to physical CPU mapping
OS docker container: what is the difference with a VM then?
Adding port forwardings programmatically on a ControlMaster SSH session
What is wrong with my SSL trust chain?
Squid HTTPS Tunnelling using CONNECT very slow
Password expiration policies [closed]
Disabling rp_filter on one interface
Starting a script as another user
Auto-login in Windows Server 2008
Permissions issue with virtual directory to UNC path
Installing .Net 3.5 on Windows 2012 R2