Windows 7 thread (Technical forum): local administrator still locked down
#1 clareq

    local administrator still locked down

    On our new domain we are trying to lock down staff as much as possible on desktop PCs, but give them local administrator access on the laptop they are assigned. However, when I add their domain account to the local administrator group on the laptop, they are still affected by the domain GPOs - even off the network. Ideally I'd like them to be able to save on the desktop or in a folder on the C drive and be able to install a printer or program if necessary, but as they can't see the C drive and only get the redirected start menu, none of that is possible. Am I missing something obvious? I really don't want to loosen the GPOs that affect their use of shared machines.

#2 ChrisH
    Use a loopback policy on the laptop OU and change the settings you want to change.

#3 clareq
    The settings that are holding are set in the user policy, but I only want to undo them for one particular machine per user. Would a loopback policy allow me to do that? I've come from a RM background, and I'm on a very steep learning curve here. We're using Server 2012 R2 and SCCM if that helps.

#4 ChrisH
    You set the policy on the machine OU and enable loopback policy processing and this will apply the user settings only on that OU that the computer account is in. To do it on multiple machines for single users would be quite messy but doable.

Thanks to ChrisH from: clareq (18th June 2014)
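The loopback approach ChrisH describes in posts #2 and #4, as an added example that is not from the thread: it creates a GPO on the staff-laptop OU, turns on user Group Policy loopback processing in Merge mode, relaxes one user setting (the hidden C: drive mentioned in post #1) in that GPO only, and gives a check to run on a laptop afterwards. It needs the RSAT GroupPolicy module; the OU path and GPO name are assumed placeholders.

```powershell
# Added example, not from the thread: build the loopback GPO ChrisH describes.
# Run on a domain-joined admin box with the RSAT GroupPolicy module; the OU path
# and GPO name below are assumed placeholders.
Import-Module GroupPolicy

$GpoName  = 'Staff Laptops - Loopback'                          # assumed name
$LaptopOU = 'OU=Staff Laptops,OU=Computers,DC=example,DC=local' # assumed OU

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Computer Configuration > Policies > Administrative Templates > System > Group Policy
# > "Configure user Group Policy loopback processing mode".
#   1 = Merge   : the user's normal GPOs apply first, then the user settings of the GPOs
#                 linked to the laptop OU apply on top and win on conflicts.
#   2 = Replace : only user settings from GPOs linked to the laptop OU apply at all.
# Merge keeps the shared-desktop lockdown intact for every setting this GPO leaves alone.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# One user setting to relax on laptops only, as an illustration: "Hide these specified
# drives in My Computer" -> 0 is "Do not restrict drives", so C: becomes visible again.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 0 | Out-Null

# Link to the laptop OU only if not already linked (New-GPLink errors on a duplicate).
$links = (Get-GPInheritance -Target $LaptopOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $LaptopOU -LinkEnabled Yes | Out-Null
}

# Check on a laptop after 'gpupdate /force' and a fresh logon: this registry value is
# what the Group Policy client reads, so it is the quickest sanity check.
function Test-LoopbackMode {
    $key  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($mode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}
Test-LoopbackMode
```

Two things worth knowing before relying on it: the relaxed settings follow the computer, so any user who logs on to a machine in that OU gets them, which is why shared laptops must sit in a different OU; and `gpresult /r /scope:user` run on the laptop should list the loopback GPO under applied objects, otherwise look at OU placement and link order before anything else.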

#5 clareq
    We have over 100 staff laptops - would we therefore need over 100 separate OUs? That seems very messy - there must be a better way.

#6 free780
Put the laptops in an OU. Link the GPO. The Restricted Groups part of the GPO is not user but computer. Do the staff have to be local admins?

Thanks to free780 from: clareq (18th June 2014)

#7 clareq
They need to be able to set up their home wireless and printing, save any work they've done at home to the hard drive, possibly install software for testing, that sort of thing. I want them locked down on any other machine they use - if they break their laptop due to their stupidity they only inconvenience themselves; on a shared machine they affect other users.

#8 ChrisH
So really they won't be using other staff members' laptops?

#9 clareq
    Probably not - there is some sharing going on, I'm sure, but our Laptop agreement does state they won't loan it to another member of staff. I see where you're coming from - a loopback to allow all staff elevated permissions on the staff laptops, on the basis it's their fault if they share it.

#10 ChrisH
Yup, pretty much.

#11 clareq
I'll give it a go in the morning - thanks for the help.

#12
Quote Originally Posted by clareq:
        They need to be able to set up their home wireless and printing, save any work they've done at home to the hard drive, possibly install software for testing, that sort of thing. I want them locked down on any other machine they use - if they break their laptop due to their stupidity they only inconvenience themselves; on a shared machine they affect other users.
    All this can be done without giving them admin rights, just change the relevant GPOs. For the WLAN one you would only need to add them to the network configuration group rather than local admins; as regards printing, that is quite easy, as we used to let users play with printer settings to their hearts' content.

    If you do need to give them local admin rights, create an AD group, i.e. "local laptop administrators", add them all to it and apply that. If they have admin rights on their own, there is nothing stopping them as such on others, but certainly you can fix it all without giving them admin rights.

    Always work to the principle of least privilege.
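Post #12's two options side by side, as an added example that is not from the thread: granting a domain group the built-in Network Configuration Operators rights (the lower-privilege route) versus granting a dedicated AD group local Administrators membership, and an audit of who actually ends up in Administrators. It uses ADSI so it runs on Windows 7, where Add-LocalGroupMember does not exist; the NetBIOS domain and group names are assumed placeholders. Centrally you would push the same membership with Restricted Groups or Group Policy Preferences on the laptop OU; this is the per-machine check that confirms the result.

```powershell
# Added example, not from the thread. Domain and group names are assumed placeholders.
# Uses the WinNT ADSI provider because Add-LocalGroupMember is absent on Windows 7.

function Get-LocalGroupMemberName {
    # Lists members of a local group as DOMAIN/Name (or COMPUTER/Name for local accounts).
    param([Parameter(Mandatory)][string]$LocalGroup)
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalGroup,group"
    @($grp.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

function Add-DomainGroupToLocalGroup {
    # Idempotent: adds the domain group only if it is not already a member.
    param(
        [Parameter(Mandatory)][string]$LocalGroup,   # e.g. 'Administrators'
        [Parameter(Mandatory)][string]$Domain,       # NetBIOS domain name (assumed 'EXAMPLE')
        [Parameter(Mandatory)][string]$DomainGroup   # AD group, e.g. 'Laptop Local Admins'
    )
    $want = "$Domain/$DomainGroup"
    if (Get-LocalGroupMemberName -LocalGroup $LocalGroup | Where-Object { $_ -eq $want }) {
        return "$want already in $LocalGroup"
    }
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalGroup,group"
    $grp.Add("WinNT://$Domain/$DomainGroup,group")
    "$want added to $LocalGroup"
}

# Lower-privilege route from post #12: network configuration rights without local admin.
Add-DomainGroupToLocalGroup -LocalGroup 'Network Configuration Operators' `
    -Domain 'EXAMPLE' -DomainGroup 'Laptop Network Users'

# Full local admin through one AD group, so membership is managed in AD rather than per laptop.
Add-DomainGroupToLocalGroup -LocalGroup 'Administrators' `
    -Domain 'EXAMPLE' -DomainGroup 'Laptop Local Admins'

# Audit: what is actually in Administrators on this laptop right now?
Get-LocalGroupMemberName -LocalGroup 'Administrators'
```

The audit line is the part to keep: a domain group in local Administrators is only as tight as that group's membership, so whoever maintains "Laptop Local Admins" in AD is effectively handing out local admin on every staff laptop at once.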

#13 FN-GM
    Quote Originally Posted by ChrisH:
        Use a loopback policy on the laptop OU and change the settings you want to change.
    I wouldn't use loopback; I would use a WMI filter. Have a separate policy for desktops and laptops.

#14 clareq
    Can't use WMI - there are some shared laptops I want them to have restricted rights on.

#15 FN-GM
    Quote Originally Posted by clareq:
        Can't use WMI - there are some shared laptops I want them to have restricted rights on.
    Well then you would make a WMI filter that didn't apply to these laptops. Only make one that is applied to the ones that are not shared.
    Last edited by FN-GM; 19th June 2014 at 07:37 AM.
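FN-GM's WMI-filter route from posts #13 and #15, as an added example that is not from the thread: a query that matches portable chassis types, a second query that excludes the shared laptops by name, and a function that evaluates them the way the Group Policy client does (every query in a filter must return at least one instance). The `SHARED-` naming prefix is an assumed convention; the chassis values are the standard SMBIOS ones Win32_SystemEnclosure reports.

```powershell
# Added example, not from the thread: WQL queries for a laptops-only WMI filter, plus
# a local test so they can be checked on a real machine before going into the GPO.
# The 'SHARED-' prefix is an assumed naming convention for the shared laptops.

# Query 1: is this a portable? ChassisTypes 8, 9, 10 and 14 are Portable, Laptop,
# Notebook and Sub Notebook in the SMBIOS enumeration exposed by Win32_SystemEnclosure.
$IsLaptop  = 'SELECT * FROM Win32_SystemEnclosure WHERE ChassisTypes = 8 OR ChassisTypes = 9 OR ChassisTypes = 10 OR ChassisTypes = 14'

# Query 2: exclude the shared laptops clareq wants kept locked down, by computer name.
# WQL LIKE uses % as its wildcard.
$NotShared = "SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE 'SHARED-%'"

function Test-WmiFilter {
    # $true only when every query returns at least one instance: the same rule the
    # Group Policy client applies to a WMI filter that holds several queries.
    param([Parameter(Mandatory)][string[]]$Query)
    foreach ($q in $Query) {
        $rows = @(Get-WmiObject -Query $q -ErrorAction Stop)
        if ($rows.Count -eq 0) { return $false }
    }
    return $true
}

# Expected: $true on a staff laptop such as LT-0042, $false on SHARED-LT-01 or on a desktop.
$applies = Test-WmiFilter -Query $IsLaptop, $NotShared
"Laptop-only GPO would apply to $env:COMPUTERNAME : $applies"

# When the chassis query is $false on a machine you know is a laptop, look at what the
# firmware actually reports; some vendors return 3 (Desktop) or 1 (Other) on portables.
(Get-WmiObject Win32_SystemEnclosure).ChassisTypes
```

Run it on one staff laptop, one shared laptop and one desktop before linking the filter to the GPO. Because the exclusion hinges on the computer name, renaming a shared laptop silently moves it into the relaxed policy, so the naming convention becomes part of the control and wants to be enforced where machines are built.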
