best way to set local admins

  #1 mrstrong

    Hi,

    I've noticed that all our PCs have a default list of local administrators.

    This has been done via group policy: the GPO is linked at the domain
    so affects all OUs and uses "Restricted Groups" with just one group:
    Administrators.

    Looking at its properties I see under "Members of this group"
    a list of users/groups.

    I need more fine-grained control and am not sure of the best way to approach it.

    If I delete this "Restricted Groups" setting from the GPO which applies at the domain level,
    what will happen?
    Will local admins revert to whatever they were previously on each PC or will they just stay as is?

    Should I set "Restricted Groups" via another GPO at a lower-level OU, e.g. using inheritance?

    Thanks

  #2 mrstrong
    Anybody use restricted groups?

  #3 Davit2005
    We use restricted groups for local administrators for many reasons. For one, it's a quick way to give someone the ability to install specific software on their workstation without compromising the whole system by making them Domain Admins, which I have seen
    Last edited by Davit2005; 10th February 2014 at 03:23 PM.

  #4 chazzy2501
    Not sure what you're doing, but GPP can edit local accounts. I use this to disable some old local accounts and set the administrator password in case some pupil figures out how to hack the local admin password... it'll set it right back

  #5 penfold
    Generally, if you make a change through GP the clients will hold that setting until it is changed again. If you want to see what happens when you make changes on a GPO you can always disable rather than delete it. That way, should you accidentally lock yourself out of something, you can always re-enable the GPO and reboot the client.

    If you want to test some GPO settings, create a test OU, move a client and test user into that, and create a new GPO there. Once testing is done you can either add it to a specific OU or further up the chain to apply to more objects.

  #6 free780
    Yep, test, test. You can create a GPO with restricted groups, add an AD group, then apply it to an OU with the PCs the user/s need to be administrator of.

  #7 MordyT
    Quote Originally Posted by chazzy2501:
        Not sure what you're doing, but GPP can edit local accounts. I use this to disable some old local accounts and set the administrator password in case some pupil figures out how to hack the local admin password... it'll set it right back
    Someone pointed out to me that is a bad idea as someone can edit the XML files and see the password in plain text

  #8 mrstrong
    OK, thanks all.
    I'll do some testing and then, if it looks OK, I'll probably edit the GPO linked at the domain level so the Administrators group
    has only proper admin members, e.g. Domain Admins.
    Then link a new GPO with a restricted groups setting to a lower-down OU, e.g. "office computers", with say "office staff" in the Administrators group.

  #9 mrstrong
    Looks OK after testing. Made some notes as I went along:

    Disabled the GPO link at the domain; then, after a gpupdate and machine reboot, I see local admins are back to the old values.
    Can check members via "net localgroup administrators".
    So re-enabled the link but tweaked the members of BUILTIN\Administrators.
    Linked a new GPO at a lower-down OU but used caution as "last writer wins" (not merged).
    Decided to create a "NewGroup" with the extra admin users in and added it as a restricted group,
    then added it as a "member of" Administrators.
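
    The check in the notes above ("net localgroup administrators") can be turned into a drift test against the membership the Restricted Groups GPOs are meant to enforce. The following is an added example, not from any poster in the thread; the CONTOSO domain, the group names and the sample command output are constructed.

```python
"""Compare the real local Administrators membership with what Restricted Groups should enforce.
Added example, not from the thread: parses "net localgroup administrators" output (the check
used in post #9) and reports drift against an intended member list."""
import subprocess
import sys

# Constructed sample in the layout "net localgroup administrators" prints; CONTOSO is a placeholder domain.
SAMPLE_OUTPUT = """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\\Domain Admins
CONTOSO\\office staff
localhelpdesk
The command completed successfully.
"""

# Hypothetical intended set for an "office computers" OU: Domain Admins plus the OU's office staff group.
INTENDED_ADMINS = {"Administrator", "CONTOSO\\Domain Admins", "CONTOSO\\office staff"}

def parse_net_localgroup(output):
    """Return the member names listed between the dashed rule and the trailer line."""
    members, in_members = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True
        elif in_members and line.startswith("The command completed"):
            break
        elif in_members and line:
            members.append(line)
    return members

def check_membership(actual, intended):
    """Case-insensitive diff. Restricted Groups 'Members of this group' replaces the whole list
    (last writer wins): a missing intended member usually means the OU-level GPO did not apply
    or was overwritten; an unexpected member is local drift that the next refresh should remove."""
    actual_map = {m.casefold(): m for m in actual}
    intended_map = {m.casefold(): m for m in intended}
    unexpected = sorted(actual_map[k] for k in actual_map.keys() - intended_map.keys())
    missing = sorted(intended_map[k] for k in intended_map.keys() - actual_map.keys())
    return unexpected, missing

if __name__ == "__main__":
    # On Windows read the live output; elsewhere fall back to the constructed sample.
    raw = (subprocess.run(["net", "localgroup", "administrators"], capture_output=True,
                          text=True, check=True).stdout if sys.platform == "win32" else SAMPLE_OUTPUT)
    print(check_membership(parse_net_localgroup(raw), INTENDED_ADMINS))
```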

  #10 chazzy2501
    Quote Originally Posted by MordyT:
        Someone pointed out to me that is a bad idea as someone can edit the XML files and see the password in plain text
    Humm, I don't think so. Here is the display of the XML from one of my local accounts:

    Code:
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="test" image="2" changed="2011-02-08 15:25:48" uid="{BC12EEED-5D85-4B22-8ADB-CB4384E06685}"><Properties action="U" newName="" fullName="" description="I've been updated by GPOP" cpassword="X9TRYzbd48xabczRWha2i+AxxstcqhZE9nZeJc4/MKeMXtwCoQ0hkb8Zg0XIH/P87" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="1" subAuthority="" userName="test"/></User>
    I've changed the password a bit but not made it longer, just swapped out some chars.

    It may be reversible but not quite plain text. You'd need hard drive access to see it anyway and I think anything less than whole drive encryption won't help that.

  #11 MordyT
    Quote Originally Posted by chazzy2501:
        Humm, I don't think so. Here is the display of the XML from one of my local accounts:

        I've changed the password a bit but not made it longer, just swapped out some chars.

        It may be reversible but not quite plain text. You'd need hard drive access to see it anyway and I think anything less than whole drive encryption won't help that.
    Just to make sure we are talking about the same thing....

    You are using GPP to set a local password on a machine. You edited the XML file in the sysvol folder on the server and that's what it showed?

    And, I would be more than happy to destroy any misconceptions you have about preventing users from being able to access the C drive.
    Last edited by MordyT; 13th February 2014 at 05:23 AM.
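
The thread leaves the cpassword question open. It is recoverable: the attribute is AES-encrypted with a key Microsoft published in its own documentation, so anyone who can read SYSVOL (every domain user, by default) can get the plaintext, and Microsoft later removed the ability to set passwords through GPP in a 2014 security update. The remediation is to stop using GPP for passwords and remove any existing cpassword entries. The audit below is an added example, not code from any poster; it finds such entries without decrypting anything, and the sample XML, root clsid, second uid and cpassword value are constructed placeholders.

```python
"""Audit Group Policy Preferences XML for stored credentials (the cpassword attribute).
Added example, not from the thread. GPP stores these files under the SYSVOL share at
Policies/{GUID}/(Machine|User)/Preferences/<type>/<type>.xml, readable by every domain user."""
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Groups.xml fragment quoted in the thread;
# the root clsid, second uid and the cpassword value are placeholders.
SAMPLE_GROUPS_XML = """<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="test" image="2"
        changed="2011-02-08 15:25:48" uid="{BC12EEED-5D85-4B22-8ADB-CB4384E06685}">
    <Properties action="U" newName="" fullName="" description="constructed"
                cpassword="PLACEHOLDER-BASE64" changeLogon="1" noChange="0"
                neverExpires="0" acctDisabled="1" subAuthority="" userName="test"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="oldlocal" image="2"
        changed="2011-02-08 15:26:00" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" fullName="" description="disabled only"
                acctDisabled="1" subAuthority="" userName="oldlocal"/>
  </User>
</Groups>
"""

# Attributes naming the account in the preference types that can carry a cpassword
# (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element that stores a cpassword; never the value itself."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
        findings.append({"source": source, "tag": elem.tag, "account": account,
                         "disabled": elem.attrib.get("acctDisabled") == "1"})
    return findings

def scan_preferences(root_dir):
    """Walk a Policies tree (or a local copy of it) and collect cpassword findings."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".xml"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        findings.extend(find_cpasswords(fh.read(), path))
                except (OSError, ET.ParseError):
                    pass  # unreadable or non-XML file: skip it and keep scanning
    return findings
```

Even a finding with "disabled": True matters: the stored credential is still readable, and the account can be re-enabled locally.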
