Chris Madge

Group Policy

Setting users as Local Admin on Workstations

In the Windows XP era, system administrators were forced to give end users local admin access on their desktops. Unfortunately, end users got used to having that extra power, and now that there is no longer a technical reason to give them admin access, we are unable to take it away for political reasons.

The question is how you give end users local admin en masse without giving away the whole farm. I have seen organizations where “Domain Users” has been added to the local Administrators group. The problem with this is that every domain user now has admin access to that workstation, not just the actively logged-in user. I have also seen a couple of instances where “Everyone” was added to the local Administrators group. This is a horrible security practice and should be avoided at all costs, as you are allowing everyone, authenticated or not, full access to the system.

The easiest way around all of this is to add the built-in “Interactive” identity to the local Administrators group. This ensures that only the currently logged-in user has local admin access to the computer (and the Domain Admins, of course). Note that “Interactive” is a logon-type identity rather than a particular account: any account permitted to log on to that machine interactively is elevated while logged on, so who is allowed to log on locally is what really bounds the admin population.

Here at The RSC Group we are going through a standardization of processes and procedures. A lot of Group Policies are getting written, SCCM is in place for software distribution and software updates, etc. As a result this issue came up, and here is how we solved it.

1. We created an Active Directory OU in which to place the computer accounts of the workstations we wanted to manage.

2. We created a Group Policy Object (GPO) and applied it to the new OU that we created.

3. In that GPO we defined a “Startup” script that adds the “Interactive” identity to the local Administrators group.

The startup script we added is borrowed from a Computing.Net forum thread (see here).

Here is the code:

Set oWshNet = CreateObject("WScript.Network")

' Well Known Security Identifiers in Windows (Server) Operating Systems:
' http://support.microsoft.com/?id=243330

sGroupSID = "S-1-5-32-544" ' Well Known SID of the group Administrators
sComputer = oWshNet.ComputerName
sDomainGroup = "Domain users"

' Look up the local Administrators group by SID so the localized group name is used
Set oWMIService = GetObject("winmgmts:\\" & sComputer & "\root\cimv2")
Set colItems = oWMIService.ExecQuery("Select * from Win32_Group WHERE SID = '" & sGroupSID & "'")
For Each oItem in colItems
    sAdminGroup = oItem.Name
Next
Set objGroup = GetObject("WinNT://" & sComputer & "/" & sAdminGroup & ",group")

' suppress errors in case group is already a member
On Error Resume Next

' finds localized name of the Interactive account
Set objSid = oWMIService.Get("Win32_SID.SID='S-1-5-4'")
DNPath = "WinNT://" & objSid.ReferencedDomainName & "/" & objSid.AccountName

' adds Interactive group to local Administrators group
If NOT objGroup.IsMember(DNPath) Then objGroup.Add(DNPath)

' if domain users are member of local admin group, remove it
Set localdomain = oWMIService.ExecQuery("Select * from Win32_NTDomain")
For Each objItem in localdomain
    DNPath = "WinNT://" & objItem.DomainName & "/" & sDomainGroup
    If objGroup.IsMember(DNPath) Then objGroup.Remove(DNPath)
Next

4. We pasted this code into Notepad, saved it as “Localadmin.vbs” and added it to the GPO as a startup script.

5. Reboot the target machines, and the actively logged-in user will have local admin rights.
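To verify the result after the reboot, and to catch the “Domain Users” and “Everyone” mistakes described above, here is an added PowerShell audit script (not from the original post or the forum thread). It assumes it is run locally with administrative rights and uses the same WinNT provider and well-known SIDs as the VBScript; the function name Get-LocalAdminAudit and the verdict labels are my own.

```powershell
# Added audit script: lists the members of the local Administrators group and
# flags the broad principals the post warns about. Assumes local admin rights;
# the WinNT ADSI provider and the .NET SecurityIdentifier class are standard.

function Get-LocalAdminAudit {
    # Resolve Administrators by well-known SID so the localized name does not
    # matter (same idea as the VBScript's Win32_Group lookup).
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $adminName = ($adminSid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"

    foreach ($member in @($group.Invoke('Members'))) {
        $path  = $member.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value

        # Classify by SID rather than display name so renamed or localized
        # groups are still recognised.
        $verdict = switch -Regex ($sid) {
            '^S-1-1-0$'         { 'CRITICAL: Everyone is a local admin' }
            '^S-1-5-7$'         { 'CRITICAL: Anonymous Logon is a local admin' }
            '^S-1-5-11$'        { 'HIGH: Authenticated Users (any domain account) is a local admin' }
            '^S-1-5-21-.*-513$' { 'HIGH: RID 513 (Domain Users) is a local admin' }
            '^S-1-5-4$'         { 'OK: Interactive (logged-on user only), as the GPO intends' }
            '^S-1-5-21-.*-512$' { 'OK: RID 512 (Domain Admins), expected by default' }
            '^S-1-5-21-.*-500$' { 'INFO: built-in Administrator account' }
            default             { 'REVIEW: explicit account or group, confirm it is intended' }
        }

        [pscustomobject]@{
            Member  = $path -replace '^WinNT://', ''
            SID     = $sid
            Verdict = $verdict
        }
    }
}

Get-LocalAdminAudit | Format-Table -AutoSize
```

Run it on a freshly rebooted workstation: a correct result shows S-1-5-4 as OK and no CRITICAL or HIGH rows; anything flagged HIGH is a candidate for the removal step in the startup script.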