Removing User Admin Rights

    Question

  • I am currently assisting in managing a domain of 3-4000 users. All of our users have administrative privileges on their machines. We are looking into several different ways of removing these administrative rights for obvious security reasons.

    I have read about privilege management software like Avecto, but it would be great if you could utilize something like Restricted Groups in Active Directory or SCCM 2012R2 to achieve this somehow.

    I read about Restricted Groups here:

    http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html

    I am wondering if we can achieve this by deploying these Restricted Group GPOs. I understand that these GPOs are linked to computer accounts, though, but I am under the impression that I can restrict adding accounts to the admin group and explicitly allow other accounts.

    Our AD functional level is 2008R2 and 99% of our workstations are running Win7 32-bit. Has anyone had any experience removing user administrative rights without purchasing third-party software?

    Friday, April 24, 2015 8:46 PM

Answers

  • We are in the process of deploying Avecto Privilege Guard (new name is DefendPoint).
    We are doing this in conjunction with revising our GPP-Local Users & Groups settings (which we decided to use some time ago, instead of using classic Restricted Groups).

    You'll need to use some method (and GP seems to be a good one) to take control of the local Administrators group membership.
    Avecto PG can/will block all attempts to modify that group (due to its anti-tamper protections), but, presumably like us, you will need to evict unauthorised members of that group, and then protect that group from further modifications.

    We also found that the anti-tamper protections of Avecto PG even prevent GP from cleaning up the group members, and it was suggested to us by Avecto support that we create an Avecto PG policy which allows LocalSystem to bypass the protection. (GP CSEs like this will run in the LocalSystem context.)

    You don't need Avecto PG to remove admin rights, you can do it with Domain GP. But, how do you maintain that position/integrity? And, how do you then allow users to perform some tasks, tasks which require privilege but your organisation approves of those tasks being performed by users, but Windows doesn't allow that?

    There are many types of technical controls to implement "security" (if that is your goal), but you will find that each and every control can be bypassed with enough time and effort. Especially if your users are the determined type of person, who also considers that their need to "do that thing" will make them productive/happy - they will ignore all company policies in pursuit of that productivity/happiness (or so it seems to me from my experience).

    IT Support efforts/costs will rise, not drop - we are seeing this already.
    Hatred towards IT (both systems and the people in IT) is also rising.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Saturday, April 25, 2015 1:20 AM
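As an added example (not Don's, Avecto's or Microsoft's code), here is the audit-and-evict step that both the question and this answer describe: listing local Administrators members that are not on an approved list, and optionally removing them, before a Restricted Groups or GPP Local Users & Groups policy takes over enforcement. The CONTOSO domain and the "Workstation Admins" group are assumed placeholders.

```powershell
# Added example, not code from the thread: audit (and optionally evict) local
# Administrators members that are not on an approved list, as a one-off pass
# before GP Restricted Groups / GPP Local Users & Groups enforces membership.
# Uses the ADSI WinNT provider so it also runs on the Windows 7 / PowerShell 2.0
# hosts from the question (no Get-LocalGroupMember cmdlet there).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$Remove   # report-only unless -Remove is given
)

# Approved members. 'LOCAL\' is expanded to each target's own computer name.
$Approved = @(
    'LOCAL\Administrator',        # built-in account (ideally LAPS-managed)
    'CONTOSO\Domain Admins',      # placeholder domain
    'CONTOSO\Workstation Admins'  # hypothetical delegated admin group
)

function Get-LocalAdminMembers([string]$Computer) {
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Members come back as COM objects; read each ADsPath (WinNT://DOMAIN/Name)
    # via reflection and normalise it to DOMAIN\Name.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-UnapprovedLocalAdmins([string]$Computer, [string[]]$AllowList) {
    $allowHere = $AllowList -replace '^LOCAL\\', "$Computer\"
    # -notcontains is case-insensitive for strings, matching Windows naming.
    Get-LocalAdminMembers $Computer | Where-Object { $allowHere -notcontains $_ }
}

function Remove-LocalAdminMember([string]$Computer, [string]$Member) {
    # $Member is DOMAIN\Name; the WinNT provider wants WinNT://DOMAIN/Name.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Remove', 'WinNT://' + ($Member -replace '\\', '/'))
}

foreach ($c in $ComputerName) {
    foreach ($m in @(Get-UnapprovedLocalAdmins $c $Approved)) {
        if ($Remove) {
            Remove-LocalAdminMember $c $m
            Write-Output "$c : removed $m from Administrators"
        } else {
            Write-Output "$c : unapproved Administrators member $m"
        }
    }
}
```

Run it read-only against a pilot set of workstations first; once the membership is clean, the Restricted Groups or GPP policy keeps it that way on every refresh.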

All replies

  • Thanks Don!
    Friday, May 01, 2015 1:24 PM