none
Filtering Builtin Local Group accounts?

    Question

  • I've got what I believe should be a fairly easy issue to resolve but I'm not sure how to best tackle it.  I've got an Active Directory Domain (2008 R2 Functional Level) and my company is using the Builtin Backup Operators local group to add a User account which is acting as a Service account.  This account is being deployed Directory-wide within that Builtin Local Group.  However, we have 4 systems that need this filtered out as that same User/Service account specifically needs only Local Administrator permissions on those 4 systems, which they have.  I've discovered that if the account has both Local Admin and Backup Operators permissions, problems arise with our backup software (another story all together).

    Can anyone advise as to how/if it's possible to filter out the User Account from the Backup Operators Group on only 4 of the systems in the enterprise?  Manually removing them per system results in the accounts being automatically added back.

    Thank you



    • Edited by Steve_A_04 Friday, April 10, 2015 5:39 PM
    Friday, April 10, 2015 5:36 PM

Answers

All replies

  • ......This account is being deployed Directory-wide within that Builtin Local Group.  

    Can anyone advise as to how/if it's possible to filter out the User Account from the Backup Operators Group on only 4 of the systems in the enterprise?  Manually removing them per system results in the accounts being automatically added back.

    Depending upon how you are "deploying" this, you might use: WMI Filtering on the GPO, or Security Filtering on the GPO, or ILT on the GPO. (assuming you are using a GPO for that deployment)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Friday, April 10, 2015 8:39 PM
  • Hi,

    If I understand you correctly,  you'd like to filter out the account on the 4 systems. You might use security filtering to filter out the 4 systems in your backup group policy, in this way you would not use the User account in the backup operators. And you can perform the backup locally on the 4 systems mannually or run a scheduled task.

    Here i can provide you some reference for the security filtering and WMI filtering:

    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx

    Hope it helps.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 14, 2015 2:19 AM
    Moderator
  • Hi Steve,

    May I know if there's any update about this issue?

    Looking forward to your feedback.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 16, 2015 6:41 AM
    Moderator