restricted groups gpo, allow remote sessions for users

  • Question

  • Hi All,

    Here's my scenario.

    All users are also local administrators of their machines.

    1. I wanted to restrict users from installing/uninstalling software and other privileged stuff.

    2. For that I created a restricted groups GPO and applied it.

    3. Everything worked fine.

    4. Until one of the users, who had to log in remotely, could not log in because of insufficient rights.

    5. Now my understanding is that the restricted groups GPO has overridden the permissions for the local user to use Remote Desktop or Remote Web Workplace.

    How can I make it work with the restricted groups GPO so that users can log in remotely?

    Thanks

    Tuesday, March 30, 2010 12:14 PM

Answers

  • If you are controlling the local admin group using the "restricted groups" policy option "members", then any member of the local admin group that is not explicitly defined will be automatically removed. If you have someone in the local admin group because the "restricted groups" option put them there, then they have full admin access to the PC... and thus... have COMPLETE CONTROL... If a local admin knows what they are doing they can even disable / change group policy settings... HOWEVER... You could grant them only power user access, which would stop them from being able to install software... or you could use AppLocker if they are running Windows 7 or Software Restriction Policies if they are running Windows XP.

    Group Policy Preferences can also be used to manage the members of the local admin group... this can be just as powerful as the "members" option, however you can configure it to be much more granular. I have written a blog on how to do this at http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/


    Alan Burchill http://www.grouppolicy.biz
    • Marked as answer by outstream Wednesday, March 31, 2010 3:23 PM
    Tuesday, March 30, 2010 10:17 PM
  • Simply... you use restricted group policy (or group policy preferences) to stop them from ever becoming admins. This ensures that no unauthorised users will be a member of the local admin group...

    This is easier said than done.... you must ensure your application will run without admin access. If you are running a Windows XP environment then there are a few things that you need to give them admin access for... changing time zones... and installing printers....


    Alan Burchill http://www.grouppolicy.biz
    • Marked as answer by Bruce-Liu Wednesday, April 7, 2010 2:54 AM
    Monday, April 5, 2010 10:42 AM

All replies

  • Hello,

    if your users are local admins you can't restrict them, because they are admin, admin, admin.......................


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 30, 2010 12:28 PM
  • Ermm... I thought the restricted groups GPO overwrites the rights of local admins. I have given the users in the restricted users group all the rights, so only users in that group can be admins.

    And I saw it happening practically on my server.

    I'm sorry if I was unable to make myself clear earlier.

    Tuesday, March 30, 2010 2:11 PM
  • If I understand correctly, you don't want the end users to be administrators on their computers, but you still want them to be able to log in via remote desktop.  It will depend on a lot of things, but this is generally done by adding the users to the remote desktop users local group.  I generally do this by creating a domain global group, and using restricted groups to add it to the remote desktop users local group. 

    Joseph Durnal

    Wednesday, March 31, 2010 1:07 PM
  • The problem got solved.

    Thanks all

    Wednesday, March 31, 2010 3:23 PM
  • Hi Joseph!

    I would like to know how to create a Restricted Groups policy properly, because I don't want the end users to be administrators on their PCs.

    Please advise!

    Thanks in advance!

    Zin

    Monday, April 5, 2010 9:19 AM
  • Hi Outstream,

    Could you please let me know how you set this GPO for remote control?

    I have the same situation and have to set a GPO to allow some special users to have remote permission while most users, who have local admin, don't have remote permission.

    I have set one GPO, but it does not work for me.

    I have no idea about this.

    Please kindly let me know the instructions step by step.

    Thank you very much.

    Sunday, December 12, 2010 3:11 AM
  • Here are my notes on Restricted Groups. I hope it helps.

    ==================================================================
    ==================================================================
    Restricted Groups

    I usually do this from a non-DC with the GPMC installed because you need access to local groups on a non-DC, however manually typing in "Administrators" or "Users" should work if you do it from a DC.

    Going on memory... forgive me if I missed a step...

    In AD, create an OU and call it Restricted Groups (or whatever you want to call it)
    In AD, create a group and call it Local Power Users Group
    Create another group and call it Local Admin Users Group
    Log on as domain admin on an XP machine
    Install the GPMC on the XP machine
    Open the GPMC and navigate to the OU you created above
    Create and link a new GPO to the OU
    Right-click on it and choose Edit
    Navigate to the Computer section, and Restricted Groups
    Choose new group, browse to the domain's Local Power Users Group and add it to the local XP machine's groups, and choose Power Users
    Choose new group, browse to the AD domain's Local Admin Users Group and add it to the local XP machine's groups and choose Administrators
    Move the computer to the OU
    Add the user to the Local Power Users Group in AD that you created above
    On the machine where the user is logged on, have him logoff and logon
    You may have to have him do it twice
    In the XP computer's Computer Management console, look at the local Power Users and Administrators groups and see if Domain\Local Power Users Group is added to the machine's local Power Users group and Local Admin Users Group is added to the machine's local Administrators group. If so, they will show up as grayed out, meaning the policy is working. If you added the user to the domain's Local Power Users Group, then the user should now be able to perform the actions of a Power User.


    ------
    Related Links:

    Using Restricted Groups
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    Restricted groups are made for that:
    http://www.frickelsoft.net/blog/?p=13


    ------
    You can also use Group Policy Preferences:

    You can take advantage of the Local Users and Groups settings of Group
    Policy Preferences, which gives you an option to add the current user to an
    arbitrary local group (including local Administrators). For more info, refer
    to http://technet.microsoft.com/en-us/library/cc731972.aspx
    ==================================================================
    ==================================================================

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Sunday, December 12, 2010 6:25 AM
  • Hi Ace,

    Thanks for your detailed explanation about this.

    However, my current problem is below:

    The environment is that there are a lot of computers in the domain, and all users in the domain are local administrators when logging on to the computer. There is a security issue: when someone remotes into a computer, they can modify and see anything on the remote computer. Also they can remote into any computer in the domain. So we want to disable the remote option on all computers in the domain, but some people need remote permission; we have to give the permission to these special persons and keep the other persons from remoting while they still have local admin permission. As I know, we can disable the remote option on all computers and grant remote permission to the special ones, as long as the users are just domain users, not local admins. If they are local admins, they can add themselves to the remote group whenever they want.

    My concern is how to achieve this by using GPO: grant the special persons remote permission and disable the remote option for those who don't need remote permission on the computer, and also keep all users with local admin permission in the domain.

    Thanks a lot.

    Monday, December 13, 2010 2:12 AM
  • Sounds like a tall order. If all users are local administrators by using a Restricted Groups policy, then they are local admins on every machine. Not much you can do about that, as far as I can see. I would maybe suggest setting it back to default, then logging on as administrator on each machine, or scripting it, and only giving each specific user local administrator rights just for the machine they are always using and no others.

    Looking at it closer, the following is quoted from the link below:

    When you enable Remote Desktop on a computer, you enable the capability for other users and groups to log on remotely to the computer. However, you must also decide which users and groups should be able to log on remotely, and then manually add them to the Remote Desktop Users group. For more information, see Enabling users to connect remotely to the server and Add users to the Remote Desktop Users group.

    Enable or disable Remote Desktop
    http://technet.microsoft.com/en-us/library/cc727977(WS.10).aspx

    But the problem in your case is that everyone's local admin, and that group is already part of the local remote desktop group. Therefore, what I would probably suggest to do is:

    • What I mentioned in the first paragraph, which will make it work or
    • Keep everyone local admin, but go into the local rights of the machine and add the Domain Admin group to the remote desktop group, and then remove the local administrators group from it. This part you can do using Restricted groups so it's consistent across the domain.

    You would of course test this first with a test account and a test computer account in a separate test OU. You'll want to make sure the local admin can't add themselves to the remote desktop group.

    It's a long shot, but I would lean towards my first suggestion.

    Let us know which direction you'll take this.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, December 13, 2010 4:02 AM
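Ace's notes end with checking in Computer Management that the domain groups show up in the local Administrators group, and his last reply says to make sure a local admin cannot keep himself in the Remote Desktop Users group. As an added example that is not from the thread, the PowerShell check below does that inspection on one machine for both groups; it assumes a current Windows version (Get-LocalGroupMember from the LocalAccounts module, Windows 10 / Server 2016 or later, rather than the XP era of the thread) and uses placeholder domain and group names.

```powershell
# Added example (not from the thread): verify that a Restricted Groups or
# Group Policy Preferences policy left the local Administrators and
# Remote Desktop Users groups in the intended state on this machine.
# Assumptions: Windows 10 / Server 2016+ (Get-LocalGroupMember), an
# elevated prompt, 'gpupdate /force' already run, and placeholder names
# for the domain (CONTOSO) and the domain groups the policy should add.

$Domain = 'CONTOSO'

# Expected members per local group, keyed by well-known SID so the check
# does not depend on the OS display language. The built-in local
# Administrator account cannot be removed from Administrators, so it is
# always expected there.
$Expected = @{
    'S-1-5-32-544' = @{                      # BUILTIN\Administrators
        Label   = 'Administrators'
        Members = @("$env:COMPUTERNAME\Administrator",
                    "$Domain\Domain Admins",
                    "$Domain\Local Admin Users Group")
    }
    'S-1-5-32-555' = @{                      # BUILTIN\Remote Desktop Users
        Label   = 'Remote Desktop Users'
        Members = @("$Domain\RDP Allowed Users")   # placeholder group name
    }
}

function Test-RestrictedGroupState {
    param([hashtable]$Expected)
    $problems = @()
    foreach ($sid in $Expected.Keys) {
        $spec   = $Expected[$sid]
        $actual = Get-LocalGroupMember -SID $sid -ErrorAction Stop |
                  ForEach-Object { $_.Name }
        # Members the policy should have removed, e.g. a user who added
        # himself while he was still a local admin.
        foreach ($m in $actual) {
            if ($spec.Members -notcontains $m) {
                $problems += "$($spec.Label): unexpected member '$m'"
            }
        }
        # Expected domain groups the policy has not (yet) added.
        foreach ($m in $spec.Members) {
            if ($actual -notcontains $m) {
                $problems += "$($spec.Label): missing expected member '$m'"
            }
        }
    }
    return $problems
}

$findings = Test-RestrictedGroupState -Expected $Expected
if ($findings.Count -eq 0) { Write-Output 'OK: local group membership matches the policy.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it again after a local admin tries to add himself to Remote Desktop Users and after the next policy refresh; with the "Members" option the extra entry should be gone, which is the test Ace's reply asks for.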