Grant each domain user Local Admin rights, but prevent them from accessing other devices

  • Question

  • Hello technet!

    Right now, we're granting users Local Admin rights via Restricted Groups (GPO), by adding the security group to the BUILTIN\ADMINISTRATORS group. However, this lets each user open the administrative shares on machines they do not own.

    This poses security and privacy issues and I'm looking for a method to change that.

    How can we grant Local Administrator rights to each domain user, on their own respective laptop; without granting Local Admin rights on ALL devices in the domain.

    If this is not possible, how can we grant 'the highest possible user rights' without granting access to administrative shares or pstools.

    Love to hear,

    Tuesday, December 27, 2016 6:53 AM

All replies

  • Hi,

    To my knowledge, if we want to control a shared folder's access rights, we just need to configure the folder's own share permission level: configure Everyone's permission level as Read.

    Restricted Groups is a good way to grant Local Admin rights to Active Directory users, I agree with you.

    In addition, let's look forward to other users' suggestions.

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 28, 2016 2:26 AM
    Moderator
    How many laptops \ workstations do you want to do this for? The only way to give admin on one PC but not on the others would be to add them to that PC \ laptop only.

    This can be done by creating a group in AD called 'computername Administrators'. Then add the users you want to admin rights on that computer to that group.

    In group policy add '%DomainName%\%ComputerName% Administrators' to the local admins group. You will need to create a 'computername Administrators' group for each PC you want to grant users admin rights to, then add users to those groups.


    • Edited by -Mr Happy- Wednesday, December 28, 2016 3:13 PM
    Wednesday, December 28, 2016 3:12 PM
  • it'll have to be done for at least 200 devices; so that would be quite the pain.

    Right now we are considering other options (like giving the user exclusive rights to its profile/documents so that other admins cannot access it) and just accept that the C$ share will be available..

    Thursday, December 29, 2016 12:19 PM
    On 29.12.2016 at 13:19, Alex van den Bos wrote:
    > it'll have to be done for at least 200 devices; so that would be quite
    > the pain.
     
    Easy and simple, you are just a little lazy ...? If you do not do it by
    ruleset or AD, how do you think the magic will happen? Does it come out
    of the sutton?
     
    If there is a 1-to-1 situation, then there needs to be a rule that
    identifies EACH INDIVIDUAL system, and if there are 200 machines, someone
    needs to define 200 rules.
     
    Can you script it? Can it be done automatically by an AD attribute? SURE!
    But someone had to define 200 AD attributes prior to this ... it's like
    it is: there are 200 machines, which will give 200 definitions. That's
    mathematics, nothing else.
    As Mr Happy said, create 1 secgroup per machine.
     
    Todo: get a list of all computer accounts, foreach create secgroup
    %computername%-Admins, that's a PoSH or Batch one-liner.
     
    Adding the specific user to the secgroup takes a little while if you do not know
    who is logging on to which machine. I would "monitor" the logon for a week.
     
    Todo: create a textfile in a share and simply do an echo of the
    %username% and %computername%; after a week, foreach %username% add the user
    to %computername%-Admins.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Thursday, December 29, 2016 1:29 PM
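The per-computer group procedure that Mr Happy and Mark describe above, written out as a PowerShell script. This is an added example, not code from the thread: it assumes the RSAT ActiveDirectory module, a single domain, and placeholder names (the OU, the share path, and the `<Computer>-Admins` naming pattern are all assumptions to replace with your own).

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module,
# a single domain, and placeholder names: the OU below, the share path, and the
# group name pattern "<Computer>-Admins".
Import-Module ActiveDirectory

$GroupOU  = 'OU=LocalAdminGroups,DC=example,DC=com'   # assumed OU that will hold the ~200 groups
$LogShare = '\\fileserver\logonlog$'                  # assumed share; Domain Users need write access
$LogFile  = Join-Path $LogShare 'logons.csv'

# --- Step 1: one security group per (non-server) computer account -------------
function New-PerComputerAdminGroups {
    $computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' -Properties OperatingSystem
    foreach ($c in $computers) {
        $name = "$($c.Name)-Admins"
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU `
                        -Description "Members are local Administrators on $($c.Name) only"
            Write-Output "Created $name"
        }
    }
}

# --- Step 2: the line that runs from the user logon script for a week ----------
# Appends "user,computer,timestamp" so step 3 can pair people with machines.
function Write-LogonRecord {
    "$env:USERNAME,$env:COMPUTERNAME,$(Get-Date -Format o)" | Add-Content -Path $LogFile
}

# --- Step 3: after the week, fill the groups from the log ----------------------
function Add-LoggedUsersToGroups {
    Import-Csv -Path $LogFile -Header User,Computer,When |
        Select-Object User,Computer -Unique |
        ForEach-Object {
            $u = $_.User
            $g = "$($_.Computer)-Admins"
            if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
                Write-Warning "No group $g (machine outside step 1's scope?) - skipping $u"
                return                      # next record
            }
            $already = Get-ADGroupMember -Identity $g | Where-Object { $_.SamAccountName -eq $u }
            if (-not $already) {
                Add-ADGroupMember -Identity $g -Members $u
                Write-Output "Added $u to $g"
            }
        }
}

# Run order: step 1 now, step 2 from the logon script for a week, then step 3.
# New-PerComputerAdminGroups
# Write-LogonRecord
# Add-LoggedUsersToGroups
```

The membership itself is then pushed with Group Policy Preferences (Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups), adding a member named `%DomainName%\%ComputerName%-Admins` to the local Administrators group; Preferences resolves the variable per machine, so a single policy covers all 200 laptops. Two things to check before running step 3: everyone who appears in the log becomes an administrator of that machine, so review the list (helpdesk staff who logged on to a laptop during the week will be in it), and the log file is itself a map of who uses which device, so restrict read access on the share to the people running this.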
  • I think I'll try solving it with a logon script that first removes all users from the local admin group, then adds the current user to local admin group. We do not wish to clutter AD with all sorts of device specific security groups, and we need the user to be able to logon on each machine and be local administrator for the sessions, whilst not being able to access the administrative shares on other devices, or the usage of PStools/other device related scripts to shutdown a machine from the network.

    Since it is impossible to keep a complete list of every user that logs on to every machine, I think that'll be the 'easiest' solution.


    Thursday, December 29, 2016 2:36 PM
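The logon-time approach in the post above (strip the local Administrators group, then add the current user), as an added PowerShell example that is not from the thread. It assumes Windows 10 / PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, and that it runs as SYSTEM from a scheduled task triggered "at log on of any user": a plain user logon script runs as the user, who at that moment is not an administrator and cannot change the group. The helpdesk group name `EXAMPLE\Workstation-Admins` is an assumption.

```powershell
# Added example (not from the thread). Assumes Windows 10 / PowerShell 5.1 with the
# Microsoft.PowerShell.LocalAccounts module, running as SYSTEM from a scheduled task
# triggered at logon. The Restricted Groups setting mentioned in the thread must be
# removed first, or the next policy refresh will put the whole security group back.

$Group = 'Administrators'

# Principals that must stay in the group regardless of who logs on.
# Matched by RID so a renamed account does not slip through:
#   500 = built-in local Administrator, 512 = Domain Admins.
$KeepRids  = @('500', '512')
$KeepNames = @('EXAMPLE\Workstation-Admins')   # assumed helpdesk group; replace with your own

function Get-ConsoleUser {
    # "DOMAIN\user" of the interactive session, or $null if nobody is logged on yet
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

function Sync-LocalAdmins {
    param([Parameter(Mandatory)][string]$User)

    # Orphaned SIDs in the group make Get-LocalGroupMember error on some builds;
    # continue with what it can resolve rather than aborting the whole sync.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue

    foreach ($m in $members) {
        $rid  = ($m.SID.Value -split '-')[-1]
        $keep = ($KeepRids -contains $rid) -or
                ($KeepNames -contains $m.Name) -or
                ($m.Name -eq $User)              # -eq is case-insensitive
        if (-not $keep) {
            Write-Output "Removing $($m.Name) from $Group"
            Remove-LocalGroupMember -Group $Group -Member $m
        }
    }

    if (-not ($members | Where-Object { $_.Name -eq $User })) {
        Write-Output "Adding $User to $Group"
        Add-LocalGroupMember -Group $Group -Member $User
        # Group membership is read into the access token at logon, so the
        # rights only take effect after the user signs out and back in.
        Write-Output "$User must log off and on again before the change is effective"
    }
}

$user = Get-ConsoleUser
if ($user) {
    Sync-LocalAdmins -User $user
} else {
    Write-Output 'No interactive user yet; nothing to do'
}
```

What this buys and what it does not: a user who is an administrator only on their own laptop cannot open `\\otherlaptop\C$` or run PsTools against it, because the other machine's Administrators group no longer contains them. It does not stop a Domain Admin from opening the user's machine, and on a shared laptop the previous user's rights are removed the moment the next person logs on, so keep the helpdesk group in `$KeepNames` for the cases where that is the intended access path.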
  • Yes, your idea is correct, please mark your reply to close this case.

    Hope your experience will help other forum users who meet with a similar scenario.



    Friday, January 6, 2017 8:24 AM
    Moderator
  • That will work, but bear in mind that adding the user to the group after they have logged on will have no effect on their current session. For their admin rights to be effective, they will need to log off and back on after having been added to the group.
    Friday, January 6, 2017 8:57 AM