Restricted Groups..

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi Guys

I need to edit my DC GPO Policy so it includes RGs. I need to add Domain Admins.

Having looked on the tinternet, ive not managed to find the method.

Can anyone help me out here ? Im not all that clued up with RGs as i have never used them until now.

Thanks in advance.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I believe that only domain admins can modify the domain admins group. If you want the GPO to apply to DA's, you will need to have a DA set it for you.

Also, depending on what the GPO does, it might not make a difference whether you add them to it or not. Domain Admin rights supercede almost everything in the domain, so if your GPO is, for instance, restricting members from being able to modify their IE options (such as homepage, etc). It wont work.

 

Iam domain admins and setting this up so if other users / techies get added to domain admins, my policy will remove there membership.

 

Im not sure that you can do that to be honest. You are aware though, that only a DA or higher can add someone to the DA group, right. So something like that shouldnt really be necessary For a start, DA's should have enough knowledge of the system to not accidentally add someone to that group - if they dont then they shouldnt have the DA authority.

I'll double check with one of my colleagues who a DA, to be sure.

 

Quoted from my colleague:

 

I can confirm that my GPO is applied to DCs only as a Computer based policy.

I work for a company which has 200'000 employees. My domain is just a portion of it as you can imange we have multipe forests / domains across the globe.

i just want to increase the security as we have domain admins out there who may add someone to the DAs group which shouldnt be there, so this policy i talk of will have a list of users or a group who should have DA's and strip the ones who shouldnt in theory.

 

I would suggest that, rather than working on a GPO. You review the security of the domain.

If you have DAs who are adding people to this group who shouldnt be there, then those DAs do not have a proper understanding of the role of the DA group, and what it permits people to do. I would suggest educating them in such matters, but also reviewing the members and work out who doesnt need to be a DA. Its a relatively straightforward thing to set up a new group this gives the access required for a role, without having to give them DA rights necessarily.

In any case, using the GPO in this manner is just going to confuse matters. You are going to have to inform all the DA's of this new GPO anyway, so that they dont get all confused when they add someone and it doesnt work. Not to mention that they will need to know in case you arent around, and someone needs to legitimately be added. Given that they are aware of the GPO, if they want to add someone to the DA group, they will be aware that they have to just go in and amend the GPO (being a DA already, they will have the rights to do this). Sending you back to square one.

Again, I suggest you deal with the underlying problem, as this solution is just going to cause headaches at best if it works.

 

i would tend to agree, however, iam being pushed to set this up !

 

Managers always push for things, but they dont always understand the complications of the issue. As the technical member of staff, you are there to explain it to them.

Just tell them that, whilst it is possible to achieve, the GPO can only be set to take effect whenever a DA actually logs in. And that since the existing DAs are the culprits, it doesnt resolve the problem as they will just update the GPO.

At my old place, the DA's set up various groups that gave specific rights to each role. In my Account Administration role, for instance, we had rights on certain OUs to create/delete/modify accounts, modify group memberships, create groups, etc. As and when additional rights were required in the role, they were added to the permissions.

Its also worth pointing out that DAs only have rights to the specific domain that they are a member of (by default). So DA's from other domains should be able to modify your domain. That is, unless you have provided them with the rights to do so.

It would be better to revisit the security model you employ. For a start, DA's should be given rights only to their domain. A group of enterprise admins (from the root domain) should be set up, as a small group of people who can be trusted to do things right, and have a need to modify the various domains as necessary. DA's can then govern their own domain (meaning for a start, that if the DAs want to piss around and grant people rights that they should be, it doesnt affect your domain).

If these guys are actually in *your* domain, then that doesnt solve the problem though. You would still need to visit the roles and determine who needs what permissions, then drop people out of the DA role where they dont need to be. Often, the only reason someone is in the DA role, is because they need one thing that the DA role has. In that case, theres no point them being in the role and having access to dangerous permissions they dont necessarily understand.

The point you really need to stress to the management is that this solution just simply will not work. It does nothing to resolve the issue, and will just cause more in the long term.

If you really are adamant about using this system, ill see if i can find out how to do it for you.

 

i completely agree with you here, i will be discussing this with mgt but if i have to, im going to get an approved list of DAs and create my RG and add the DA group which will apply to DCs containing my list, so, anyone outside this list will be ripped out after login. i dont see any other way if i have to implement this.