Monday, November 3, 2014

Create a local Administrators group through a GPO on Windows Server 2008 R2 /2012 R2

Today I'm showing how to implement a GPO in your Active Directory. I use “Restricted Groups” to put the members of a domain group (“Local Admins”) into the local Administrators group, so they log on as local administrators on all your domain computers, and I then deny those same members the right to log on to every server in the domain.

By default Active Directory has a “Computers” container that holds every computer joined to the domain. A Group Policy cannot be linked to this container, so it does not appear in the Group Policy Management console. To apply a Group Policy to one computer, or to all computers in your domain, you must create a new Organizational Unit that contains those computers. I also suggest creating a second Organizational Unit for all the servers in your domain, because by default the servers are placed in the same “Computers” container.

The domain controllers are in the “Domain Controllers” Organizational Unit. Be careful not to move those servers.

In this example I created:

·         “Domain name _Computers” Organizational Unit

·         “Domain name _Servers” Organizational Unit

·         “Local Admins” Group

·         “IT Test” User

Create the new Organizational Units:

1. Press “Win + R”, and in the “Run” window type “dsa.msc”.
2. In the “Active Directory Users and Computers” window, right-click the domain name, select “New”, then click “Organizational Unit”.
3. In the “New Object – Organizational Unit” window type the name of the new Organizational Unit, e.g. (Domain name _Computers), then click “OK” to save it.
4. Expand your Active Directory domain and click the “Computers” container.
5. In the right panel you see all the computers and servers in your domain; select the computers you want to apply the Group Policy to. *** Do not select the servers.
6. After selecting the computers, right-click the selection and click “Move…”.
7. In the “Move” window select the Organizational Unit you want to move the selected computers to, in my example (Domain name _Computers), then click “OK”.
8. Your computers are now in (Domain name _Computers).
9. Repeat steps 2 to 7 to create another Organizational Unit for your servers, using another name, e.g. (Domain name _Servers).

Now the servers and the computers are in different Organizational Units.

Create a new Group:

1. In the “Active Directory Users and Computers” window, right-click the “Users” container, select “New”, then click “Group”.
2. In “New Object – Group” type the name of the new group, e.g. (Local Admins), then click “OK”.

The new group is created.

Create a new User:

1. In the “Active Directory Users and Computers” window, right-click the “Users” container, select “New”, then click “User”.
2. In “New Object – User” type the name of the new user, e.g. (IT Test), fill in all the required information and click “Next”.
3. In the next window type the password, uncheck “User must change password at next logon” and check “Password never expires”.
4. In the last window click “OK” to close it.

Add the user to the Local Admins group:

1. Right-click the newly created user (IT Test), then click “Properties”.
2. In the “Properties” window, click the “Member Of” tab, then click “Add”.
3. In the “Select Groups” window type the group you want to add, in this example (Local Admins).
4. Click “OK” to select it, and click “OK” again to finish.

Now you are ready to apply Group Policy to the Organizational Units created above.
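The same preparation (two Organizational Units, the machine-account moves, the group and the test user) can be scripted with the ActiveDirectory module that ships with RSAT. The block below is an added example, not code from the original post; it assumes a domain `corp.example` (`DC=corp,DC=example`), the OU names `Corp_Computers` and `Corp_Servers`, and that the workstations and member servers are still in the default “Computers” container. Domain controllers live in the “Domain Controllers” OU, so a one-level search of the Computers container never touches them.

```powershell
# Added example (not from the original post): create the AD objects described above
# with the ActiveDirectory module instead of dsa.msc.
# Assumptions: domain corp.example, OU/group/user names as below. Run from an
# elevated PowerShell on a DC or a management host with RSAT installed.
Import-Module ActiveDirectory

$DomainDN      = 'DC=corp,DC=example'        # assumption: replace with your domain DN
$WorkstationOU = 'Corp_Computers'            # the post's "Domain name _Computers"
$ServerOU      = 'Corp_Servers'              # the post's "Domain name _Servers"
$AdminGroup    = 'Local Admins'
$TestUser      = 'IT Test'
$ComputersCN   = "CN=Computers,$DomainDN"    # default container for new machine accounts

# 1. Create the two Organizational Units (skip any that already exist).
foreach ($ou in $WorkstationOU, $ServerOU) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Move machine accounts out of the Computers container. Anything whose
#    OperatingSystem attribute mentions "Server" goes to the server OU, the rest
#    to the workstation OU. Domain controllers are not in this container.
$machines = Get-ADComputer -Filter * -SearchBase $ComputersCN -SearchScope OneLevel -Properties OperatingSystem
foreach ($m in $machines) {
    $target = if ($m.OperatingSystem -like '*Server*') { "OU=$ServerOU,$DomainDN" }
              else                                      { "OU=$WorkstationOU,$DomainDN" }
    Write-Host ("Moving {0} ({1}) -> {2}" -f $m.Name, $m.OperatingSystem, $target)
    Move-ADObject -Identity $m.DistinguishedName -TargetPath $target
}

# 3. Create the domain security group that Restricted Groups will later place
#    into each workstation's local Administrators group.
if (-not (Get-ADGroup -Filter "Name -eq '$AdminGroup'")) {
    New-ADGroup -Name $AdminGroup -SamAccountName 'LocalAdmins' -GroupScope Global `
                -GroupCategory Security -Path "CN=Users,$DomainDN"
}

# 4. Create the test user with the two password options from the post.
#    The password is prompted for so it is never stored in the script.
if (-not (Get-ADUser -Filter "Name -eq '$TestUser'")) {
    New-ADUser -Name $TestUser -SamAccountName 'ittest' -UserPrincipalName 'ittest@corp.example' `
               -Path "CN=Users,$DomainDN" `
               -AccountPassword (Read-Host "Password for $TestUser" -AsSecureString) `
               -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}

# 5. Make the user a member of the group.
Add-ADGroupMember -Identity 'LocalAdmins' -Members 'ittest'
```

Review the “Moving …” lines before running this against a production domain: any machine account with an empty OperatingSystem attribute is treated as a workstation, so check that list against your inventory.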

Adding a domain group (Local Admins) to the local Administrators group:

1. Press “Win + R”, and in the “Run” window type “gpmc.msc”.
2. In the “Group Policy Management” window, expand Forest: Domain Name > Domains > Domain Name.
3. Right-click the (Domain name _Computers) Organizational Unit created earlier in this tutorial and select “Create a GPO in this domain, and Link it here…”.
4. In the “New GPO” window type the name of the new Group Policy, e.g. (Domain Name _ Local Admins GPO), then click “OK”.
5. Expand the (Domain name _Computers) Organizational Unit, right-click the new GPO and select “Edit…”.
6. In the “Group Policy Management Editor” window expand Computer Configuration > Policies > Windows Settings > Security Settings.
7. Right-click “Restricted Groups” and select “Add Group…”.
8. In the “Add Group” window click the “Browse…” button and type the group the policy should apply to, in this example (Local Admins).
9. Click “Check Names”, then click “OK”.
10. A new window opens; under “This group is a member of:” click “Add”, type “Administrators”, then click “OK” to apply.
11. Close all open windows.
12. Press “Win + R”, in the “Run” window type “powershell.exe”, then run “gpupdate /force”.

Now every user in the (Local Admins) group, in my example the (IT Test) user, is a local administrator on every computer in the (Domain name _Computers) Organizational Unit.

But those users are now local administrators, and by default a local administrator can also log on to the servers, which is not what we want.

We need to deny local administrators access to the servers.

Deny local administrators access to the servers:

1. Press “Win + R”, and in the “Run” window type “gpmc.msc”.
2. In the “Group Policy Management” window, expand Forest: Domain Name > Domains > Domain Name.
3. Right-click the (Domain name _Servers) Organizational Unit created earlier in this tutorial and select “Create a GPO in this domain, and Link it here…”.
4. In the “New GPO” window type the name of the new Group Policy, e.g. (Deny Log On _Local Admins Group), then click “OK”.
5. Expand the (Domain name _Servers) Organizational Unit, right-click the new GPO and select “Edit…”.
6. In the “Group Policy Management Editor” window expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.
7. Click “User Rights Assignment” and in the right panel double-click “Deny log on locally” to open its Properties.
8. In the “Deny log on locally Properties” window check “Define these policy settings:”, click “Add User or Group” and type the domain group you created, in my example (Local Admins).
9. Click “OK” twice to apply.
10. Close all open windows.
11. Press “Win + R”, in the “Run” window type “powershell.exe”, then run “gpupdate /force”.

Now the members of Local Admins can log on to the users' computers but not to the servers on the network. They are restricted, but they can still log on to the domain controllers, so we need to create a GPO that restricts access to the domain controllers too.

Deny local administrators access to the domain controllers:

1. Press “Win + R”, and in the “Run” window type “gpmc.msc”.
2. In the “Group Policy Management” window, expand Forest: Domain Name > Domains > Domain Name.
3. Right-click the domain node (Domain name) and select “Create a GPO in this domain, and Link it here…”.
4. In the “New GPO” window type the name of the new Group Policy, e.g. (Deny Log On _Local Admins Group), then click “OK”.
5. Right-click the new GPO and select “Edit…”.
6. In the “Group Policy Management Editor” window expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.
7. Click “User Rights Assignment” and in the right panel double-click “Deny log on locally” to open its Properties.
8. In the “Deny log on locally Properties” window check “Define these policy settings:”, click “Add User or Group” and type the domain group you created, in this example (Local Admins).
9. Click “OK” twice to apply.
10. Close all open windows.
11. Press “Win + R”, in the “Run” window type “powershell.exe”, then run “gpupdate /force”.
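The three GPO procedures above (the Restricted Groups GPO on the computers OU, the deny GPO on the servers OU, and the deny GPO linked at the domain) share the same first five steps: create a GPO and link it to a container. The block below is an added example, not the post's own code; it creates and links those three GPOs with the GroupPolicy module and then lists what each OU actually inherits. It assumes the domain `corp.example` and OU names `Corp_Computers` and `Corp_Servers`, and gives the two deny GPOs distinct names (the post uses the same name for both, which `New-GPO` would reject). The Restricted Groups entry and the “Deny log on locally” entries themselves are still made in the Group Policy Management Editor exactly as the steps describe.

```powershell
# Added example (not from the original post): create and link the post's three GPOs
# with the GroupPolicy module, then show the link set each OU inherits.
# Assumptions: domain corp.example; OU names and GPO names as below; settings
# inside each GPO are edited afterwards in GPMC as the tutorial describes.
Import-Module GroupPolicy

$DomainDN      = 'DC=corp,DC=example'                  # assumption: your domain DN
$WorkstationOU = "OU=Corp_Computers,$DomainDN"
$ServerOU      = "OU=Corp_Servers,$DomainDN"
$DcOU          = "OU=Domain Controllers,$DomainDN"     # built-in OU, never moved

# GPO display name -> container the post links it to
$links = @{
    'Corp _ Local Admins GPO'              = $WorkstationOU   # Restricted Groups
    'Deny Log On _Local Admins Group'      = $ServerOU        # deny on member servers
    'Deny Log On _Local Admins Group (DC)' = $DomainDN        # linked at the domain root, as in the post
}

foreach ($name in $links.Keys) {
    $target = $links[$name]
    # Reuse an existing GPO of that name, otherwise create it.
    try   { $gpo = Get-GPO -Name $name -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $name -Comment 'Created by script; settings edited in GPMC' }
    # New-GPLink fails if the link already exists, so look first.
    $linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) {
        New-GPLink -Name $name -Target $target -LinkEnabled Yes | Out-Null
        Write-Host "Linked '$name' to $target"
    }
}

# A GPO linked at the domain root is inherited by every OU beneath it, including the
# workstation OU, so the domain-linked deny GPO shows up in all three lists below.
# Review the precedence order here before trusting the result on the endpoints.
foreach ($ou in $WorkstationOU, $ServerOU, $DcOU) {
    Write-Host "`n== Effective GPO links for $ou"
    (Get-GPInheritance -Target $ou).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target |
        Format-Table -AutoSize
}
```

Because “Deny log on locally” is a single User Rights Assignment setting, only the highest-precedence GPO that defines it wins on a given computer; `gpresult /r /scope computer` on a workstation tells you which GPO that was.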

Now the members of the Local Admins group log on as local administrators on all computers on the network except the servers and the domain controllers.
