In an ideal world the best solution to this is not to allow them to install it in the first place, which is fine if you are in a position to take this firm standpoint and treat all users the same. Unfortunately a few weaker links inevitably end up making more work for you and everyone else.
Group policy will allow you to create security groups for your elevated accounts and can also be configured to strip out other accounts from local administration groups. This is fine if everyone is on-board with the idea and you don't want to end up with several policies for different types of users.
The solution I came up with will allow you to remove all unauthorised users accounts, both domain and local from the computer administrators group but will allow you to add your elevated accounts and have a list of exceptions that won't be removed. This means Jim and Bob and those rare but pesky applications that just won't work properly without local admin privileges can still work, and you have clear visibility of who actually has these rights.
The script below was based on another script I found that would just remove all local admins, I've modified it to allow exceptions, and to add in the relevant elevated account groups. Keep reading for instructions on how to implement it into your environment.
' Remove Unapproved Local Administrators.
' Last update 28/10/11 by Andrew Allison
' vbscript
'** check os version first
strComputer = "."
Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48)
For Each objItem in colItems
osversion = (objItem.Caption)
targetos=("Microsoft Windows XP Professional")
intCompare = StrComp(osversion, targetos, vbTextCompare)
'wscript.echo targetos
'wscript.echo osversion
'wscript.echo intCompare
if intCompare = -1 Then
wscript.echo "Do not use your standard user account to log onto servers! Use your Elevated account."
wscript.quit
elseif intcompare = "1" Then
wscript.echo "Do not use your standard user account to log onto servers! Use your Elevated account."
wscript.quit
else
'wscript.echo "0 - it must be good old XP - lets rock!"
end if
next
'** Define Variables
Dim PermittedAdmins' As Array
Dim group
Dim network
dim fourthletterinname
'** Define Permited Administrators List
PermittedAdmins = Array("Administrator", "Domain Admins", "Director1", "Director2", "GPO_LAPTOP_PCADMIN", "GPO_DESKTOP_PCADMIN) '<--- Add to this Array any additional permited admins
'** Get Local Administrator Group
Set AdminGroup = GetObject("WinNT://./Administrators, Group")
'** Search for Invalid Members & Remove Them
For Each GroupMember in AdminGroup.Members
Debug.WriteLine GroupMember.Name, GroupMember.Class, IsPermitedAdmin(GroupMember.Name)
If Not IsPermitedAdmin(GroupMember.Name) Then
AdminGroup.Remove GroupMember.ADsPath
End If
Next
'** Functions *****************************************************************
Function IsPermitedAdmin(MemberName)' As Boolean
Dim i' As Long
For i = LBound(PermittedAdmins) To UBound(PermittedAdmins)
If UCase(MemberName) = UCase(PermittedAdmins(i)) Then
IsPermitedAdmin = True
Exit Function
End If
Next
IsPermitedAdmin = False
End Function
'**Start adding PCadmin groups
Set wshShell = WScript.CreateObject( "WScript.Shell" )
strComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
Set network = CreateObject("WScript.Network")
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
On Error Resume Next
fourthletterinname = Mid(strComputerName,4,1)
if fourthletterinname = "D" Then
group.add("WinNT://yourdomain/GPO_DESKTOPS_PCADMIN")
Elseif fourthletterinname = "L" Then
group.add("WinNT://yourdomain/GPO_Laptops_PCADMIN")
else
'do nothing
end if
On Error Goto 0
wscript.quit
Note as per the "check OS version first" section you can see in the above script I have specified that this script should only run on a singular operating system, Windows XP Professional. This can be easily changed to any other operating system. The purpose of this function is that in all likelihood you don't want this script to end up running on your server operating system, although it is entirely possible to add all your local server administration accounts too. If you don't want to use the OS check, simply remove this section.
The "Define Permitted Administrators List" section is where you will want to put in the user name of your PC Admin management groups and also your pesky exceptions. This isn't a list that will add admin groups, this is a list that the script will NOT remove.
Another part you may want to remove or modify is the "Start adding PC admin groups" - this is the function that will insert your Active Directory PC Administration groups into the PCs local administrator group. In my environment all devices follow a strict naming convention which is SITE-MACHINETYPE-ASSETNO-USER eg: SBPD12345ALLISA the "fourth letter in name" variable is used to hold the fourth letter in the machine name, as you can see this will be either D for desktops, or L for laptops. If you only have one admin account for every type of device you can modify this to only have one group, this function just give a little more granular type of security.
OK, now you have the script and have modified to suit your environment, but how do I deliver it onto the PCS? Group policy is the key here.
You have two choices here, you can either apply based upon machine-based-policy or user-based-policy. There are advantages and disadvantages of both. In my environment my manager requested this be done on user policies. Create a new policy or modify an existing one and navigate to "scheduled tasks".
Right click and create a new scheduled task. The settings here are up to you but this how I have configured mine.
It's up to you as to where you store the script, you could in effect deliver it to each machine, or leave it on a web-server. I personally have opted to put it into the domain SYSVOL folder on my Domain Controller. Ensure that you use an account on the scheduled task with sufficient access to manage your PC admin group. I like to run set the script to run at logon to remove unwanted "tweakers" ;-)
All of this is pointless if you fail to maintain your Active Directory PCADMIN groups, don't allow unelevated accounts to be added to these groups, the last thing you want to do is to give your director rights to install software on every PC on the network rather than just his own. Use the exclusions wisely.
No comments:
Post a Comment