You need a virus outbreak that hits every box in a whole building across the 
wire using the local admin credentials that are common between the boxes. That 
was what it took here.

From: Ziots, Edward [mailto:[email protected]]
Sent: Friday, November 12, 2010 2:37 PM
To: NT System Admin Issues
Subject: RE: Questions on the Application of Restricted Groups to Local Groups 
on Servers, Workstations

Actually, not when the cards are stacked against you...

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: Jon Harris [mailto:[email protected]]
Sent: Friday, November 12, 2010 1:57 PM
To: NT System Admin Issues
Subject: Re: Questions on the Application of Restricted Groups to Local Groups 
on Servers, Workstations

Keep trying and don't give up that fight; it will be worth the effort in the 
long run, as you know.

Jon
On Fri, Nov 12, 2010 at 1:54 PM, Ziots, Edward <[email protected]> wrote:
Thanks guys,

Reviewing it now and testing out the OU to start ripping and removing the bloat 
in the local admins group, even though I lost my battle with further 
restrictions of those groups, and following the least privilege best practices.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: KenM [mailto:[email protected]]
Sent: Friday, November 12, 2010 1:00 PM
To: NT System Admin Issues
Subject: Re: Questions on the Application of Restricted Groups to Local Groups 
on Servers, Workstations

There are a few ways you can do this. One would be in the restricted group 
settings, create a new group. The name would be the local group of the server, so 
Administrators and "Power Users". Add the local admin account and whatever 
domain accounts in there.
The other way would be to add a Domain Group in the GPO and set that as a 
member of the local groups. The difference between the two is that the first 
one will clear the group membership and the second one will just add to the 
local group. Here are a few links.

http://technet.microsoft.com/en-us/library/cc785631%28WS.10%29.aspx
http://www.frickelsoft.net/blog/?p=13


On Fri, Nov 12, 2010 at 12:48 PM, Ziots, Edward <[email protected]> wrote:
For those that have worked with the Restricted Group Functionality in Windows 
2003, Windows 2008 R2, I have the following questions.

I am looking to create some group policies that will affect the local 
administrators, power users groups on a set of computer objects (servers) in 
particular OUs.

I am looking at using Restricted Groups to allow this to happen, so my scenario 
would be the following.


1) How to designate the Local administrators group of the Server/Servers 
within the GUI of the group policy Object, so I can say that Group X in Domain 
X should be a member of the local administrators group enforced by this group 
policy which is applied to the OU in which the computer objects apply. (Same 
would go for Power Users.)

Any white papers, or KB articles that have been of use in your application of 
this feature would be gratefully appreciated, since the management here needs 
this to happen in short order.

Please advise,
EZ

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505
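
The two Restricted Groups modes described in KenM's reply ("Members of this group" replaces the local group's membership, "This group is a member of" only adds to it), modelled as an added example that is not part of the original thread. The key layout follows the `[Group Membership]` section of a GPO's GptTmpl.inf; real files typically carry SIDs rather than names, and the `CORP` domain, the accounts and the starting membership are constructed.

```python
# Added example: models the two Restricted Groups modes on constructed data.
SAMPLE_REPLACE = """\
[Group Membership]
Administrators__Members = Administrator,CORP\\Server Admins
"""
SAMPLE_ADD = """\
[Group Membership]
CORP\\Server Admins__Memberof = Administrators
"""

# Constructed starting state of one server's local groups.
BEFORE = {"Administrators": {"Administrator", "CORP\\Domain Admins",
                             "CORP\\jsmith", "svc_backup"}}


def parse_group_membership(text):
    """Return [(principal, mode, [values])] from a [Group Membership] section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, mode = key.strip().rpartition("__")
        if not sep or mode.lower() not in ("members", "memberof"):
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        entries.append((name, mode.lower(), values))
    return entries


def apply_policy(local_groups, entries):
    """Apply entries to a copy of local_groups; return (groups, removed)."""
    groups = {g: set(m) for g, m in local_groups.items()}
    removed = {}
    for name, mode, values in entries:
        if mode == "members" and name in groups:
            # "Members of this group": the list is authoritative.
            removed[name] = sorted(groups[name] - set(values))
            groups[name] = set(values)
        elif mode == "memberof":
            # "This group is a member of": add only, keep existing members.
            for target in values:
                if target in groups:
                    groups[target].add(name)
    return groups, removed
```

Running `apply_policy` against an export of a server's current local group membership before linking the GPO shows which accounts the replace mode would strip, which is the list to review for service accounts that still need the access.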


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin

