2. Delegating Administration Using Restricted Groups Policies with the Member Of Setting
You can use restricted groups policies with the Member Of setting to manage the delegation of administrative privileges for computers by following these steps:
1. In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups and click Add Group.
3. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to the Administrators group (for example, CONTOSO\Help Desk) and click OK.
4. Click OK to close the Add Group dialog box. A Properties dialog box appears.
5. Click Add next to the This Group Is A Member Of section.
6. Type Administrators and click OK. The Properties group policy setting should look something like the left side of Figure 2.
7. Click OK again to close the Properties dialog box.
Delegating the membership of the local Administrators group in
this manner adds the group specified in step 3 to that group. It does
not remove any existing members of the Administrators group. The group
policy simply tells the client, “Make sure this group is a member of
the local Administrators group.” This allows for the possibility that
individual systems could have other users or groups in their local
Administrators group. This Group Policy setting is also cumulative. If
multiple GPOs configure different security principals as members of
the local Administrators group, all will be added to the group.
3. Delegating Administration Using Restricted Groups Policies with the Members Of This Group Setting
To take complete control of the local Administrators group, follow these steps:
1. In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups and click Add Group.
3. Type Administrators and click OK. A Properties dialog box appears.
4. Click Add next to the Members Of This Group section.
5. Click Browse, type the name of the group you want to make the sole member of the Administrators group (for example, CONTOSO\Help Desk), and click OK.
6. Click OK again to close the Add Member dialog box. The group policy setting Properties should look something like the right side of Figure 2.
7. Click OK again to close the Properties dialog box.
When you use the Members setting of a restricted groups policy, the
Members list defines the final membership of the specified group. The
steps just listed result in a GPO that authoritatively manages the
Administrators group. When a computer applies this GPO, it adds all
members specified by the GPO and removes all members not specified by
the GPO, including Domain Admins. Only the local Administrator account
is not removed from the Administrators group, because Administrator is
a permanent and nonremovable member of Administrators.
If you use both Members and Member Of restricted groups
policies, the highest-priority Members policy setting sets the
authoritative baseline membership for the group, and then the
cumulative memberships of Member Of policies augment that baseline.
This complex interaction of the two policy settings is not something
that you are likely to encounter on an exam, but you might see it in a
production environment. Therefore, in your enterprise, be careful to
design and test your restricted groups policies to ensure that they
achieve the desired result.
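The resolution rule just described (the highest-priority Members policy sets an authoritative baseline, Member Of policies then add to it cumulatively, and the built-in Administrator is never removed) is modelled below in an added PowerShell example. It is not code from the training kit; the policy objects and sample principals are constructed for illustration, and "Priority" stands in for whatever GPO link order and enforcement produce in a real domain.

```powershell
# Added example (not from the training kit): models how a client resolves the
# local Administrators membership from Members and Member Of restricted groups
# policies. The highest-priority Members policy (if any) sets the baseline and
# everything not listed is removed, except the built-in Administrator; every
# Member Of policy then adds its principal cumulatively.
function Resolve-RestrictedGroupMembership {
    param(
        # Members present on the client before the GPOs apply (constructed sample)
        [string[]] $CurrentMembers,
        # Members policies: @{ Priority = <int>; Members = <string[]> }, higher Priority wins
        [hashtable[]] $MembersPolicies = @(),
        # Member Of policies: each entry is a principal the policy ensures is in the group
        [string[]] $MemberOfPolicies = @()
    )
    # Administrator is a permanent, nonremovable member of Administrators
    $permanent = 'Administrator'

    if ($MembersPolicies.Count -gt 0) {
        # Authoritative: only the winning Members list survives (Domain Admins included in the purge)
        $winner   = $MembersPolicies | Sort-Object -Property { $_.Priority } -Descending | Select-Object -First 1
        $baseline = @($permanent) + $winner.Members
    } else {
        # No Members policy: the existing membership is left alone
        $baseline = @($permanent) + $CurrentMembers
    }

    # Member Of policies are cumulative: each one adds its principal to the baseline
    return @($baseline + $MemberOfPolicies | Select-Object -Unique)
}

# Constructed sample client: a local technician account and Domain Admins are already members
$current  = 'Administrator', 'CONTOSO\Domain Admins', 'localtech'
$memberOf = 'CONTOSO\Help Desk', 'CONTOSO\NYC Support'

# Case 1: Member Of policies only. Nothing is removed; both groups are added.
Resolve-RestrictedGroupMembership -CurrentMembers $current -MemberOfPolicies $memberOf

# Case 2: two Members policies plus the same Member Of policies. The Priority 10 list
# replaces the whole membership (localtech and Domain Admins are gone), then Member Of adds.
$members = @{ Priority = 10; Members = @('CONTOSO\Help Desk') },
           @{ Priority = 5;  Members = @('CONTOSO\Workstation Admins') }
Resolve-RestrictedGroupMembership -CurrentMembers $current -MembersPolicies $members -MemberOfPolicies $memberOf
```

Running both cases side by side makes the practical risk visible: the moment any GPO in scope carries a Members setting for Administrators, principals you relied on (Domain Admins, a local break-glass technician account) disappear unless that Members list, or a Member Of policy, names them.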
Defining Group Membership with Group Policy Preferences
You can also use Group Policy Preferences to define the membership of groups.
Local Group preferences are available in both Computer
Configuration and User Configuration. The settings for a Local Group
preference are shown in Figure 5.
The three options related to “current user” are available only
in the Local Group preference in User Configuration, not in
Computer Configuration.
You can create, delete, replace, or modify (update) a local
group. As you can see in the previous screen shot, you can rename
the group, change its description, or make modifications to the
group’s membership.
Local Group preferences cannot remove members from a group if those members were added to a group by using a restricted
groups policy setting. Additionally, if a restricted groups policy
setting uses the Members method to define the authoritative membership
of a group, preferences can neither add nor remove members.
The interactions between Members restricted groups policy
settings, Member Of restricted groups policy settings, Local Group
preferences scoped as computer settings, and Local Group preferences
scoped as user settings can be complex and difficult to understand.
Be sure to thoroughly test the results if you choose to implement
multiple methods of managing group membership with Group Policy.
Practice Delegating the Support of Computers
In this practice, you use Group Policy to delegate the
membership of the Administrators group. You first create a GPO
with a restricted groups policy setting that ensures that the Help
Desk group is a member of the Administrators group on all client
systems. You then create a GPO that adds the NYC Support group to
Administrators on clients in the NYC OU. Finally, you confirm that
in the NYC OU, both the Help Desk and NYC Support groups are
administrators.
To perform this practice, you need the following objects in the contoso.com domain:
- A first-level OU named Admins
- A global security group named Help Desk in the Admins OU
- A global security group named NYC Support in the Admins OU
- A first-level OU named Clients
- An OU named NYC in the Clients OU
- A computer object named DESKTOP101 in the NYC OU
If you have performed practices in earlier lessons, some of
these objects might already exist in other OUs, in which case you
can move the object to the OU specified above.
EXERCISE 1 Delegate the Administration of All Clients in the Domain
In this exercise, you create a GPO with a restricted groups policy setting that ensures that the Help Desk group is a member of the Administrators group on all client systems.
1. Open Group Policy Management, and then expand Forest\Domains\contoso.com. Click the Group Policy Objects container in the console tree.
2. Right-click the Group Policy Objects container and click New.
3. In the Name box, type Corporate Help Desk and click OK.
4. Right-click the GPO and click Edit.
5. In Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
6. Right-click Restricted Groups and click Add Group.
7. Click Browse and, in the Select Groups dialog box, type CONTOSO\Help Desk and click OK.
8. Click OK to close the Add Group dialog box.
9. Click Add next to the This Group Is A Member Of section.
10. Type Administrators and click OK. The group policy setting properties should look like the left side of Figure 2.
11. Click OK again to close the Properties dialog box.
12. Close Group Policy Management Editor.
13. In the Group Policy Management console, right-click the Clients OU and click Link An Existing GPO.
14. Select the Corporate Help Desk GPO and click OK.
EXERCISE 2 Delegate the Administration of a Subset of Clients in the Domain
In this exercise, you create a GPO with a restricted groups policy setting that adds the NYC Support group to the Administrators group on all client systems in the NYC OU.
1. In the Group Policy Management console, expand Forest\Domains\contoso.com. Click the Group Policy Objects container in the console tree.
2. Right-click the Group Policy Objects container and click New.
3. In the Name box, type New York Support and click OK.
4. Right-click the GPO and click Edit.
5. Repeat steps 5–12 of Exercise 1, "Delegate the Administration of All Clients in the Domain," but type CONTOSO\NYC Support as the group name in step 7.
6. In the Group Policy Management console, expand the Clients OU, right-click the NYC OU, and then click Link An Existing GPO.
7. Select the New York Support GPO and click OK.
EXERCISE 3 Confirm the Cumulative Application of Member Of Policies
You can use Group Policy Modeling to produce a report of the effective policies applied to a computer or user. In this exercise, you use Group Policy Modeling to confirm that a computer in the NYC OU includes both the Help Desk and NYC Support groups in its Administrators group.
1. In the Group Policy Management console, expand Forest and click the Group Policy Modeling node.
2. Right-click the Group Policy Modeling node and click Group Policy Modeling Wizard.
3. Click Next.
4. On the Domain Controller Selection page, click Next.
5. On the User And Computer Selection page, in the Computer Information section, click Browse.
6. Expand the domain and the Clients OU, and then click the NYC OU.
7. Click OK.
8. Select the Skip To The Final Page Of This Wizard Without Collecting Additional Data check box.
9. Click Next.
10. On the Summary Of Selections page, click Next.
11. Click Finish. The Group Policy Modeling report appears.
If an Internet Explorer warning appears, it is because Internet Explorer Enhanced Security Configuration (IE ESC) is enabled. Open Server Manager. In the Security Information section, click the Configure IE ESC link. In the Administrators section, click Off. In the Users section, click Off. Click OK. Close Server Manager. In the GPME, click Close to close the Internet Explorer warning. If you continue to receive warnings, close and re-open Group Policy Management, and then repeat steps 1–11.
12. On the Settings tab, click Security Settings.
13. Click Restricted Groups.
You should see both the Help Desk and NYC Support groups listed. Restricted groups policies using the This Group Is A Member Of setting are cumulative. Notice that the report does not specify that the listed groups are members of the Administrators group. The omission of the Member Of column is a limitation of the report.
OPTIONAL EXERCISE 4 Confirm the Membership of the Administrators Group
If your test environment includes a client computer that is a member of the contoso.com domain, move the computer object in Active Directory to the NYC OU. Restart the computer, log on as the domain's Administrator, and then open the Computer Management console. In Computer Management, expand the Local Users And Groups node and, in the Groups folder, open the Administrators group. You should see the following members listed:
- CONTOSO\Help Desk, applied by the Corporate Help Desk GPO
- CONTOSO\NYC Support, applied by the New York Support GPO
- Domain Admins, made a member of Administrators when the computer joined the domain
- The local Administrator account, a default member that cannot be removed
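The same check as Exercise 4, and the "thoroughly test the results" advice from the Group Policy Preferences section, can be scripted so it runs on every client rather than being eyeballed in Computer Management. The following is an added PowerShell example, not code from the training kit. It assumes the Get-LocalGroupMember cmdlet (Microsoft.PowerShell.LocalAccounts module, Windows 10 / Windows Server 2016 and later) and uses the expected membership from this practice; the local Administrator name is built from the computer name because the cmdlet reports local principals as COMPUTER\Name.

```powershell
# Added example (not part of the training kit): compares the local Administrators
# group on the computer where it runs with the membership the exercises expect and
# reports anything missing or unexpected. Run it on DESKTOP101 after the GPOs apply.
function Test-AdministratorsMembership {
    param(
        # Expected membership from the practice; adjust to your own environment
        [string[]] $Expected = @(
            'CONTOSO\Help Desk',                  # Corporate Help Desk GPO (Member Of)
            'CONTOSO\NYC Support',                # New York Support GPO (Member Of)
            'CONTOSO\Domain Admins',              # added when the computer joined the domain
            "$env:COMPUTERNAME\Administrator"     # built-in, nonremovable member
        )
    )
    # Domain principals come back as DOMAIN\Name, local ones as COMPUTER\Name
    $actual = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)

    # -notcontains is case-insensitive by default, which matches Windows account naming
    $missing    = @($Expected | Where-Object { $actual   -notcontains $_ })
    $unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Actual     = $actual
        Missing    = $missing       # a GPO did not apply: run gpupdate /force, then check Group Policy Results
        Unexpected = $unexpected    # extra principals that Member Of policies never remove; review each one
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

Test-AdministratorsMembership | Format-List
```

A non-empty Unexpected list is the interesting output: because the two GPOs in this practice use the Member Of setting, anything already in the local Administrators group stays there, so this is where stale local accounts or groups added outside Group Policy show up. Get-LocalGroupMember stops with an error when the group contains an orphaned SID (a deleted domain principal); that error is itself a finding worth recording, since the orphaned entry also survives Member Of policies.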