Manipulating Local Users and Groups

An enormous portion of any company's overall security posture is making sure that users have proper rights and permissions. You want everyone to be as restricted as possible, while still allowing them to perform the work they need to accomplish for their jobs. When a user logs into a Windows computer, they receive security permissions inside Windows based on what local group or groups they are members of. Out of the box, Standard users have the most restricted rights, Power Users are able to perform some heavier-duty tasks, Administrators have full control within Windows—you get the idea. There are multiple tiers of permissions baked into the operating system.

When your Windows computer is joined to a domain, some inherent changes are automatically made to these groups. For example, the Domain Admins Active Directory group is generally added to the local Administrators group on each of your computers. Therefore, when you log into a domain-joined computer with a user account that is part of the Domain Admins group inside AD, you automatically receive Administrator rights on each workstation or server that you log into.

Sounds great, right? Except that administrative permissions are way too powerful for most users. It is even a best practice these days to keep your IT administrators away from having Domain Admin rights all the time. It is too easy to make mistakes that way. Instead, we can utilize some of those in-between levels of permission, putting user accounts or groups into the local security groups, to divvy up permissions in a more comprehensive way.

You certainly do not want to have to visit every one of your servers and workstations in order to manually plug user accounts into their appropriate groups, so we turn to Group Policy. As an example, I have a new Active Directory security group called Server Administrators. I do not want these folks to have full Domain Admin rights; that would be too extensive. Instead, I simply want to make sure that all Server Administrators can successfully RDP into any of the servers running in my environment. To accomplish this, I want to add the Server Administrators AD group into the Remote Desktop Users local group on all of my Windows Servers. When finished, any user who is a member of Server Administrators inside AD will immediately have rights to RDP into any server.

To perform this task, create a new GPO and scope it so that it applies to all servers in the environment (this is, of course, only necessary for my example—you go ahead and scope your GPO however you see fit).

Edit the new GPO and head over to Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups. Then right-click in the blank space and choose New | Local Group.

As you can see here, you have the ability to create truly new groups as well, if you ever have the need to do that. What we want to do today, however, is Update the existing Remote Desktop Users group, so I am selecting that from the Group name drop-down list. There are options to rename the group if you want, and to delete existing members from the group if you want to ensure that your selections on this screen are the only ones remaining after the GPO finishes. I do not care so much about those extra options for this particular task, so I will simply tell it that I want the Remote Desktop Users group to be Updated to include the Server Administrators group, as you can see here:

Now when logging into one of the servers in my environment, opening Local Users and Groups shows me that yes indeed, Server Administrators has been automatically added into the existing Remote Desktop Users local group on that server, and folks in that group have permission to RDP into it:
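Rather than checking each server by hand, the membership the GPO pushed out can be audited from one console. The following PowerShell script is an added example and is not from the book; the server names and the CONTOSO domain prefix are assumptions. It reports both a missing Server Administrators entry (the GPO did not apply) and any extra members, since the Update action leaves pre-existing members in place and every one of them can RDP to that server.

```powershell
# Added example: audit the Remote Desktop Users local group on a list of servers
# and report drift from the membership the GPP item is supposed to enforce.
# Server names and the domain NetBIOS name below are assumptions.
$Servers  = @('SRV01', 'SRV02')                    # assumed server names
$Expected = @('CONTOSO\Server Administrators')     # assumed DOMAIN\group

# Collect the current membership remotely. Get-LocalGroupMember ships with the
# LocalAccounts module (Windows PowerShell 5.1 and later).
$results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop |
               ForEach-Object { $_.Name }
    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Members = @($members)
    }
}

$report = foreach ($r in $results) {
    # Missing: the GPP Update action has not landed, or the GPO is not scoped here.
    $missing = @($Expected | Where-Object { $_ -notin $r.Members })
    # Extra: Update does not remove existing members; each of these can RDP in.
    $extra   = @($r.Members | Where-Object { $_ -notin $Expected })
    [pscustomobject]@{
        Server  = $r.Server
        Status  = if ($missing) { 'MISSING' } elseif ($extra) { 'EXTRA' } else { 'OK' }
        Missing = ($missing -join ', ')
        Extra   = ($extra   -join ', ')
    }
}

$report | Format-Table -AutoSize
```

Run gpupdate on a server first if the GPO was only just linked; otherwise a MISSING result may simply mean the policy has not refreshed yet.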

These Group-Policy-based Local Users and Groups settings can also be used for managing individual user accounts. This could be useful for manipulating the password of a local account that exists on all workstations, resetting that password on all machines in one fell swoop. Or perhaps you need to create a new local user account that you want to push out to all of your devices; that is also easily done.
