Mark Minasi's Tech Forum
jsclmedave (Administrator) #1
There are built in Security Groups in AD.

Example:
Distributed COM Users
Server Operators
Remote Management Users


What I would like to know is...

If I have a Domain Account that needs to have Local Admin Access to every Windows Server in that domain, what (if possible) Built In Accounts would I be able to add that account to, to grant this access?

I want them to have Local Admin to every server without having Domain Admin Rights.

Group Policy is not an option...

This is for a Discovery, Monitoring & Auditing tool that will scan the OS, Hardware and all Applications. 

This tool is being used for Windows, Linux, ESX and soon Networking devices.


If something like SQL is identified, a separate SQL account will be used to scan those instances.

Suggestions..?

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
cj_berlin (Senior Member) #2
Tim,

Why is adding that account to local Administrators via GPO not an option? Because IIRC, none of those default groups will actually give you what you need.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
jsclmedave (Administrator) #3
Quote:
Originally Posted by cj_berlin
Tim,

Why is adding that account to local Administrators via GPO not an option? Because IIRC, none of those default groups will actually give you what you need.


Long story, but getting anything done correctly via GPO takes up to a year, IF someone has not decided to deny it, which means I have to start all over again. Working with the other side of the AD team, it was suggested that we try this, since they could grant the access to the built-in groups (Test Domain) and, if that was successful, I could go that route in Prod, but I had never heard of this being done before...

Right now the accounts are Domain Admins which is driving me crazy...

Restricted Groups would be my first choice, if this is not possible I will start going down that road again for the new accounts that need to be added.



cj_berlin (Senior Member) #4
Just thinking aloud, but can't you use whatever software deployment solution you have in place to stick a new AD group into local Administrators on every server (as in "NET LOCALGROUP...") thus bypassing the same functionality in GPO?
jsclmedave (Administrator) #5
Quote:
Originally Posted by cj_berlin
Just thinking aloud, but can't you use whatever software deployment solution you have in place to stick a new AD group into local Administrators on every server (as in "NET LOCALGROUP...") thus bypassing the same functionality in GPO?


In one of our domains we have over 20K WIN Servers alone. I have over 15 Forests, 100s of Domains and 5 DMZs that I am trying to access, so the easiest, cleanest, safest & simplest to audit, control and maintain would be my choice.

It was suggested adding to the Builtin\Administrators group as well, which I will try, and if that doesn't work I will start pushing for GP again OR adding the accounts to one of the existing Security Groups that are already in place.

Thanks for the sanity check, like I said I had never heard of doing it this way so needed to check.



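An added example, not code from the thread, of what post #4's "stick a new AD group into local Administrators on every server" looks like when pushed over PowerShell Remoting instead of GPO, with the membership audit post #5 asks for. Two caveats the thread touches on: the domain's Builtin\Administrators group only controls local admin on domain controllers, so adding the scan account there will not grant admin on member servers; and Domain Admins works today only because it is nested into every domain-joined machine's local Administrators at join time, which is exactly the over-privilege the poster wants to remove. The domain name CONTOSO, the group svc-DiscoveryScanners and the server names are hypothetical; the push itself must run as an account that already has local admin on the targets (the existing deployment credential), and the targets need the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016+ / PowerShell 5.1).

```powershell
# Added example (not from the thread): add a dedicated AD group to the local
# Administrators group on a list of member servers without GPO, idempotently,
# and return an audit record per server.
#
# Assumptions (hypothetical names): domain CONTOSO, group CONTOSO\svc-DiscoveryScanners,
# server names below. Run from a host with WinRM access to the targets, as an
# account that already holds local admin there (e.g. the deployment credential).

# Constructed server list; in practice feed this from AD or the CMDB.
$Servers   = @('SRV-APP01', 'SRV-APP02', 'SRV-DB01')

# Grant to a group, not to the scan account directly, so the account can be
# rotated or replaced later without touching 20K servers again.
$GroupName = 'CONTOSO\svc-DiscoveryScanners'

$Results = Invoke-Command -ComputerName $Servers -ArgumentList $GroupName -ScriptBlock {
    param([string]$Group)

    # Current local Administrators membership (domain principals appear as DOMAIN\Name).
    $localAdmins   = Get-LocalGroupMember -Group 'Administrators'
    $alreadyMember = $localAdmins | Where-Object { $_.Name -eq $Group }

    # Idempotent: only add when the group is not already present.
    if (-not $alreadyMember) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Group
    }

    # Re-read after the change and return an audit record; Invoke-Command
    # tags each object with PSComputerName automatically.
    [pscustomobject]@{
        Added   = -not [bool]$alreadyMember
        Members = (Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name) -join ';'
    }
}

# Audit view: which servers were changed and who is in local Administrators now.
$Results | Format-Table PSComputerName, Added, Members -AutoSize

# Servers that could not be reached or failed the change show up as errors from
# Invoke-Command; collect them with -ErrorVariable if you need a failure list.
```

The same change on older servers without the LocalAccounts module is the `net localgroup Administrators "CONTOSO\svc-DiscoveryScanners" /add` call post #4 alludes to, wrapped in the same Invoke-Command. Whatever mechanism does the push, the Members column is the thing to keep: re-running the script with the Add-LocalGroupMember line removed gives a read-only audit that will also show the Domain Admins nesting the poster wants to stop relying on.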