Local Administrators Group and Compliance Settings

Hi All,

How do you manage the local Administrators group? Many companies use Restricted Groups in Active Directory Group Policy to do it, but unfortunately this setting is not an "add" rule, it is a replace: the membership defined in the GPO overwrites whatever is currently in the group.

What I mean by this is simple. Imagine a scenario where three groups always need to be members of the local admin group (Group1, Group2 and Group3). That is easy: you create a group policy and add those groups to the Restricted Group. Now a few servers need a fourth group: Server1 and Server2 need Group4, and Server3 and Server4 need Group5. You might think it is easy, just create a Restricted Group policy for each of those two sets of servers adding Group4 or Group5…

In this scenario, once the second GPO is applied, it replaces the membership of the local Administrators group: Server1 and Server2 end up with only Group4 as a member.

For this case it is not really a problem, because you can easily add Group1, Group2 and Group3 to that second list as well, and that is true…

Now let's increase the difficulty. On every single workstation, Group1, Group2 and Group3 need to be members of the local admin group, plus the primary user (defined in SCCM or in another database). Let's imagine a medium environment with 5000 clients and 500 servers. How many GPOs would you need? Well… this is crazy, isn't it?

But Compliance Settings (or DCM, Desired Configuration Management, for the SCCM 2007 people :)) is here to help you out. I've created two PowerShell scripts that achieve this.

Discovery script:

# Primary users (user device affinity) published to the client by ConfigMgr
$useraffinity = gwmi -Namespace root\ccm\policy\machine -Class ccm_useraffinity
# Accounts and groups that must always be members; adjust to your environment
$users = "administrator","DOMAIN\Domain Admins","DOMAIN\myadminuser"
foreach ($useraff in $useraffinity)
{ $users += $useraff.ConsoleUser }

# Current membership: drop blank lines and the trailer, then skip the four header lines
$members = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4
# Builds an object for inspection while testing; discarded by out-null in the CI
New-Object PSObject -Property @{
Computername = $env:COMPUTERNAME
Group = "Administrators"
Members=$members
} | out-null

# Compliant only if every expected principal is present...
$adminusers = $true
foreach ($useradm in $users)
{
if (!($members -contains $useradm))
{
$adminusers = $false
break;
}
}

# ...and nobody unexpected is present
foreach ($useradm in $members)
{
if (!($users -contains $useradm))
{
$adminusers = $false
break;
}
}
# The compliance rule compares this output (True/False) with the expected value
write-host $adminusers

This script validates that the administrator account, Domain\Domain Admins and Domain\another_group are members of the group, that the primary user defined in SCCM is a member too, and that nobody who should not be there is present. It outputs True only when the membership matches exactly, otherwise False.
The following script remediates non-compliant machines: it adds the users that should be there and removes the users that should not be there.

# Primary users (user device affinity) published to the client by ConfigMgr
$useraffinity = gwmi -Namespace root\ccm\policy\machine -Class ccm_useraffinity

# Accounts and groups that must always be members; adjust to your environment
$users = "rfladmin","RFLSYSTEMS\Domain Admins","RFLSYSTEMS\svc_sccmpush"

foreach ($useraff in $useraffinity) { $users += $useraff.ConsoleUser }

$domain = $env:USERDOMAIN

# Bind to the local Administrators group through the WinNT ADSI provider
$adsi = [ADSI]"WinNT://./administrators,group"

# Current membership: drop blank lines and the trailer, then skip the four header lines
$members = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4

# Builds an object for inspection while testing; discarded by out-null in the CI
New-Object PSObject -Property @{
 Computername = $env:COMPUTERNAME
 Group = "Administrators"
 Members=$members
} | out-null

# Add every expected principal that is missing
foreach ($useradm in $users)
{
    if ((([Array]$members) -contains $useradm) -eq $false)
    {
        # Strip the "DOMAIN\" prefix; a WinNT path without a class suffix resolves
        # domain users and domain groups alike. Entries without a prefix are local
        # accounts, for which the domain path fails, so fall back to the computer.
        try { $adsi.Add("WinNT://$Domain/" + ($useradm -Replace ("$($domain)\\",""))) }
        catch { $adsi.Add("WinNT://$env:COMPUTERNAME/$useradm") }
    }
}

# Remove every current member that is not expected
foreach ($useradm in $members)
{
    if ((([Array]$users) -contains $useradm) -eq $false)
    {
        try { $adsi.Remove("WinNT://$Domain/" + ($useradm -Replace ("$($domain)\\",""))) }
        catch { $adsi.Remove("WinNT://$env:COMPUTERNAME/$useradm") }
    }
}

The remediation script adds every user that needs to be there and removes every user that should not be there 🙂
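As an added example (not part of the original post), here is the same discovery-plus-remediation logic written with the LocalAccounts cmdlets that ship with Windows 10 / Server 2016 and PowerShell 5.1, instead of parsing the text output of net localgroup. The same script serves both sides of the CI: paste it as the discovery script with $Remediate set to $false and as the remediation script with $Remediate set to $true. The DOMAIN group names in $baseline are placeholders for your own required groups, and the function names are my own.

```powershell
# Added example, not from the original post: the same membership check written with
# the LocalAccounts cmdlets (Windows 10 / Server 2016, PowerShell 5.1 or later).
# Discovery script: $Remediate = $false. Remediation script: $Remediate = $true.
$Remediate = $false

# Principals that must always be members of the local Administrators group.
# The DOMAIN names are placeholders; the primary user is appended at run time.
$baseline = @(
    "DOMAIN\Domain Admins",
    "DOMAIN\Workstation Admins",
    "$env:COMPUTERNAME\Administrator"
)

function Get-DesiredMembers {
    # Primary users published to the client by ConfigMgr; absent when no affinity is set
    $affinity = Get-CimInstance -Namespace root\ccm\policy\machine -ClassName CCM_UserAffinity -ErrorAction SilentlyContinue
    $desired = @($baseline) + @($affinity | ForEach-Object { $_.ConsoleUser })
    $desired | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Get-CurrentMembers {
    # Name comes back as "DOMAIN\name" or "COMPUTER\name", the same shape as ConsoleUser.
    # An orphaned SID in the group makes this cmdlet fail; let that error surface rather
    # than silently reporting the machine as compliant.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { $_.Name.ToLowerInvariant() } | Sort-Object -Unique
}

function Compare-AdminMembership {
    param([string[]]$Desired, [string[]]$Current)
    # Missing = should be a member but is not; Extra = is a member but should not be
    [pscustomobject]@{
        Missing = @($Desired | Where-Object { $Current -notcontains $_ })
        Extra   = @($Current | Where-Object { $Desired -notcontains $_ })
    }
}

$diff = Compare-AdminMembership -Desired (Get-DesiredMembers) -Current (Get-CurrentMembers)

if ($Remediate) {
    foreach ($m in $diff.Missing) { Add-LocalGroupMember    -Group 'Administrators' -Member $m }
    foreach ($m in $diff.Extra)   { Remove-LocalGroupMember -Group 'Administrators' -Member $m }
    # Record what changed so the action is visible when reviewing the CI history
    Write-Output ("Added: {0}; Removed: {1}" -f ($diff.Missing -join ', '), ($diff.Extra -join ', '))
}
else {
    # Discovery: the compliance rule compares this value with the string "Compliant"
    if ($diff.Missing.Count -eq 0 -and $diff.Extra.Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
}
```

Two points worth keeping in mind with either version. First, the check is exact in both directions, so a member that a technician added by hand is reported as non-compliant and removed at the next evaluation; a legitimate per-machine exception therefore has to be expressed in the desired set (for example through a second CI targeted at that collection), not by editing the group locally. Second, the "Extra" list is the security-relevant half of the report: a principal that appears there without a matching change request is exactly the kind of privilege grant the baseline exists to detect, so keep the CI history rather than only the compliant/non-compliant count.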

Now create a PowerShell script CI with these two scripts (discovery and remediation), add it to a baseline and deploy the baseline to a device collection.

In the scenario I've described, instead of having lots of Group Policy Objects, you'll need only one script 🙂


About

Raphael is a 9 times Microsoft MVP with over 20 years of experience in IT, in which 13 years have been dedicated to System Center and Automation. His extended experience has been developed through several IT roles, from first-line support to principal consultant, towards a wide range of clients and sectors. One of the four MVPs in Enterprise Client Management in the UK, Raphael holds more than 30 Microsoft certifications and is an MCT (Microsoft Certified Trainer). Since 2008, Raphael has been providing Microsoft trainings from basic to advanced levels in several categories. Throughout his career, Raphael has joined as speaker in well-known events such as TechEd and Gartner Security Risk Management. He also organised community events and lectured around the world, sharing best practices and knowledge within the industry. Bilingual in English and Portuguese, Raphael has authored diverse articles published in Microsoft's TechEd, served as the editor-in-chief of a magazine focused on System Center in Brazil and wrote two books: "Understanding System Center 2012 SP1 Configuration Manager: The walkthrough book" and "System Center 2012 R2 Configuration Manager: Automation from Zero to Hero".
