Local Administrators Group and Compliance Settings


Hi All,

How do you manage the local Administrators group? Many companies use Restricted Groups in Active Directory/GPO to do it, but unfortunately this setting is not an "add" rule, it is a replace.

What I mean by this is simple. Imagine the scenario where you have 3 groups that always need to be members of the admin group (Group1, Group2 and Group3). It is simple: you create a group policy and add these groups to the restricted group. Now you have a few servers that need a 4th group. For server1 and server2 you need to add group4, and for server3 and server4 you need to add group5. You might think that it is easy, just create a restricted group for those 2 sets of servers adding group4 or group5…

In this scenario, once the 2nd GPO is applied, it will replace the group membership of the local admins: server1 and server2 will only have group4 as a member of the local Administrators group.

For this case it is not a problem: you can easily add group1, group2 and group3 to that second list as well, and it works…

Now, let's increase the difficulty. On every single workstation, group1, group2 and group3 need to be members of the local admin group, plus the primary user (which is defined in SCCM or in another database). Let's imagine a medium environment with 5000 clients and 500 servers. How many GPOs will you need? Well… this is crazy, isn't it?

But Compliance Settings (or DCM for the SCCM 2007 people :)) is here to help you out. I've created 2 PowerShell scripts that help you achieve this.

Discovery script:

# Primary user(s) of this device, taken from user device affinity
$useraffinity = gwmi -Namespace root\ccm\policy\machine -Class ccm_useraffinity
# Principals that must always be members of the local Administrators group
$users = "administrator","DOMAIN\Domain Admins","DOMAIN\myadminuser"
foreach ($useraff in $useraffinity)
{ $users += $useraff.ConsoleUser }

# Current members: drop blank lines and the trailer, then skip the four header lines
$members = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4
New-Object PSObject -Property @{
    Computername = $env:COMPUTERNAME
    Group = "Administrators"
    Members = $members
} | out-null

# Compliant only if every expected principal is present ...
$adminusers = $true
foreach ($useradm in $users)
{
    if (!($members -contains $useradm))
    {
        $adminusers = $false
        break;
    }
}

# ... and no unexpected member is present
foreach ($useradm in $members)
{
    if (!($users -contains $useradm))
    {
        $adminusers = $false
        break;
    }
}
# The CI compares this value against the expected result (True)
write-host $adminusers

This script validates that the users/groups administrators, Domain\Domain Admins and Domain\another_group are members of the group, as well as the primary user defined in SCCM, and also that there is no user in the group that should not be there.

The following script will remediate non-compliant machines (it adds users that should be there and removes users that should not be there):

# Primary user(s) of this device, taken from user device affinity
$useraffinity = gwmi -Namespace root\ccm\policy\machine -Class ccm_useraffinity

# Principals that must always be members; the primary user(s) are appended below
$users = "rfladmin","RFLSYSTEMS\Domain Admins","RFLSYSTEMS\svc_sccmpush"
foreach ($useraff in $useraffinity) { $users += $useraff.ConsoleUser }

$domain = $env:USERDOMAIN
$adsi = [ADSI]"WinNT://./administrators,group"

# Build the WinNT ADsPath for a principal: "DOMAIN\name" is a domain account or group,
# a bare name (such as rfladmin) is an account on this computer. The provider resolves
# users and groups alike, so no ",group" class hint is appended.
function Get-AdsPath([string]$principal)
{
    if ($principal -match '\\')
    {
        $d, $n = $principal -split '\\', 2
        return "WinNT://$d/$n"
    }
    return "WinNT://$env:COMPUTERNAME/$principal"
}

# Current members: drop blank lines and the trailer, then skip the four header lines
$members = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4
New-Object PSObject -Property @{
    Computername = $env:COMPUTERNAME
    Group = "Administrators"
    Members = $members
} | out-null

# Add every expected principal that is missing
foreach ($useradm in $users)
{
    if ((([Array]$members) -contains $useradm) -eq $false)
    {
        $adsi.Add((Get-AdsPath $useradm))
    }
}

# Remove every current member that is not in the expected list
foreach ($useradm in $members)
{
    if ((([Array]$users) -contains $useradm) -eq $false)
    {
        $adsi.Remove((Get-AdsPath $useradm))
    }
}

The remediation script will add any user that needs to be there as well as remove any user that should not be there 🙂

Now create a PowerShell script CI, add it to a baseline and deploy it to a device collection.

In the scenario I've described, instead of having lots of Group Policy objects, you'll need only 1 script 🙂
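Both scripts above parse the `net localgroup` output with a fixed `select -skip 4`, which silently breaks if a header line changes, and the discovery script only returns True/False. As an added example (not one of the scripts from this post), the following version finds the member list by its dashed separator and reports exactly which principals are missing or unexpected. It runs offline against a constructed sample; `DOMAIN\jdoe` stands in for the `ConsoleUser` value you would read from `CCM_UserAffinity` on a real client.

```powershell
function Get-LocalGroupMembersFromNet {
    param([string[]]$Output)
    # Members start after the dashed separator and end at the "command completed" trailer
    $inMembers = $false
    foreach ($line in $Output) {
        if ($line -match '^-{5,}\s*$') { $inMembers = $true; continue }
        if (-not $inMembers) { continue }
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -match 'command completed successfully') { break }
        $line.Trim()
    }
}

function Test-LocalAdminCompliance {
    param([string[]]$Expected, [string[]]$Actual)
    # -notcontains is case-insensitive, matching how Windows compares account names
    $missing = @($Expected | Where-Object { $Actual -notcontains $_ })
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Missing   = $missing
        Extra     = $extra
    }
}

# Constructed sample of `net localgroup administrators` output (not captured from a real host)
$sample = @(
    'Alias name     administrators',
    'Comment        Administrators have complete and unrestricted access to the computer/domain',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'Administrator',
    'DOMAIN\Domain Admins',
    'DOMAIN\jdoe',
    'DOMAIN\helpdesk-temp',
    'The command completed successfully.',
    ''
)
# Fixed list plus the primary user; DOMAIN\jdoe is a constructed stand-in for the CCM_UserAffinity ConsoleUser
$expected = @('Administrator', 'DOMAIN\Domain Admins', 'DOMAIN\myadminuser', 'DOMAIN\jdoe')

$result = Test-LocalAdminCompliance -Expected $expected -Actual @(Get-LocalGroupMembersFromNet $sample)
$result | Format-List
# On a live client: $actual = @(Get-LocalGroupMembersFromNet (net localgroup administrators))
# and return $result.Compliant as the CI discovery value
```

Logging `Missing` and `Extra` from the discovery script gives you an audit trail of who was added to local admins outside the process, which the plain True/False result does not.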
