Workstation Security Via Policy

[Rob]

I'd like to make some domain users administrators on their local PC. Problem
being this creates some security issues.

I've created a group on the domain called "Local Admins". I then pushed out
a policy that adds "Local Admins" to the administrators group on the local
pc of this particular OU. The members of the "local Admins" group are now
local pc administrators but they are also allowed administrator access to
other workstations within the OU.

My attempt to fix this was adding the "Local Admins" group to the "Deny
Access to this computer from the network" policy under Computer
Configuration > Windows Settings > Security Settings > Local Policies > User
Rights Assignment. This blocks the "Local Admins" members from browsing
other workstations but it also prevents the members of these groups from
sharing printers etc. I want to give the users administrator rights but I
don't want them accessing other peoples pc's. The only exception being
access to shared printers or documents. Even if I give the member of the
"Local Admins" group full rights to the shared printer they get an access
denied screen due to the "Deny Access to this computer from the network"
policy.

Is there an easier way of going about this?

Please HELP! -Rob

 

[Oli Restorick [MVP]]

Another approach, not necessarily better, but different, is to create a new
OU and move those workstations into it. Then apply a policy that adds
"interactive" to the local administrators group. That way, anyone logging
in locally gets to be an admin.

Of course, other users can now go to that PC and log in locally. You could,
however, do this AND modify the "Log on locally" right for those machines.
Be careful, though, otherwise you could end up with a bunch of machines that
nobody can log into.

Regards

Oli

 

[Steven L Umbach]

You may want to add the individual users domain account to the local administrators
group on just their computer which will not be as easy but will improve security. ---
Steve