If you have a long list of users with administrative rights, there’s a good chance you’ve granted excessive privileges to accounts that don’t need them. Your IT staff then has no real control over local Administrators or the desktops they sit on. This can lead to privilege abuse, which is one of the leading causes of data leakage, insider threats, and downtime of systems and applications essential for business operations.

There are three steps you can take to bring your local Administrators group membership under control.

Step 1. Remove the domain user account

The first step to secure the local Administrators group is to remove the domain user account from the local Administrators group. But before you do this, you need to consider the impact of removing administrator privileges from the user. There may be several business applications they need admin privileges to access. There may also be system tasks that the user can’t run without the required admin privileges. On top of that, the user will not be able to install applications, as this requires administrator privileges.

The cleanest solution is to use Group Policy Preferences (GPP) to remove domain user accounts. Navigate to User Configuration > Preferences > Control Panel Settings > Local Users and Groups > New > Local Group to open the New Local Group Properties dialog box, as seen in Figure 1. By selecting Remove the current user, you affect every user account that falls within the scope of management of the GPO.

Figure 1. Local Group GPP allows you to control local Administrators group membership.

Step 2. Add the Domain Admins global group and local Administrator account

The next thing you need to do is ensure the Domain Admins global group and the local Administrator account are both added to the local Administrators group in every desktop.

Many organizations use Restricted Groups policy to do this, but the problem is that Restricted Groups policy overwrites the existing local group membership and resets it to whatever you configured last. This means that every time the policy refreshes, the local group membership is forced back to what is defined in the Restricted Groups setting, and anything added locally in the meantime is discarded. Ideally, you’re adhering to a least-privilege model and most of your users will not have access to manage the local Administrators group anyway.

By using the Local Users and Groups policy mentioned in Step 1, you can not only remove the currently logged-on user, but also add the two key accounts that ensure the correct administrative privileges are set on each desktop, as shown in Figure 2.

Figure 2. Managing the local Administrators group membership is easy.

Step 3. Remove specific accounts

Another important step in securing the local Administrators group is to ensure that only the necessary accounts have membership. Often, you will have added certain domain groups to the local Administrators group to perform tasks or complete projects. Once these groups are no longer needed in the local Administrators group, you can remove them using the same Local Users and Groups policy.

In the New Local Group Properties window shown in Figure 2, you can also include accounts in the policy that need to be removed. Select the Remove from this group option when you add the accounts to the policy as shown in Figure 3.

Figure 3. Removing a specific user or group from the local Administrators group.

You will now have complete control over the membership of the local Administrators group, ensuring optimal security.

Managing Group Policy using just the native AD group policy management tools can have administrators toggling between multiple consoles, which is mundane and time-consuming. ADManager Plus is a web-based Active Directory management and reporting tool that helps manage Group Policy Objects (GPOs) for multiple domains in just a few clicks. It also provides pre-built GPO reports that swiftly fetch GPO-related information.
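To verify that the three steps above actually took effect on a given desktop (and to catch drift between Group Policy refreshes), the following PowerShell script compares the local Administrators group against the target membership this article prescribes: the Domain Admins global group plus the built-in local Administrator. It is an added example, not part of the original article or any product; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), and the domain name CONTOSO is a placeholder.

```powershell
# Added example: audit (and optionally enforce) local Administrators membership.
# Run locally with administrative rights. Without -Enforce it only reports.
param(
    [string]$Domain = 'CONTOSO',   # placeholder; replace with your NetBIOS domain name
    [switch]$Enforce               # remove excess members and add missing ones
)

$group = 'Administrators'

# Resolve the built-in local Administrator by its well-known RID (500),
# so the account is recognised even if it has been renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# The only two principals Steps 1-3 leave in the group.
$allowed = @(
    "$Domain\Domain Admins",
    "$($env:COMPUTERNAME)\$($builtinAdmin.Name)"
)

# Enumerate current membership. Orphaned SIDs (deleted domain accounts) can make
# Get-LocalGroupMember throw, so surface that rather than silently reporting "clean".
try {
    $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
} catch {
    Write-Warning "Could not enumerate $group on $($env:COMPUTERNAME): $_"
    return
}

$current = @($members | ForEach-Object { $_.Name })

# Anything not in the allowed list is excess (Step 1 and Step 3 drift);
# anything allowed but absent is missing (Step 2 drift).
$excess  = @($current | Where-Object { $allowed -notcontains $_ })
$missing = @($allowed | Where-Object { $current -notcontains $_ })

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Compliant = ($excess.Count -eq 0 -and $missing.Count -eq 0)
    Excess    = ($excess -join '; ')
    Missing   = ($missing -join '; ')
} | Format-List

if ($Enforce) {
    foreach ($m in $excess)  { Remove-LocalGroupMember -Group $group -Member $m }
    foreach ($m in $missing) { Add-LocalGroupMember    -Group $group -Member $m }
}
```

Run it as a report first across a sample of desktops (for example through Invoke-Command) and only add -Enforce once the Excess column shows nothing that a business application still depends on.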

Summary

IT teams have no control over a desktop when the user holds local administrative privileges. It’s important that you take back control of desktops and secure the local Administrators group, which you can accomplish using Group Policy Preferences. Using only the native tools provided by Active Directory is difficult and time-consuming. ADManager Plus is a comprehensive solution that helps you manage GPOs in just a few clicks. Download the latest version here for free.