This project describes how to use the Active Directory group policies to restrict access on domain member servers.
The needs are the following :
- Unauthorize remote logon (RDP) for the service accounts
- Add the service accounts to the local Administration group
- Add specific users or groups to a specific server or server group
- Remove the “Domain admins” group from the local administrators of the servers
You can apply this GPO on Windows 2008R2 and Windows 7 (check before if the update KB976399 is installed http://support.microsoft.com/kb/976399). If you want to use this GPO on Windows 2003, you must install the update “Group Policy Preference Client Side Extensions for Windows Server 2003 (KB943729)” first.
The advantages of this group policy are the following :
- you will be able to know who is authorized to connect on a specific server or server group
- service account will not be able to remote logon on your servers
- improve general security on your servers
Follow these steps :
- all service accounts must be only members of the “Domain Users” group
- create a group called for example “ServiceAccounts”
- add all of your service accounts to the group “ServiceAccounts”
- create groups for your servers. Each group can be named using the main function of these servers. For example :
- GPO-Server-Human Resources
- GPO-Server-Databases
- GPO-Server-VMware
- …
- add the computer accounts to the corresponding groups created above. A computer account can belong to more than one group
- create a new GPO and link it to the root of the domain or to the OU where the computer accounts are located
- set the following parameters (you must keep “Administrators (built-in) (Order: 1)” to the first place because this preference purge the local Administrators group) :
- Computer Configuration (Enabled)
- Policies > Windows Settings > Security Settings > Local Policies/User Rights Assignment
- Computer Configuration (Enabled)
| Policy | Setting |
|---|---|
| Allow log on locally | BUILTIN\Administrators |
| Allow log on through Terminal Services | BUILTIN\Administrators |
| Deny log on through Terminal Services | DOMAIN\ServiceAccounts |
| Log on as a batch job | DOMAIN\ServiceAccounts |
| Log on as a service | DOMAIN\ServiceAccounts |
- Preferences > Control Panel Settings > Local Users and Groups
Group (Name: Administrators (built-in))
Administrators (built-in) (Order: 3)
Local Group
| Action | Update |
Properties
| Group name | Administrators (built-in) |
| Description | Administrators have complete and unrestricted access to the computer/domain |
| Delete all member users | Disabled |
| Delete all member groups | Disabled |
Add members
| DOMAIN\Group-VMware Admin Users | S-1-5-21-123456789-1234567890-123456789-12345 |
Common
Options
| Stop processing items on this extension if an error occurs on this item | No |
| Remove this item when it is no longer applied | No |
| Apply once and do not reapply | No |
Item-level targeting: Security Group
| Attribute | Value |
|---|---|
| bool | OR |
| not | 0 |
| name | DOMAIN\GPO-Server-VMware |
| sid | S-1-5-21-123456789-1234567890-123456789-22222 |
| userContext | 0 |
| primaryGroup | 0 |
| localGroup | 0 |
Description
| VMware team |
Administrators (built-in) (Order: 2)
Local Grouphide
| Action | Update |
Properties
| Group name | Administrators (built-in) |
| Description | Administrators have complete and unrestricted access to the computer/domain |
| Delete all member users | Disabled |
| Delete all member groups | Disabled |
Add members
| DOMAIN\Group-Database Admin Users | S-1-5-21-123456789-1234567890-987456123-12345 |
Common
Options
| Stop processing items on this extension if an error occurs on this item | No |
| Remove this item when it is no longer applied | No |
| Apply once and do not reapply | No |
Item-level targeting: Security Group
| Attribute | Value |
|---|---|
| bool | AND |
| not | 0 |
| name | DOMAIN\GPO-Servers-Database |
| sid | S-1-5-21-123456789-1234567890-123456789-55555 |
| userContext | 0 |
| primaryGroup | 0 |
| localGroup | 0 |
Description
| Database team |
Administrators (built-in) (Order: 1)
Local Group
| Action | Update |
Properties
| Group name | Administrators (built-in) |
| Description | Administrators have complete and unrestricted access to the computer/domain |
| Delete all member users | Enabled |
| Delete all member groups | Enabled |
Add members
| DOMAIN\ITSystemTeam | S-1-5-21-123456789-1234567890-987456123-54321 |
| DOMAIN\ServiceAccounts | S-1-5-21-123456789-1234567890-987456123-98765 |
Remove members
| DOMAIN\Domain Admins | S-1-5-21-123456789-1234567890-987456123-85241 |
Common
Options
| Stop processing items on this extension if an error occurs on this item | No |
| Remove this item when it is no longer applied | No |
| Apply once and do not reapply | No |
Description
| Default Security rights |
Group policy – Server access restriction