This project describes how to use Active Directory group policy to restrict access on domain member servers.
The requirements are the following:
  • Deny remote logon (RDP) to the service accounts
  • Add the service accounts to the local Administrators group
  • Add specific users or groups to the local administrators of a specific server or server group
  • Remove the “Domain Admins” group from the local administrators of the servers
You can apply this GPO on Windows 2008 R2 and Windows 7 (check first that update KB976399 is installed: http://support.microsoft.com/kb/976399). If you want to use this GPO on Windows 2003, you must first install the update “Group Policy Preference Client Side Extensions for Windows Server 2003 (KB943729)”.
The advantages of this group policy are the following:
  • you will know who is authorized to connect to a specific server or server group
  • service accounts will not be able to log on remotely to your servers
  • the general security of your servers is improved

Follow these steps:
  • all service accounts must be members of the “Domain Users” group only
  • create a group, called for example “ServiceAccounts”
  • add all of your service accounts to the group “ServiceAccounts”
  • create groups for your servers. Each group can be named after the main function of the servers it contains, for example:
    • GPO-Server-Human Resources
    • GPO-Server-Databases
    • GPO-Server-VMware
  • add the computer accounts to the corresponding groups created above; a computer account can belong to more than one group
  • create a new GPO and link it to the root of the domain or to the OU where the computer accounts are located
  • set the following parameters (“Administrators (built-in) (Order: 1)” must stay in first place, because that preference purges the local Administrators group and the items ranked after it then add their members):
    • Computer Configuration (Enabled)
      • Policies > Windows Settings > Security Settings > Local Policies/User Rights Assignment
        Policy                                    Setting
        Allow log on locally                      BUILTIN\Administrators
        Allow log on through Terminal Services    BUILTIN\Administrators
        Deny log on through Terminal Services     DOMAIN\ServiceAccounts
        Log on as a batch job                     DOMAIN\ServiceAccounts
        Log on as a service                       DOMAIN\ServiceAccounts
      • Preferences > Control Panel Settings > Local Users and Groups
        Group (Name: Administrators (built-in))

        Administrators (built-in) (Order: 3), Local Group
          Action: Update
          Properties
            Group name:                Administrators (built-in)
            Description:               Administrators have complete and unrestricted access to the computer/domain
            Delete all member users:   Disabled
            Delete all member groups:  Disabled
          Add members
            DOMAIN\Group-VMware Admin Users    S-1-5-21-123456789-1234567890-123456789-12345
          Common options
            Stop processing items on this extension if an error occurs on this item:  No
            Remove this item when it is no longer applied:                            No
            Apply once and do not reapply:                                            No
          Item-level targeting: Security Group
            Attribute      Value
            bool           OR
            not            0
            name           DOMAIN\GPO-Server-VMware
            sid            S-1-5-21-123456789-1234567890-123456789-22222
            userContext    0
            primaryGroup   0
            localGroup     0
          Description: VMware team

        Administrators (built-in) (Order: 2), Local Group
          Action: Update
          Properties
            Group name:                Administrators (built-in)
            Description:               Administrators have complete and unrestricted access to the computer/domain
            Delete all member users:   Disabled
            Delete all member groups:  Disabled
          Add members
            DOMAIN\Group-Database Admin Users  S-1-5-21-123456789-1234567890-987456123-12345
          Common options
            Stop processing items on this extension if an error occurs on this item:  No
            Remove this item when it is no longer applied:                            No
            Apply once and do not reapply:                                            No
          Item-level targeting: Security Group
            Attribute      Value
            bool           AND
            not            0
            name           DOMAIN\GPO-Servers-Database
            sid            S-1-5-21-123456789-1234567890-123456789-55555
            userContext    0
            primaryGroup   0
            localGroup     0
          Description: Database team

        Administrators (built-in) (Order: 1), Local Group
          Action: Update
          Properties
            Group name:                Administrators (built-in)
            Description:               Administrators have complete and unrestricted access to the computer/domain
            Delete all member users:   Enabled
            Delete all member groups:  Enabled
          Add members
            DOMAIN\ITSystemTeam                S-1-5-21-123456789-1234567890-987456123-54321
            DOMAIN\ServiceAccounts             S-1-5-21-123456789-1234567890-987456123-98765
          Remove members
            DOMAIN\Domain Admins               S-1-5-21-123456789-1234567890-987456123-85241
          Common options
            Stop processing items on this extension if an error occurs on this item:  No
            Remove this item when it is no longer applied:                            No
            Apply once and do not reapply:                                            No
          Description: Default Security rights
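The group preparation steps above (ServiceAccounts group, one group per server function, computer accounts as members) can be scripted with the ActiveDirectory PowerShell module. The script below is an added example and is not part of the original post: the OU path, the service account names and the server names are constructed placeholders, and the helper names (Ensure-ADGroup, Add-MemberIfMissing) are my own. It also checks the first step, that each service account is a member of nothing but “Domain Users” and “ServiceAccounts”.

```powershell
# Added example (not from the original post): provision the AD groups the procedure relies on.
# Run with an account that may create groups. All names below are assumed/constructed.
Import-Module ActiveDirectory

$GroupOU         = 'OU=Groups,DC=corp,DC=example'               # assumed OU for the new groups
$ServiceAccounts = @('svc-sql', 'svc-backup', 'svc-vcenter')    # constructed sample service accounts

# One group per server function; a computer account may belong to several groups
$ServerGroups = @{
    'GPO-Server-Human Resources' = @('HRSRV01', 'HRSRV02')
    'GPO-Server-Databases'       = @('SQLSRV01')
    'GPO-Server-VMware'          = @('VC01', 'SQLSRV01')         # SQLSRV01 is in two groups
}

function Ensure-ADGroup {
    # Returns the global security group $Name under $Path, creating it if it does not exist
    param([string]$Name, [string]$Path, [string]$Description = '')
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security `
                -Path $Path -Description $Description -PassThru
}

function Add-MemberIfMissing {
    # Adds $Member to $Group only when it is not already a member (keeps the script re-runnable)
    param($Group, $Member)
    $current = Get-ADGroupMember -Identity $Group | ForEach-Object { $_.DistinguishedName }
    if ($current -notcontains $Member.DistinguishedName) {
        Add-ADGroupMember -Identity $Group -Members $Member
    }
}

# 1. Service accounts: all of them in "ServiceAccounts", and otherwise plain Domain Users
$saGroup = Ensure-ADGroup -Name 'ServiceAccounts' -Path $GroupOU -Description 'Service accounts (RDP denied by GPO)'
$allowedMemberships = @('Domain Users', 'ServiceAccounts')
foreach ($acct in $ServiceAccounts) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$acct'"
    if (-not $user) { Write-Warning "Service account $acct not found"; continue }
    Add-MemberIfMissing -Group $saGroup -Member $user
    $extra = Get-ADPrincipalGroupMembership -Identity $user | Where-Object { $allowedMemberships -notcontains $_.Name }
    if ($extra) {
        Write-Warning ('{0} is also a member of: {1}' -f $acct, (($extra | ForEach-Object { $_.Name }) -join ', '))
    }
}

# 2. Server groups used by the item-level targeting, with their computer accounts
foreach ($groupName in $ServerGroups.Keys) {
    $group = Ensure-ADGroup -Name $groupName -Path $GroupOU -Description 'Server group for the access restriction GPO'
    foreach ($computerName in $ServerGroups[$groupName]) {
        $computer = Get-ADComputer -Filter "Name -eq '$computerName'"
        if (-not $computer) { Write-Warning "Computer account $computerName not found"; continue }
        Add-MemberIfMissing -Group $group -Member $computer
    }
}

# 3. Report the memberships so they can be reviewed before the GPO is linked
foreach ($groupName in @('ServiceAccounts') + @($ServerGroups.Keys)) {
    $members = Get-ADGroupMember -Identity $groupName | ForEach-Object { $_.SamAccountName }
    '{0}: {1}' -f $groupName, ($members -join ', ')
}
```

Because the Order 1 item purges the local Administrators group on every targeted server, review the report from step 3 before linking the GPO: a computer account placed in the wrong group silently gets the wrong set of administrators.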
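Once the GPO has applied (gpupdate /force on the server), it is worth checking the result on a member server rather than trusting the GPMC report. The script below is an added example, not from the original post: it checks the prerequisite update named above (KB976399), exports the user rights the GPO sets with secedit, and lists the effective local Administrators membership through the ADSI WinNT provider (which, unlike Get-LocalGroupMember, exists on Windows 2008 R2 and 2003). It assumes it runs elevated in a domain user's session, so that $env:USERDOMAIN is the domain's NetBIOS name; the group names “ServiceAccounts” and “Domain Admins” are those used in the post.

```powershell
# Added example (not from the original post): audit a member server after the GPO has applied.
# Assumption: run elevated as a domain user, so $env:USERDOMAIN is the domain NetBIOS name.
$Domain = $env:USERDOMAIN

function Test-GppHotfix {
    # $true when the Group Policy Preferences update the post asks for is installed
    [bool](Get-HotFix -Id 'KB976399' -ErrorAction SilentlyContinue)
}

function Get-LocalAdministrators {
    # Lists local Administrators as DOMAIN\Name or COMPUTER\Name via the ADSI WinNT provider
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Resolve-Sid {
    # secedit writes well-known accounts by name and everything else as *S-1-5-...; translate the latter
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Entry }
}

function Get-UserRightsAssignment {
    # Exports the local security policy and parses [Privilege Rights] into @{ SeXxxRight = @(accounts) }
    $tmp = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { Resolve-Sid $_.Trim() })
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $rights
}

# Policy names as shown in the GPO report, mapped to the constants secedit uses
$PolicyNames = @{
    'Allow log on locally'                   = 'SeInteractiveLogonRight'
    'Allow log on through Terminal Services' = 'SeRemoteInteractiveLogonRight'
    'Deny log on through Terminal Services'  = 'SeDenyRemoteInteractiveLogonRight'
    'Log on as a batch job'                  = 'SeBatchLogonRight'
    'Log on as a service'                    = 'SeServiceLogonRight'
}

if (-not (Test-GppHotfix)) { Write-Warning 'KB976399 is not installed; Group Policy Preferences may not apply' }

$rights = Get-UserRightsAssignment
foreach ($policy in $PolicyNames.Keys) {
    '{0}: {1}' -f $policy, (@($rights[$PolicyNames[$policy]]) -join ', ')
}
if (@($rights['SeDenyRemoteInteractiveLogonRight']) -notcontains "$Domain\ServiceAccounts") {
    Write-Warning "$Domain\ServiceAccounts is not denied RDP logon on this server"
}

$admins = @(Get-LocalAdministrators)
'Local Administrators: ' + ($admins -join ', ')
if ($admins -contains "$Domain\Domain Admins") {
    Write-Warning 'Domain Admins is still a local administrator: check that the Order 1 item (purge) was processed first'
}
```

The two warnings at the end correspond to the two goals of the post that are easiest to get wrong: the deny right not reaching a server (wrong OU link or missing update), and the Order 1 purge not running before the items that add members.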

Group policy – Server access restriction
