Developing Group Policies that Affect Administration

As mentioned earlier in the chapter, Active Directory group policy objects (GPOs) can be leveraged to manage and maintain a company's administration policies. This section will outline some industry best practices for controlling administrative delegation through GPOs. For more detailed information on using Group Policies, see Chapter 6.

If You Are Enforcing Administrative Policies...

that apply to member servers, computer accounts, or user accounts, create an OU structure to group these objects, and then link your GPOs to the appropriate OUs. If your policies are to apply domainwide, you should link the GPOs to the domain. More tips on linking GPOs to Active Directory containers can be found in Chapter 6.


Linking Group Policies to the Appropriate Containers

Because policies that apply to administrative access within Active Directory are directly related to Domain Controllers, the scope of your group policy objects should be applied to the Domain Controllers container. You can edit the existing Default Domain Controllers policy or create additional GPOs and link them to the Domain Controllers container. You can also use the Default Domain Controller Security Settings snap-in.

Enforcing a Complex Administrator Password via Group Policy

Many of the policy settings available for managing administration can be found by navigating through the GPO Editor to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. For example, in Figure 4.7, a policy is set to rename the local administrator password, which could be a standard policy setting applied to all file servers in a particular domain.

Figure 4.7. Enforcing Local Password Policy


Restricting Administrative Group Memberships

To enforce group membership, like the static membership of the Domain Admins group, set a Restricted Groups policy. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. To create a Restricted Groups policy, perform the following steps:

  1. In the Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Groups as shown in Figure 4.8.

    Figure 4.8. Creating a Restricted Groups policy.


  2. Right-click Restricted Groups, and select Add Group. Type in the name of the group or click Browse for Group.

  3. Click the Add button, and then type the names of the security principals that will belong to this group. Click OK.

  4. Click OK again to finalize the process.

Delegating Rights with Group Policies

You can also use group policies to delegate rights not available in the Delegation of Control Wizard but required for some administrative tasks. These settings are found in the GPO Editor by navigating to Computer Configuration\Windows Settings\Security Settings\Local Policies. For example, standard user accounts do not by default have the right to log on to a Domain Controller locally. Although most maintenance tasks on Domain Controllers can be accomplished without a local logon, if a particular maintenance task requires a local logon, you could grant the right to a group by performing the following configuration on the Default Domain Controller GPO:

  1. In the Group Policy Object Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

  2. In the right-hand pane, double-click Allow Log On Locally.

  3. Select the Define these Policy Settings box.

  4. Click the Add User or Group button.

  5. Type the Group name and click OK.

  6. Click OK again to finalize the change.
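Both the Restricted Groups policy and the "Allow log on locally" right configured above are stored by the GPO in a GptTmpl.inf security template in SYSVOL. As an added example (not from the book), the following Python script parses a constructed template, extracts the restricted group and the logon right, and models the add/remove behaviour the Restricted Groups section describes; the template contents and SIDs are constructed placeholders.

```python
# Constructed sample GptTmpl.inf (stored under the GPO's MACHINE\Microsoft\
# Windows NT\SecEdit\ folder in SYSVOL). All SIDs below are placeholders.
SAMPLE_GPTTMPL = """\
[Group Membership]
*S-1-5-21-1000-2000-3000-512__Memberof =
*S-1-5-21-1000-2000-3000-512__Members = *S-1-5-21-1000-2000-3000-500,*S-1-5-21-1000-2000-3000-1105
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1110
"""


def parse_template(text):
    """Parse the INI-style template into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def split_sids(value):
    """'*SID,*SID' -> ['SID', 'SID']; an empty value yields []."""
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]


def restricted_groups(sections):
    """{group_sid: [member_sids]} from the [Group Membership] section."""
    result = {}
    for key, value in sections.get("Group Membership", {}).items():
        group, _, kind = key.rpartition("__")
        if kind == "Members":
            result[group.lstrip("*")] = split_sids(value)
    return result


def plan_enforcement(policy_members, current_members):
    """Model a Restricted Groups refresh: current members not on the policy's
    Members list are removed, listed principals that are missing are added."""
    policy, current = set(policy_members), set(current_members)
    return {"remove": sorted(current - policy), "add": sorted(policy - current)}


def interactive_logon_sids(sections):
    """Principals granted 'Allow log on locally' (SeInteractiveLogonRight)."""
    rights = sections.get("Privilege Rights", {})
    return split_sids(rights.get("SeInteractiveLogonRight", ""))
```

Running plan_enforcement against a group's live membership shows exactly which principals the next policy refresh will add or remove, which is useful for checking a GPO before linking it to the Domain Controllers container.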

Editing the Default Domain Controller Security Policy

The previous change can also be accomplished by editing the Default Domain Controller Security Policy.


Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325