Question : Restricted Groups Best Practice

We are currently migrating all of our servers to the cloud and strenghthening our security on our servers and have a few questions.

Our Setup:

I have started to utilize Restricted Groups in Group Policy to give admin rights to groups of servers (Database servers allow DB Admins and Admins to control, Web servres allow Web Admins and Admins, etc..)

I have this set up as follows:

- Create a group policy Database Users
- Unlink Authenticated Users from group policy, link local security group Database Servers (members are database servers)
- Create local security group Database Admins (members are Database Administrator accounts)

In the Group Policy I added the Database Admins group and our company admins accounts.

We are getting to the point I either need to rethink my procedure and implement it now or keep what I am doing and add to it.

We will be having servers in multiple cities in the cloud and I want to setup group policies to allow only the local city admins to have control of these servers, specific admins (DB Admins - will be scattered nation wide), and corporate admins (who can administer everything)

If I create a group policy and pertaining local security groups for each scenario (just like the DB Admins is already) would one trump another?

What would be a good way of doing this?

If I start to implement a new way would I need to reboot the servers? I am guessing no...

Just looking for input on how we should go about this.

Answer : Restricted Groups Best Practice

Hi,

Restricted groups policies won't merge... I mean, if you create several GPOs containing restricted groups settings to control the same local group, the last applied GPO overwrites what the previous have done.

In fact, a restricted group policy force the content of a local group to match exactly what is explicitely done in the GPO, nothing more, nothing less.

So if you really want to use restricted groups to reach your goal you must ensure that for a specific local group only ONE GPO applies on each server and that GPO force the whole content of the local group.

You can use several Restricted Groups GPO to control several local groups until 2 of these GPOs never act one the same local group.

If I understood well your case you want some specific global groups to be member of Admin local group depending of the location, other specific global group if the server is member of "DB servers" computers group...
In my opinion this seems impossible to obtain by a reasonable way using restricted groups, because you woudl be force to have one GPO for each combination of location and server class.
And the more server classes you have the less it is possible because the number of combinations is exponential.

In my opinion, only scripting is able to give you a good solution. Let's imagine that:

1) you have a first GPO containing a startup script that remove all global groups in the "Administrators" and add the corporate admins global group only.
2) you have another GPO containing a startup script that add the city admins global group in the "Administrators" local group depending of the AD site (example: one GPO per AD site or only one GPO but with the script acting differently depending of the AD site).
3) you have a third GPO that add "DB admins" global group to "Administrators" local group.
4) you have a fourth GPO that add "Web admins" global group to "Administrators" local group.

Then you make things on GPO priority so that the first GPO is applied at first.
For the third GPO you use group filtering to apply GPO only if the server is member of "DB servers"
For the fourth GPO you use group filtering to apply GPO only if the server is member of "Web Servers"
The applying order between 2nd, 3rd and 4th GPOs is not important because these scripts only add new members in "Administrators" and remove nothing

Another way is to have a unique script that makes tests of memberships and acts differently depending of server membership. This simplifies the GPO structure but make the script more complicated.

The problem if you use scripting is that "startup scripts" only run once at server startup. So changes in "Administrators" groups will only apply or re-apply at reboot.

Have a good day.

Random Solutions

Installing a new CPU and adding more RAM to PC

What is and how does HP uniform Drivers work?

Exchange 2007 pop3

command line to open Network Connections in Windows XP

Windows Server®2008SP2, Standard Edition,x86 or 64 bit for terminal server?

coldfusion cfinvoke error java.net.MalformedURLException: For input string:

CRM window is blocked after running caspol.exe

Organize exchange emails on SBS2008 - Multiple domains, set for specific users

cfapplication sessionTimeout question