Delegation of Privileges within your Infrastructure – Controlling Access to AD, Servers and PCs
We just completed a project focused on:
1. Active Directory Delegation
2. Controlling Access to PCs, Servers and Services
within a Windows 2003 environment with approximately 200 servers and 4000 users spread over a distributed environment. The server environment consisted of NT 4.0, 2000 and 2003 servers; the desktop environment was a mix of NT 4.0, 2000 and XP clients.
To help achieve the two goals above we followed the guidance and best practices outlined in the following whitepapers:
1. Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
2. The Services and Service Accounts Security Planning Guide
http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx
As part of this process it was agreed that access to member servers had to be given to a certain group of users who needed administrator rights on those servers. Another group of users also required administrator access to the PC environment, which consisted of NT 4.0, 2000 and XP clients.
The IT department wanted to be able to control membership of these groups, adding and removing individuals as and when required.
We were then faced with the question of how to do this with minimal user disruption and minimal effort from the IT department.
We had two options:
1. Group Policy: simply add a computer startup script that would add the respective domain groups to the local groups on the PCs and servers.
There were a number of issues with this approach. Firstly, it was not practical to reboot servers just to pick up a startup script; secondly, it is difficult to monitor the success of such a GPO; and finally, because the customer still had approximately 300 NT 4.0 PCs and a number of NT 4.0 servers, GPO startup scripts would not run against these at all.
2. The second option was to write a script that would:
a. First ping each PC/server to check whether it was online
b. Check whether the group you wished to add was already a member of the local group
c. If not, add the group
d. Then write a log file in Excel spreadsheet format recording the outcome of each of the above stages, so that you can monitor how many PCs/servers were completed or not.
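The four stages above, as an added PowerShell example written for this page (it is not the article's script, nor Dick Lewis's). The computer list path, the domain CORP, the group Server-Admins and the log path are placeholder assumptions; the account running it is assumed to already be an administrator on the targets.

```powershell
# Added example: adds a domain group to a local group on each listed computer and
# records the outcome of every stage in a CSV log that opens in Excel.
# Placeholders (assumptions, not values from the article): C:\Scripts\computers.txt,
# domain CORP, group Server-Admins, log path C:\Scripts\AddLocalGroup-log.csv.
param(
    [string]$ComputerList = 'C:\Scripts\computers.txt',
    [string]$Domain       = 'CORP',
    [string]$GroupName    = 'Server-Admins',
    [string]$LocalGroup   = 'Administrators',
    [string]$LogFile      = 'C:\Scripts\AddLocalGroup-log.csv'
)

$memberPath = "WinNT://$Domain/$GroupName,group"   # ADSI path of the group to add
$results    = @()

foreach ($computer in Get-Content $ComputerList) {
    $row = New-Object PSObject -Property @{
        Time = (Get-Date -Format s); Computer = $computer; Online = $false
        AlreadyMember = $false; Added = $false; Error = ''
    }
    # a. Ping first; an offline machine is just logged and picked up on the next run.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        $results += $row; continue
    }
    $row.Online = $true
    try {
        # b. Bind to the local group via the ADSI WinNT provider and list its members.
        $group   = [ADSI]"WinNT://$computer/$LocalGroup,group"
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        if ($members -contains "WinNT://$Domain/$GroupName") {
            $row.AlreadyMember = $true       # nothing to do, record it
        } else {
            # c. Not yet a member: add the domain group to the local group.
            $group.Add($memberPath)
            $row.Added = $true
        }
    } catch {
        $row.Error = $_.Exception.Message    # e.g. access denied, RPC unavailable
    }
    $results += $row
}

# d. One CSV line per computer so completed/outstanding machines can be counted.
$results | Select-Object Time, Computer, Online, AlreadyMember, Added, Error |
    Export-Csv -Path $LogFile -NoTypeInformation
```

Re-running the script is safe: machines already holding the group are only logged as AlreadyMember, and offline machines are logged as Online=False for the next pass.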
The first thing we did was to check whether such a script had already been written. Luckily we found a script that ticked all of the boxes above and much more. The script is available at http://www.scriptingprovip.com/Article/ArticleID/23042/23042.html in an article by Dick Lewis called Real-World Scripting: Adding a Local Group. It is an excellent script that saved us a lot of time and effort, not only in solving the issue but also in writing such a script ourselves. To download the script you must subscribe to the article.
A sample screenshot of the report which is generated each time the script is run can be seen below:

We scheduled this script to run twice a day, and within two days we had completed the task on practically all of the targeted PCs and servers.