Restricted Groups – Locks down workstations and servers too much


I am a developer not a sysadmin but I was recently asked to lock down the workstations – in terms of stopping users from adding software. I followed the online articles on adding domain admins and specific users to the restricted group category in the GPO and now all hell has broken loose. I have users that cannot change the time, access My Documents and server services that cannot start. The servers are most puzzling as the services are set to run with accounts that are members of domain admins.

I am now faced with regressing the GPO policy which does not seem to have a long-term effect and then address the issue all over again.

Solution:

OK, you need to approach this carefully rather than just leap in. You wouldn’t just sit down and code without thinking of what you were trying to achieve, and nor would you roll out untested code into an enterprise environment. This is no different. Once you’ve removed/reverted all the changes you’ve made…

Firstly, do not change the default domain policy. About the only thing you might want to change here is password security settings (and I’m sure someone will be along shortly to tell you I’m wrong there too and you shouldn’t do that either…).

I suggest that you don’t lock things down unless you really need them locked down. You need to think about what the exact problem is that you have been asked to solve when you were told to “lock down the workstations” and concentrate just on things that will help solve that problem rather than disabling everything in sight; which, forgive me, it sounds like you’ve done. If you’re unsure what the objectives are for “locking down the workstations” then get clarification… aside from anything else, people in different jobs need different levels of “openness” – there’s a big difference between what’s appropriate for a sales agent in a big company who only ever runs a web browser, an email client and a bespoke sales package and a developer, for example.

Create an OU structure that reflects the business, along the lines where it might be logical to group machines and possibly users too. Think and plan what you are trying to achieve, how it might apply to different groups of computers and of users, think about any “exceptions”. Take some time doing this.

Set GPOs at these levels and use separate GPOs for user settings and machine settings – e.g. you might have a structure like this:

My Org
    Sales
    Administrative
    IT
        Developers
        Network Admins

Yeah I know, lousy diagram but understandable I hope?

So you might apply settings that you want everyone to have at the “My Org” level, settings you want everyone in the IT function to have at the “IT” level, and at the “Sales” and “Developers” level you might have a few machine GPOs that install software used on machines in that department.

Don’t over-complicate things; the structure I outline above is clearly overkill for a small business with 8 people in it, 4 of whom are all developers and which doesn’t have a separate “network admins” function… but it gives an idea of how things might be reasonably laid out.

With things set up the way you want, create a test user and a test computer (virtualisation is your friend) to place in various OUs so you can test how things work. Don’t move real users and real computers into this structure until you understand how the settings work and interact with each other and until you’re reasonably sure you’ve got some good baseline settings.

Lastly, document everything you do. GPOs are somewhat self-documenting, but it’s still wise to have notes.
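The procedure the answer describes (build the OU tree from the diagram, link separate user and computer GPOs at each level, leave the Default Domain Policy alone, then drop a test user and a test computer into the structure and inspect what applies before moving real accounts) can be scripted. The following is an added example, not code from the original post or its author; it assumes the ActiveDirectory and GroupPolicy PowerShell modules are available on a domain-joined admin host, and the domain DN `DC=corp,DC=example`, the GPO names and the test account names are placeholders to replace with your own.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: builds the OU tree from the answer's diagram, creates one user GPO
# and one computer GPO per OU, links them, and places a test user and test computer
# so the resulting policy can be checked before any real object is moved.
# It deliberately does not touch the Default Domain Policy and does not configure
# Restricted Groups; it only lays out the structure the settings will hang from.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DomainDN = 'DC=corp,DC=example',  # assumption; use (Get-ADDomain).DistinguishedName
    [string]$RootOU   = 'My Org'
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

# OU tree from the diagram: child OU => parent OU (null = directly under the root OU).
# Ordered so that parents are created before their children.
$tree = [ordered]@{
    'Sales'          = $null
    'Administrative' = $null
    'IT'             = $null
    'Developers'     = 'IT'
    'Network Admins' = 'IT'
}

function Get-OUPath {
    # Distinguished name an OU from $tree has (or will have) under the root OU.
    param([string]$Name)
    $chain  = @($Name)
    $parent = $tree[$Name]
    while ($parent) { $chain += $parent; $parent = $tree[$parent] }
    return ((($chain + $RootOU) | ForEach-Object { "OU=$_" }) -join ',') + ",$DomainDN"
}

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    try { Get-ADOrganizationalUnit -Identity $dn | Out-Null; $exists = $true } catch { $exists = $false }
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
}

function New-LinkedGpo {
    # Creates the GPO if absent, disables the half it does not use (user vs. computer
    # settings), and links it to the OU if not already linked.
    param([string]$GpoName, [string]$TargetDN, [ValidateSet('User','Computer')][string]$Kind)
    $gpo = Get-GPO -All | Where-Object DisplayName -eq $GpoName
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment "Added by OU layout script; $Kind settings only" }
    if ($gpo) {
        # Assigning GpoStatus writes straight back to the GPO.
        $gpo.GpoStatus = if ($Kind -eq 'User') { 'ComputerSettingsDisabled' } else { 'UserSettingsDisabled' }
        $linked = (Get-GPInheritance -Target $TargetDN).GpoLinks | Where-Object DisplayName -eq $GpoName
        if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetDN -LinkEnabled Yes | Out-Null }
    }
}

# 1. Root OU plus the tree from the diagram.
New-OUIfMissing -Name $RootOU -ParentDN $DomainDN
foreach ($ou in $tree.Keys) {
    $parentDN = if ($tree[$ou]) { Get-OUPath $tree[$ou] } else { "OU=$RootOU,$DomainDN" }
    New-OUIfMissing -Name $ou -ParentDN $parentDN
}

# 2. Separate user and computer GPOs at every level, baseline at the root.
$rootDN = "OU=$RootOU,$DomainDN"
New-LinkedGpo -GpoName "$RootOU - Baseline Users"     -TargetDN $rootDN -Kind User
New-LinkedGpo -GpoName "$RootOU - Baseline Computers" -TargetDN $rootDN -Kind Computer
foreach ($ou in $tree.Keys) {
    New-LinkedGpo -GpoName "$ou - Users"     -TargetDN (Get-OUPath $ou) -Kind User
    New-LinkedGpo -GpoName "$ou - Computers" -TargetDN (Get-OUPath $ou) -Kind Computer
}

# 3. Test objects only (placeholder names); no real user or machine is moved here.
$testOU = Get-OUPath 'Developers'
if (-not (Get-ADUser -Filter "SamAccountName -eq 'gpo-test-user'")) {
    New-ADUser -Name 'gpo-test-user' -SamAccountName 'gpo-test-user' -Path $testOU `
        -AccountPassword (Read-Host -AsSecureString 'Password for gpo-test-user') -Enabled $true
}
if (-not (Get-ADComputer -Filter "Name -eq 'GPOTEST01'")) {
    New-ADComputer -Name 'GPOTEST01' -Path $testOU
}

# 4. Show, per OU, what is linked directly and what is inherited from above,
#    so a surprise like an Administrators-group rewrite is visible before rollout.
if (-not $WhatIfPreference) {
    foreach ($ou in @($RootOU) + $tree.Keys) {
        $dn  = if ($ou -eq $RootOU) { $rootDN } else { Get-OUPath $ou }
        $inh = Get-GPInheritance -Target $dn
        '{0}: linked=[{1}] inherited=[{2}]' -f $ou,
            ($inh.GpoLinks.DisplayName -join ', '),
            ($inh.InheritedGpoLinks.DisplayName -join ', ')
    }
}
```

Run it first with `-WhatIf` to see which OUs, GPOs and links it would create without changing anything; the script propagates that switch to the `New-*` cmdlets. Once the test computer has been joined and has refreshed policy, `gpresult /h report.html` on it shows exactly which settings (including any Restricted Groups membership rewrite) landed, which is the check worth doing before a single real workstation or server is moved into the tree.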
