Thursday, March 24, 2005

Keeping the admins rooted...

One of the challenges I had to deal with in my work was keeping the standard operating environment (SOE) for our computers as consistent as possible. This means having a common baseline for new client builds as far as security restrictions, installed apps, and look-and-feel are concerned. However, users who are local admins of their computers (most of whom are not aware of security threats, or simply choose to ignore them) make keeping the SOE homogeneous a pain in the butt.

For example, being local admins, these users can remove the default local administrators (domain admins, OU admins, etc.) defined in the SOE and effectively lock those groups out of their computers. This could easily be circumvented via a domain-level (or OU-level) computer startup script which, running under the LocalSystem account, can do virtually anything (net localgroup administrators MyDomain\MyAccount /add, for example). However, this was a no-no as far as the AD team was concerned.

My next suggestion was to create a service (btw, I love doing this on my test PC with instsrv and srvany to automate a lot of stuff, like opening up a cmd shell with root rights --- yes, I always log in as non-root!) but this too was rebuffed.

In the end, I had to use an existing service, with its own service account, that runs on all clients (somewhat similar to an SMS agent, if you are familiar with MS SMS). I use this to execute the following script:

Const conForReading = 1
Const strDomain = "MyDomain"          ' NetBIOS name of the domain the groups live in
file1 = "C:\SOE\admins.txt"           ' list of default admins, one per line (assumed path; the original never sets it)

Set objNetwork = CreateObject("WScript.Network")
Set oFS = CreateObject("Scripting.FileSystemObject")
Set oInputFile = oFS.OpenTextFile(file1, conForReading)

strComputer = objNetwork.ComputerName

' Bind once to the local Administrators group via the WinNT provider.
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Any error (e.g. an entry that is already a member) is ignored and the loop carries on.
On Error Resume Next

While oInputFile.AtEndOfStream <> True
    strUser = Trim(oInputFile.ReadLine)    ' one domain group (or account) name per line
    If Len(strUser) > 0 Then
        ' Add by ADsPath; without a ",group"/",user" suffix the entry may be either.
        objGroup.Add "WinNT://" & strDomain & "/" & strUser
    End If
Wend

oInputFile.Close

The script reads a text file containing a list of the default local admins and adds them to the local Administrators group when the user logs in. It ignores any error returned, so an entry that is already a member does not abort the run; the flip side is that a mistyped entry, or a domain that cannot be reached, fails just as silently. Note also that the script only restores the membership each time it runs: a local admin can remove the groups again afterwards, and they stay removed until the next run.
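An idempotent variant of the same idea, added here as an example (it is not the original post's script and not part of any product): it enumerates the current members of the local Administrators group, adds only the listed entries that are missing, and writes an event-log entry for every entry it could not add instead of hiding all errors behind a blanket On Error Resume Next. It is meant to be run with cscript.exe under the same privileged agent account as the original. The domain name and the list file path are placeholders, and the comparison assumes the list uses the same NetBIOS domain name that the WinNT provider reports for members; if it does not, the script still tries the add and logs the resulting error rather than swallowing it.

```vbscript
' Added example (not from the original post): reconcile the local
' Administrators group against a list of domain groups/accounts.
' Assumptions: strDomain and strListFile below are placeholders.
Option Explicit

Const conForReading = 1
Const EVENT_SUCCESS = 0
Const EVENT_ERROR = 1

Dim strDomain, strListFile
strDomain = "MyDomain"                      ' assumed NetBIOS domain name
strListFile = "C:\SOE\default_admins.txt"   ' assumed path, one name per line

Dim objNetwork, objShell, objFS, objGroup
Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFS = CreateObject("Scripting.FileSystemObject")

' Bind to the local Administrators group via the WinNT provider.
Set objGroup = GetObject("WinNT://" & objNetwork.ComputerName & "/Administrators,group")

' Collect current members keyed by lower-cased ADsPath so the comparison is
' case-insensitive. Domain members enumerate as WinNT://<domain>/<name>.
Dim dictMembers, objMember
Set dictMembers = CreateObject("Scripting.Dictionary")
For Each objMember In objGroup.Members
    dictMembers(LCase(objMember.ADsPath)) = True
Next

Dim objFile, strName, strPath, nAdded, nFailed
nAdded = 0 : nFailed = 0
Set objFile = objFS.OpenTextFile(strListFile, conForReading)
Do Until objFile.AtEndOfStream
    strName = Trim(objFile.ReadLine)
    If Len(strName) > 0 And Left(strName, 1) <> "#" Then   ' skip blank and comment lines
        strPath = "WinNT://" & strDomain & "/" & strName
        If Not dictMembers.Exists(LCase(strPath)) Then
            ' Only entries that are actually missing get an Add, so a
            ' failure here is a real problem worth recording, not noise.
            On Error Resume Next
            objGroup.Add strPath
            If Err.Number <> 0 Then
                nFailed = nFailed + 1
                objShell.LogEvent EVENT_ERROR, "Could not add " & strPath & _
                    " to Administrators: " & Err.Description
                Err.Clear
            Else
                nAdded = nAdded + 1
            End If
            On Error GoTo 0
        End If
    End If
Loop
objFile.Close

' Summary line in the Application log (source "WSH") for the SOE team to check.
objShell.LogEvent EVENT_SUCCESS, "Administrators reconcile: " & nAdded & _
    " added, " & nFailed & " failed"
```

Because the membership check happens before the Add, the script no longer needs to swallow errors to survive entries that are already present, and the event-log entries give the SOE team a way to spot a mistyped group name or a client that cannot reach the domain.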

