What is the best way to ensure that only approved users and domain groups have membership in the local Administrators group on each desktop?
Question
What is the best way to ensure that only approved users and domain groups have membership in the local Administrators group on each desktop?
Solution 1
-
Define a Policy: The first step is to define a policy that only approved users and domain groups should have membership in the local Administrators group. This policy should be communicated to all relevant parties.
-
Use Group Policy: You can use Group Policy to manage local group membership. This can be done by creating a Group Policy Object (GPO) and linking it to the appropriate Organizational Unit (OU) that contains the desktops.
-
Configure Restricted Groups: Within the GPO, you can configure Restricted Groups. This allows you to specify which users or groups should be members of the local Administrators group.
-
Apply the GPO: Once the GPO is configured, it needs to be applied. This can be done by running the "gpupdate /force" command on the desktops or by waiting for the Group Policy refresh interval.
-
Regular Auditing: Regular audits should be conducted to ensure that the policy is being adhered to. This can be done manually or by using tools that can automate the process.
-
Remediation: If any unauthorized users or groups are found during the audit, they should be removed from the local Administrators group and the incident should be investigated to prevent future occurrences.
-
Training and Awareness: Regular training and awareness sessions should be conducted to ensure that all users are aware of the policy and the importance of adhering to it.
Solution 2
-
Define a Policy: The first step is to define a policy that only approved users and domain groups should have membership in the local Administrators group. This policy should be clearly communicated to all relevant parties.
-
Use Group Policy: You can use Group Policy to manage local group membership. This can be done by creating a Group Policy Object (GPO) and linking it to the appropriate Organizational Unit (OU) that contains the desktops.
-
Restricted Groups: Within the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups. Here, you can add the local Administrators group and define which users or groups should be members.
Similar Questions
You want to ensure that a particular GPO is applied to a specific group of computers regardless of their location in the Active Directory hierarchy. Which GPO filtering method should you use?
You are a network administrator responsible for managing GPOs in a Windows domain environment. You need to ensure that a specific GPO is applied to a group of users, but it should not affect the computers they use. Which setting should you configure in the GPO?1.0 MarksUser ConfigurationSecurity FilteringGroup Policy InheritanceWMI FilteringComputer Configuration
6. Which of the following group is created on Windows domain controller computers to allow members to administer domain controllers, but does not allow members to administer user and group accounts?*(a) Domain Operators(b) Server Operators(c) Account Operators(d) Administrators
An intern has started working in the support group. One duty is to set local policy for passwords on the workstations. What tool would be best to use?Select one:system administrationsecpol.mscgrpol.mscpassword policyaccount policy
Which of the following can help you ensure that that only authorized users are accessing your organization's data and applications, and that those users are doing so from secure devices and locations?answerMicrosoft Intune user listsMicrosoft Intune Windows Update for BusinessMicrosoft Intune conditional access policiesMicrosoft Intune AutoPilot
Upgrade your grade with Knowee
Get personalized homework help. Review tough concepts in more detail, or go deeper into your topic by exploring other relevant questions.