BeyondTrust offers a freeware tool called the PowerBroker Privilege Discovery and Reporting Tool (or DART for short) to get you started. It will be good to have a baseline to refer to, and find any rogue or forgotten access. The first step is understanding where administrative access exists. More likely, a security initiative has prompted you to move to a least privilege model and/or better manage administrative accounts on endpoints. But if it were that easy it would already be done, and you wouldn’t need to be reading this post. This is a simple enough, and a quite accurate, statement. On the surface, it is as straight forward as saying, “Ah, users with unnecessary admin rights is bad, Jason”.
In addition, or when a particular scenario is more complex than these allow, scripts can be used to address these.īefore we get into the details, let’s discuss why you are removing admin rights in the first place.
The Local Users and Groups extension allows you to modify the local group membership without overwriting the existing groups. The other option is within Group Policy Preferences. Restricted Groups allows you to overwrite the existing local group with what you have configured in the Group Policy setting.
The first is a Group Policy extension called Restricted Groups. Fortunately, Microsoft provides two mechanisms in Group Policy to manage local group membership. If you have hundreds – or even thousands – of desktops, it is not feasible to do this manually. When embarking on a project to remove administrator rights from users, it is important to understand all of the options available for modifying local group membership on your clients. We’ve updated it with new best practice guidance. Editor’s note: This is a refresh of an older blog post on local admin privileges prior to the LAPS release.
0 kommentar(er)
