
Context: I am a new junior sysadmin and I have inherited a small office workgroup of about 12 Windows machines, production and backup fileservers, and a SQL Server. All user accounts on the fileserver are members of the Administrators group. I realize this creates a vulnerability. Additionally the brass would like to have certain directories on the fileserver off-limits to the general users.

How can I remove my users from Administrators group, and get them into two tiers of regular accounts and avoid inconvenience, production downtime, etc.?

I'm all for automation if feasible, so I'm not scared of scripting in .bat files or PowerShell, although my PowerShell is rusty and my .bat scripting is hacky.

lutze

2 Answers


You should set up a domain.

  • Seriously. I wouldn't want to manage 3 Windows computers without a domain (Active Directory), let alone twelve.
  • If the brass wants to limit the access levels on certain directories, the only way to do so in a manageable fashion is with Active Directory, even for "only 12" machines/users.
  • Best option for you, personally, as well. "Managed a bunch of workgroup computers" is a pretty crap line in the resume. "Created, configured and managed a new Windows Active Directory domain for [company]" is a pretty good item on the resume, by contrast.

Assuming you can't set up a domain (and Server 2003), my preference would be for psexec, which is part of the SysInternals Suite to make the remote connections, and then the NET USER and NET GROUP commands to do the actual adding. This will allow you to make the changes without knocking people off their computers, like below.

  1. Download the SysInternals suite.
  2. Open up a command line (cmd.exe)
  3. Connect to the computer you want to make the changes on
    • psexec \\thecomputeryouwanttomakechangeson cmd
  4. Execute the NET USER or NET GROUP command desired.
HopelessN00b
  • +1, even though I answered the question as "without AD." At one point I had 30+ servers without AD, so I feel the OP's pain. – Katherine Villyard Feb 11 '14 at 21:45
  • @KatherineVillyard Yeah, I saw and gave you some upvote-love accordingly. Of course, the second part of my answer also includes information on how to do it without AD, but I wouldn't be able to respect myself in the morning if I didn't include the right way to do it first. :) – HopelessN00b Feb 11 '14 at 21:52
  • +1, I've been dealing with the AD question, and most of my lurking seemed to say that it wasn't worth the additional costs and overhead for a small office. Is there a lightweight way to deploy AD that I've missed? I'm assuming you would need the hardware for a DC and a backup DC, plus licensing. Thanks and good answer. – lutze Feb 11 '14 at 22:10
  • @lutze though you should avoid it if you can, the DC role can usually be on the same system providing other services. A basic file server usually doesn't have any problems with also being a DC, for example. If you are licensed correctly for Windows Server you should already be licensed for usage of a Domain. – Zoredache Feb 11 '14 at 22:20
  • @lutze as Zoredache beat me to saying, you can run a domain controller (and thus, have a domain) on any copy of Windows Server. Doing it right, however, with a dedicated server for a Domain Controller and a secondary DC to keep you out of hell if the first one fails, is where the additional costs come into play, and where a lot of smaller shops decide it's not worth the money. (Even though it might be, when you consider the cost of technical staff, but I digress.) – HopelessN00b Feb 11 '14 at 22:24

You can get the list of what users are currently in the Administrators group with:

net localgroup administrators > userlist.txt

You can then split the users from that output into tier1 and tier2 lists and loop through the lists.

$tier1file="c:\path\to\tier1users.txt" 
$tier2file="c:\path\to\tier2users.txt"

foreach ($user in get-content $tier1file)
{
    net localgroup administrators $user /del
    net localgroup tier1 $user /add
}

foreach ($user in get-content $tier2file)
{
    net localgroup administrators $user /del
    net localgroup tier2 $user /add
}

Or something like that.

If all machines are set up identically you could probably get fancier than that, but machines without AD are frequently not identical.

Katherine Villyard
  • I think the issue here isn't necessarily splitting out the users into groups, but making sure they have the necessary rights on the file server during this transition... which requires knowing where the users need access at that point and assigning the share/NTFS perms accordingly. But the OP could easily do this over a weekend with only 12 users to contend with. – TheCleaner Feb 11 '14 at 21:51
  • Fair enough. I was more focused on the "kick them out of administrators" part of the question. :) – Katherine Villyard Feb 11 '14 at 21:55
  • @TheCleaner For that matter, assigning NTFS permissions on a fileserver can be done during the day, without [unwanted] disruption. I do it all the time, and only get complaints when I make a mistake and accidentally deny access to the wrong location or users... but that's something that will cause problems regardless of whether you do it off-hours or not. The only part of the question where there's a worry of disrupting the users is logging into workstations to change group memberships, if you have to use the GUI on a client OS that won't handle concurrent RDP sessions. – HopelessN00b Feb 11 '14 at 22:37
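The loop in this answer does the job, but on a production file server the two things that go wrong are demoting the account you are logged in with and a typo in a tier file that leaves someone in no group at all. The script below is an added example, not the answer's own code: it is the same tier1/tier2 move with a dry-run switch, a protected-admin list and an add-before-remove order, followed by the NTFS lockdown of one directory that the comments above talk about. The tier file paths, the group names tier1/tier2, the folder D:\Shares\Management and the contents of $keepAdmins are placeholders you choose.

```powershell
# Added example (not the answer's own script): the same tier1/tier2 move with the
# safeguards you would want before running it on a production file server, then
# locking one directory to tier2 with icacls.
# Assumptions (all placeholders you choose): the tier file paths, the group names
# tier1/tier2, the restricted folder, and which admin accounts must never be demoted.
$tier1File  = 'C:\admin\tier1users.txt'
$tier2File  = 'C:\admin\tier2users.txt'
$restricted = 'D:\Shares\Management'
$keepAdmins = @('Administrator', $env:USERNAME)   # demoting these locks you out
$dryRun     = $true                               # print the plan first; set $false to apply

function Invoke-Net {
    # Runs net.exe (or only prints it in dry-run mode). Returns $true on success.
    # Error 1378 (already a member) and 1377 (not a member) are harmless here.
    param([string[]]$NetArgs)
    if ($dryRun) { Write-Host "DRYRUN: net $($NetArgs -join ' ')"; return $true }
    $out = & net.exe @NetArgs 2>&1
    return ($LASTEXITCODE -eq 0) -or ("$out" -match '\b137[78]\b')
}

function Test-NetObjectExists {
    # "net localgroup X" / "net user X" exit non-zero when X does not exist.
    param([string]$Kind, [string]$Name)
    $null = & net.exe $Kind $Name 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Move-UsersToTier {
    param([string]$File, [string]$Group)
    if (-not (Test-NetObjectExists 'localgroup' $Group)) {
        Invoke-Net @('localgroup', $Group, '/add') | Out-Null
    }
    foreach ($line in Get-Content $File) {
        $user = $line.Trim()
        if (-not $user) { continue }
        if ($keepAdmins -contains $user) { Write-Warning "Skipping $user (protected admin)"; continue }
        if (-not (Test-NetObjectExists 'user' $user)) { Write-Warning "Skipping $user (no such local account)"; continue }
        # Add to the tier group first, so the account is never left outside every group.
        if (Invoke-Net @('localgroup', $Group, $user, '/add')) {
            Invoke-Net @('localgroup', 'Administrators', $user, '/delete') | Out-Null
        } else {
            Write-Warning "Could not add $user to $Group; leaving its Administrators membership alone"
        }
    }
}

Move-UsersToTier $tier1File 'tier1'
Move-UsersToTier $tier2File 'tier2'

# Lock the restricted folder: /inheritance:r drops the inherited ACEs (usually where
# "Users: Read & execute" comes from), /grant:r then sets exactly admins, SYSTEM and
# tier2. /T walks subfolders, /C keeps going past files it cannot touch.
$aclArgs = @($restricted, '/inheritance:r', '/grant:r',
             'Administrators:(OI)(CI)F', 'SYSTEM:(OI)(CI)F', 'tier2:(OI)(CI)M', '/T', '/C')
if ($dryRun) { Write-Host "DRYRUN: icacls $($aclArgs -join ' ')" } else { & icacls.exe @aclArgs }
```

Run it once with $dryRun left at $true and read the printed plan; the two Test-NetObjectExists checks still execute in that mode because they only read. Before flipping the switch, save the current ACLs with icacls's /save option so the change can be rolled back, and remember that share permissions are evaluated on top of NTFS: if the folder is reached through a share, the share's own permissions still cap what tier2 can do, which is the share/NTFS split TheCleaner's comment refers to.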