
How to Implement Restricted Groups in Windows NT

By Marcin Policht (Send Email)
Posted Mar 24, 2003


Windows 2000 offers a feature called Restricted Groups, applied via Security Settings in Group Policies, which allows you to control group membership, i.e. restrict it to specific user accounts (and, in addition, restrict the group's membership in other groups). Unfortunately, this feature is not available in Windows NT 4.0. However, with some extra scripting, run periodically through the native Windows NT Schedule service, you can get closer to controlling the membership of groups that are highly sensitive from a security standpoint (e.g. Domain Admins in your account domain).

You will need to create a list of the user accounts which are supposed to be included in the restricted group. I called this file RestrictedList.txt (the name the script below expects) and typed one account per line.

In this script, I'm using VBScript with Windows Script Host and ADSI. The script uses ADSI to read the list of current user accounts in the monitored group, which means that the NT machine on which the script runs will need to have ADSI installed. For the installation files, check http://www.microsoft.com/ntserver/nts/downloads/other/adsi25/. You'll also need WSH, downloadable from http://msdn.microsoft.com/library/default.asp?url=/downloads/list/webdev.asp

The script reads the content of the file RestrictedList.txt, which contains the list of users which are supposed to be included in the restricted group. This list is compared to the actual group membership, retrieved via the ADSI GetObject call.
In case of a discrepancy between the two, the accounts that are not on the list are removed using the ADSI Remove method, and this fact is logged in a text file with a timestamp.

This is a trimmed version of the script, without error checking, so make sure all your files are in place.

On Error Resume Next                    ' trimmed version: run-time errors are ignored
Const FOR_READING = 1
Const FOR_WRITING = 2
Const FOR_APPENDING = 8

DomainString = "MyDomainName"           ' your domain name here
GroupString = "Restricted Group"        ' name of the restricted group
RLFileName = "RestrictedList.txt"       ' file containing the restricted group user list
RemFileName = "RemList.txt"             ' log of users removed from the restricted group
strList = ""

Set FSO = CreateObject("Scripting.FileSystemObject")
' Fail closed: opening a missing list file with the "create" flag would yield an
' empty list and every member of the group would be removed.
If Not FSO.FileExists(RLFileName) Then WScript.Quit 1

' Get the Group object for the restricted group from your domain
Set GroupObj = GetObject("WinNT://" & DomainString & "/" & GroupString)
Set WSHShell = CreateObject("WScript.Shell")

For Each UserObj In GroupObj.Members
    Found = 0
    ' The list is re-read for each member; names are compared case-insensitively
    Set RLFile = FSO.OpenTextFile(RLFileName, FOR_READING)
    Do While (Found = 0) And (Not RLFile.AtEndOfStream)
        strLine = RLFile.ReadLine
        If StrComp(strLine, UserObj.Name, vbTextCompare) = 0 Then
            Found = 1
        End If
    Loop
    RLFile.Close
    If Found = 0 Then
        ' The account is not on the list: remove it from the group and record it
        strList = strList & UserObj.Name & vbNewLine
        GroupObj.Remove "WinNT://" & DomainString & "/" & UserObj.Name
    End If
Next

' Open the log file, creating it on first use
If FSO.FileExists(RemFileName) Then
    Set RemFile = FSO.OpenTextFile(RemFileName, FOR_APPENDING, True)
Else
    Set RemFile = FSO.CreateTextFile(RemFileName, True)
End If
If strList <> "" Then
    ' Write a timestamp and the list of removed users to the log file
    RemFile.Write CStr(Now) & vbNewLine
    RemFile.Write strList
    RemFile.WriteBlankLines 1
End If

' Cleanup
RemFile.Close
Set RLFile = Nothing
Set GroupObj = Nothing
Set RemFile = Nothing
Set FSO = Nothing
Set WSHShell = Nothing
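The article's script only removes extra members. Windows 2000 Restricted Groups enforce the list in both directions, so here is an added example (my own code, not the article's) that also re-adds listed accounts that have gone missing and logs each change individually. It assumes the same RestrictedList.txt format and domain/group names as above, and that every listed account is a user in that same domain.

```vbscript
' Added example: enforce RestrictedList.txt exactly (remove extras, re-add missing).
Option Explicit
Const FOR_READING = 1
Const FOR_APPENDING = 8
Const DOMAIN_NAME = "MyDomainName"        ' assumption: your account domain
Const GROUP_NAME  = "Restricted Group"    ' group whose membership is enforced
Const LIST_FILE   = "RestrictedList.txt"  ' one account name per line
Const LOG_FILE    = "RemList.txt"         ' change log, appended to

Dim FSO, ListFile, LogFile, Wanted, Actual, GroupObj, Member, Line, Acct
Set FSO = CreateObject("Scripting.FileSystemObject")

' Fail closed: a missing list must never be treated as "nobody is allowed".
If Not FSO.FileExists(LIST_FILE) Then WScript.Quit 1

' Load the allowed accounts into a case-insensitive dictionary.
Set Wanted = CreateObject("Scripting.Dictionary")
Wanted.CompareMode = vbTextCompare
Set ListFile = FSO.OpenTextFile(LIST_FILE, FOR_READING)
Do Until ListFile.AtEndOfStream
    Line = Trim(ListFile.ReadLine)
    If Line <> "" Then Wanted(Line) = True
Loop
ListFile.Close

Set LogFile = FSO.OpenTextFile(LOG_FILE, FOR_APPENDING, True)
Set GroupObj = GetObject("WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME & ",group")

' Pass 1: record current members; remove anything not on the list.
' Nested groups show up as members too (Class = "Group") and are removed alike.
Set Actual = CreateObject("Scripting.Dictionary")
Actual.CompareMode = vbTextCompare
For Each Member In GroupObj.Members
    Actual(Member.Name) = True
    If Not Wanted.Exists(Member.Name) Then
        GroupObj.Remove Member.ADsPath
        LogFile.WriteLine Now & " REMOVED " & Member.Class & " " & Member.ADsPath
    End If
Next

' Pass 2: re-add any listed account that is no longer a member.
' Assumption: listed names are user accounts in DOMAIN_NAME.
For Each Acct In Wanted.Keys
    If Not Actual.Exists(Acct) Then
        GroupObj.Add "WinNT://" & DOMAIN_NAME & "/" & Acct & ",user"
        LogFile.WriteLine Now & " ADDED   user " & Acct
    End If
Next
LogFile.Close
```

Run it with cscript.exe from a Schedule service job under an account that can modify the group; because there is no On Error Resume Next, a failed ADSI call stops the script with the error visible in the job output rather than silently continuing.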
