I am looking to write a compliance rule that can add an Active Directory group to a local group on a machine. For example, adding our IT security group into the local Administrators group on select machines.
Any help with this would be greatly appreciated.
DK
I am not sure if I understand your requirement. Compliance rules are created for assessment of a state of machine and not for enforcements such as making AD group to be part of local Administrators group.
You should probably look into VCM 'Console' slider and then navigate to Windows | Security | Local Groups and edit the groups to reflect what you want.
You can also create a compliance rule on Local Group data class to check if a particular member is part of a group.
Please let me know if I understood your requirement correctly.
A large compliance area for us is to make sure certain groups are or are not in the local Administrators group on servers. I am really hoping to stick to a compliance rule to check if a certain user or group is within the local admins group.
Can you explain the Local Group data class area?
Thanks so much
The Groups Members data class is not enforceable, so the only thing you can do currently is check membership with a compliance rule.
To check presence or absence of a member in a group, use the Groups Members data class, and create a conditional rule with the group Name and the Member name in the top part of the rule (ANDed together), and Must Exist or Must Not Exist for the existence check, as appropriate. Leave the bottom part blank.
Thanks for the reply, but wouldn't that just check to see if both the group and the member are present or not, and not if the certain member was in the group?
Nope. This is the way it works. If it were a Basic rule, then you would be correct, but then you couldn't specify Must Exist or Must Not Exist.
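The same Must Exist / Must Not Exist membership check, written as a PowerShell function so it can be run on a server outside VCM to confirm what the compliance rule should report. This is an added example and not code from the thread or from VCM; it assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, and the group and member names ('Administrators', 'DOMAIN\Server Ops') are placeholders taken from the thread.

```powershell
# Added example (not from the thread or from VCM): evaluates a local group
# membership expectation the way the conditional compliance rule does.
function Test-LocalGroupMember {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        # Member name as it appears in the group, e.g. 'DOMAIN\Server Ops' (placeholder)
        [Parameter(Mandatory)] [string] $Member,
        [ValidateSet('MustExist', 'MustNotExist')] [string] $Expectation = 'MustExist'
    )

    # Direct members of the local group; domain principals are reported as 'DOMAIN\Account'.
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop

    # Case-insensitive exact match on the full name, so 'DOMAIN\Server Ops'
    # does not accidentally match 'DOMAIN\Server Ops Readers'.
    $present = [bool]($members | Where-Object { $_.Name -ieq $Member })

    $compliant = if ($Expectation -eq 'MustExist') { $present } else { -not $present }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Group       = $GroupName
        Member      = $Member
        Expectation = $Expectation
        Present     = $present
        Compliant   = $compliant
    }
}

# Checks mirroring the thread (names are placeholders):
# the operations group must be a local admin, a broad group must not be.
Test-LocalGroupMember -GroupName 'Administrators' -Member 'DOMAIN\Server Ops'    -Expectation MustExist
Test-LocalGroupMember -GroupName 'Administrators' -Member 'DOMAIN\Domain Users'  -Expectation MustNotExist
```

Two caveats when comparing its output with the VCM rule: the function only inspects direct members of the local group, so an account that is a local admin through a nested AD group is not reported as present, and `Get-LocalGroupMember` is known to throw on groups that contain orphaned SIDs (deleted domain accounts), which is why the function stops with an error rather than silently reporting the member as absent.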
This was a huge help to me, Thanks. Really wish the compliance rules allowed you to mix Data Types. Being able to disable any local account that didn't follow a correct format would be huge.
So I created the rule like so. Again, I am needing the 'Server Ops' security group to be located in the local Administrators group. I've tried the rule and it continues to fail. I also tried 'Member' = 'Built-in/Administrators' and it still seems to fail. Am I missing something?
The name refers to the name of the group, so the first line is correct, but you need to change the second one to Member which refers to the members of the group. It would look like this, "Member LIKE %Server Ops%". I'm guessing Server Ops is an AD security group, so you could also do "Members = DOMAIN\Server Ops". Usually best to select by hitting the 3 dots and choosing from the available groups to ensure you don't typo and you've selected the correct attribute.
So what finally worked was NAME = 'Administrators' and MEMBER = 'DOMAIN\Server ops'. Works perfectly!
Thanks so much for your help!