Restricting Local Administrators using ZENworks Configuration Management

0 Likes
over 11 years ago
With ZENworks Configuration Management scripting actions you can specify a vbs, python, perl or bat script to be dynamically created and run. Using this feature you can leverage scripts from any systems management community and leverage ZENworks Configuration Management as the delivery and enforcement method.

To configure a script bundle (see documentation for more details) Simply configure a directive bundle with a run script action in the Launch section. In order for the script to run a scripting engine needs to be defined, for this bundle I have chosen the windows scripting host wscript.exe, however any scripting engine can be used. In addition scripts can be either defined on the workstation, uploaded from the administration workstation or created from withing the ZENworks Control Center, for this bundle I have chosen to create the script in ZCC (see pic below).

runscript_0.jpg

Within the Script Content section enter the following script. After creating the script bundle associate it to launch on refresh, this will consistently enforce that the local administrators only have accounts specified in the Permited Administrators List Array (see below)

'** Define Variables
Dim PermittedAdmins' As Array

'** Define Permited Administrators List
PermittedAdmins = Array("Administrator", "tempadmin", "Domain Admins") '<--- Add to this Array any additional permited admins

'** Get Local Administrator Group
Set AdminGroup = GetObject("WinNT://./Administrators, Group")

'** Search for Invalid Members & Remove Them
For Each GroupMember in AdminGroup.Members

Debug.WriteLine GroupMember.Name, GroupMember.Class, IsPermitedAdmin(GroupMember.Name)

If Not IsPermitedAdmin(GroupMember.Name) Then
AdminGroup.Remove GroupMember.ADsPath
End If
Next

'** Functions *****************************************************************
Function IsPermitedAdmin(MemberName)' As Boolean
Dim i' As Long

For i = LBound(PermittedAdmins) To UBound(PermittedAdmins)
If UCase(MemberName) = UCase(PermittedAdmins(i)) Then
IsPermitedAdmin = True
Exit Function
End If
Next

IsPermitedAdmin = False
End Function



I have included the bundle in an exported xml format. To import this bundle simply copy the xml file to the server and run the import command (ex. zman bc "Restrict Local Admin" restrictlocaladmin.xml /Buncles/Security)

Labels:

How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended