I added a Restricted Groups setting to my Desktops OU, which adds the "Local Admins" security group to the local Administrators group on the workstations in that OU. The problem is that after this GPO applies, ordinary user accounts can RDP "into the domain controller". I have confirmed that this is the problematic GPO, and there are no other settings in it; its sole purpose is to apply one Restricted Group.
The group is indeed applied to the workstations and, apart from this problem, works fine. Even running gpresult /z on the DC does not mention this GPO anywhere, but on the workstation it does.
The "Desktops" OU contains the "Local Admins" GPO. The domain controllers are in the "Domain Controllers" OU.
"gpresult /scope computer /r" from the workstation:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2016 Microsoft Corporation. All rights reserved.
Created on 04/30/2016 at 1:29:28 PM
RSOP data for DOMAIN\John.Doe on WORKSTATION : Logging Mode
-----------------------------------------------------------------
OS Configuration: Member Workstation
OS Version: 10.0.10586
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\John.Doe
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=WORKSTATION,OU=Mobile-Devices,DC=DOMAIN,DC=info
Last time Group Policy was applied: 04/30/2016 at 12:07:55 PM
Group Policy was applied from: DOMAINCONTROLLER.DOMAIN.info
Group Policy slow link threshold: 500 kbps
Domain Name: DOMAIN
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
Computer GPO
Local Admin GPO
Remote Management
PSTools
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
WORKSTATION$
Domain Computers
Authentication authority asserted identity
System Mandatory Level
"gpresult /scope computer /r" from the DC:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2012 Microsoft Corporation. All rights reserved.
Created on 4/30/2016 at 1:22:52 PM
RSOP data for DOMAIN\John.Doe on DOMAINCONTROLLER : Logging Mode
----------------------------------------------------------------
OS Configuration: Primary Domain Controller
OS Version: 6.2.9200
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\John.Doe
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=DOMAINCONTROLLER,OU=Domain Controllers,DC=DOMAIN,DC=info
Last time Group Policy was applied: 4/30/2016 at 1:20:57 PM
Group Policy was applied from: DOMAINCONTROLLER.DOMAIN.info
Group Policy slow link threshold: 500 kbps
Domain Name: DOMAIN
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
Certificate Service DCOM Access
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
DOMAINCONTROLLER$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
Denied RODC Password Replication Group
RAS and IAS Servers
Cert Publishers
System Mandatory Level
Answer 1
Your Restricted Groups setting shows that the Local Admins group is a member of the "Administrators" group, which is a domain group. If you want them to be members of the local Administrators group, you need to configure the "Members of this group" setting as "BUILTIN\Administrators".
Answer 2
@Sentator14 is on the right track, but not quite there.
Your problem is that there is no such thing as a local Administrators group on a domain controller. When a DC is promoted, the local SAM database goes away and AD becomes the sole source of users and groups. So by configuring Group Policy to add a group to the Administrators group on a DC, you are actually adding it to the domain group called Administrators. It is not the same as the actual Domain Admins group, but as you have discovered, it is still critical and quite highly privileged.
You need to configure the GPO so that it does not apply to DCs, by changing inheritance or using something like WMI filtering.
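As an added example (not part of the question or either answer), the following PowerShell script checks the three things the answers hinge on: what the Restricted Groups entry in the GPO actually says, whether the GPO reaches the Domain Controllers OU through inheritance, and whether the domain Administrators group (the group a DC modifies when a Restricted Groups entry targets "Administrators") has picked up unexpected members. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the GPO is named "Local Admin GPO" and the OU is "OU=Domain Controllers,DC=DOMAIN,DC=info" as in the gpresult output above, and that the expected-members list matches your environment; adjust those values before running it.

```powershell
# Added example, not from the original post. Assumptions: RSAT GroupPolicy and
# ActiveDirectory modules are available, the GPO name and OU DN below match the
# environment in the question, and $expected lists the members you consider legitimate.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Local Admin GPO'                                  # assumed, from gpresult above
$DcOu    = 'OU=Domain Controllers,DC=DOMAIN,DC=info'         # assumed, from gpresult above
$Domain  = (Get-ADDomain).DNSRoot

# 1. Read the Restricted Groups entry straight from the GPO's GptTmpl.inf in SYSVOL.
#    Entries live in the [Group Membership] section as
#      <group>__Memberof = <groups this group is added to>
#      <group>__Members  = <accounts enforced as this group's members>
#    Well-known groups appear as SIDs; BUILTIN\Administrators is *S-1-5-32-544.
#    A "__Memberof = *S-1-5-32-544" line for DOMAIN\Local Admins is exactly the
#    setting that, on a DC, lands in the domain Administrators group.
$gpo = Get-GPO -Name $GpoName
$inf = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
"Restricted Groups entries in '$GpoName':"
$inSection = $false
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
    if ($inSection -and $line -match '^(?<group>.+?)__(?<kind>Memberof|Members)\s*=\s*(?<value>.*)$') {
        '  {0,-40} {1,-9} {2}' -f $Matches['group'], $Matches['kind'], $Matches['value']
    }
}

# 2. Does the GPO reach the Domain Controllers OU via inheritance?
#    Get-GPInheritance lists links inherited from parent containers (e.g. the domain root).
$inh = Get-GPInheritance -Target $DcOu
$reaching = @($inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $GpoName })
if ($reaching.Count -gt 0) {
    foreach ($link in $reaching) {
        "'$($link.DisplayName)' is linked at $($link.Target) and is inherited by $DcOu (Enforced=$($link.Enforced))"
    }
} else {
    "'$GpoName' does not reach $DcOu through inheritance (inheritance blocked: $($inh.GpoInheritanceBlocked))"
}

# 3. Audit the domain Administrators group, which is what a Restricted Groups
#    entry targeting "Administrators" modifies on a DC (no local SAM exists there).
$expected = @('Administrator', 'Domain Admins', 'Enterprise Admins')   # assumed baseline
$unexpected = Get-ADGroupMember -Identity 'S-1-5-32-544' |
    Where-Object { $_.Name -notin $expected }
foreach ($m in $unexpected) {
    "Unexpected member of BUILTIN\Administrators: $($m.SamAccountName) ($($m.objectClass))"
}

# 4. Mitigation, as the answer describes: keep the GPO away from DCs.
#    Option A: block inheritance on the Domain Controllers OU (also blocks every other
#    inherited GPO, so re-link what DCs still need):
#      Set-GPInheritance -Target $DcOu -IsBlocked Yes
#    Option B: link the GPO only to the Desktops OU instead of a parent container.
#    Option C: attach a WMI filter that matches workstations only, e.g.
#      SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1
#    (ProductType 1 = workstation, 2 = domain controller, 3 = member server).
#    Until the GPO stops applying, Restricted Groups will re-add any member you remove.
```

Run it from an elevated PowerShell session with RSAT on a management host; the first two sections are read-only, and the mitigation commands are left commented so the script only reports until you have chosen how to rescope the GPO.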