Cool Solutions

Restricting Local Administrators using ZENworks Configuration Management


April 7, 2010 3:07 pm





With ZENworks Configuration Management scripting actions you can specify a vbs, python, perl or bat script to be dynamically created and run. Using this feature you can leverage scripts from any systems management community and leverage ZENworks Configuration Management as the delivery and enforcement method.

To configure a script bundle (see documentation for more details) Simply configure a directive bundle with a run script action in the Launch section. In order for the script to run a scripting engine needs to be defined, for this bundle I have chosen the windows scripting host wscript.exe, however any scripting engine can be used. In addition scripts can be either defined on the workstation, uploaded from the administration workstation or created from withing the ZENworks Control Center, for this bundle I have chosen to create the script in ZCC (see pic below).


Within the Script Content section enter the following script. After creating the script bundle associate it to launch on refresh, this will consistently enforce that the local administrators only have accounts specified in the Permited Administrators List Array (see below)

'** Define Variables
    Dim PermittedAdmins' As Array
'** Define Permited Administrators List
    PermittedAdmins = Array("Administrator", "tempadmin", "Domain Admins") '<--- Add to this Array any additional permited admins

'** Get Local Administrator Group
    Set AdminGroup = GetObject("WinNT://./Administrators, Group")

'** Search for Invalid Members & Remove Them
    For Each GroupMember in AdminGroup.Members
        Debug.WriteLine GroupMember.Name, GroupMember.Class, IsPermitedAdmin(GroupMember.Name)
        If Not IsPermitedAdmin(GroupMember.Name) Then
            AdminGroup.Remove GroupMember.ADsPath
        End If

'** Functions *****************************************************************
    Function IsPermitedAdmin(MemberName)' As Boolean
        Dim i' As Long
        For i = LBound(PermittedAdmins) To UBound(PermittedAdmins)
            If UCase(MemberName) = UCase(PermittedAdmins(i)) Then
                IsPermitedAdmin = True
                Exit Function
            End If
        IsPermitedAdmin = False
    End Function

I have included the bundle in an exported xml format. To import this bundle simply copy the xml file to the server and run the import command (ex. zman bc "Restrict Local Admin" restrictlocaladmin.xml /Buncles/Security)

1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5 (1 votes, average: 5.00 out of 5)
You need to be a registered member to rate this post.

Categories: Technical, ZENworks


Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.