Novell Cool Solutions

Restricting Local Administrators using ZENworks Configuration Management



By:

April 7, 2010 3:07 pm


With ZENworks Configuration Management scripting actions, you can specify a VBScript, Python, Perl or batch script to be dynamically created and run. This lets you take scripts from any systems management community and use ZENworks Configuration Management as the delivery and enforcement method.

To configure a script bundle (see the documentation for more details), create a directive bundle with a Run Script action in the Launch section. A scripting engine must be defined for the script to run; for this bundle I have chosen the Windows Script Host, wscript.exe, but any scripting engine can be used. Scripts can be defined on the workstation, uploaded from the administration workstation, or created from within the ZENworks Control Center; for this bundle I have chosen to create the script in ZCC (see pic below).

[Image: runscript_0.jpg]

Within the Script Content section, enter the following script. After creating the script bundle, associate it to launch on refresh. This will consistently enforce that the local Administrators group contains only the accounts specified in the Permitted Administrators List array (see below).

'** Define Variables
    Dim PermittedAdmins ' As Array
    Dim AdminGroup, GroupMember

'** Define Permitted Administrators List
    PermittedAdmins = Array("Administrator", "tempadmin", "Domain Admins") '<--- Add any additional permitted admins to this Array

'** Get Local Administrators Group
    Set AdminGroup = GetObject("WinNT://./Administrators,group")

'** Search for Invalid Members & Remove Them
'   Only the bare account name is compared: GroupMember.Name carries no
'   domain or computer prefix, GroupMember.ADsPath does.
    For Each GroupMember In AdminGroup.Members

        ' Debug output goes to a script debugger, if one is attached
        Debug.WriteLine GroupMember.Name, GroupMember.Class, IsPermittedAdmin(GroupMember.Name)

        If Not IsPermittedAdmin(GroupMember.Name) Then
            AdminGroup.Remove GroupMember.ADsPath
        End If
    Next

'** Functions *****************************************************************
    ' Returns True when MemberName matches an entry in PermittedAdmins (case-insensitive)
    Function IsPermittedAdmin(MemberName) ' As Boolean
        Dim i ' As Long

        For i = LBound(PermittedAdmins) To UBound(PermittedAdmins)
            If UCase(MemberName) = UCase(PermittedAdmins(i)) Then
                IsPermittedAdmin = True
                Exit Function
            End If
        Next

        IsPermittedAdmin = False
    End Function
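
As an added example (not part of the original article or of ZENworks), the Python code below runs the script's allow-list decision as a dry run over member ADsPaths and contrasts the script's bare-name comparison with a scope-qualified one, so the removal list can be reviewed before the bundle enforces it. The function names, the `SCOPE\name` entry format and every sample path, domain and host name are assumptions made for the illustration.

```python
# Added example: dry-run planner for the allow-list, run over member ADsPaths.
# Every path, domain and host name below is constructed sample data.
PREFIX = "WinNT://"

def qualify(adspath):
    """Map a WinNT ADsPath to a lower-cased (scope, name) pair.
    WinNT://DOMAIN/name      -> (domain, name)   domain principal
    WinNT://DOMAIN/HOST/name -> (host, name)     local account on HOST
    WinNT://S-1-5-21-...     -> ("", sid)        SID that no longer resolves
    """
    if not adspath.startswith(PREFIX):
        raise ValueError("not a WinNT ADsPath: %r" % adspath)
    parts = [p for p in adspath[len(PREFIX):].split("/") if p]
    if not parts:
        raise ValueError("empty ADsPath: %r" % adspath)
    scope = parts[-2] if len(parts) > 1 else ""
    return scope.lower(), parts[-1].lower()

def plan_by_name(member_paths, permitted_names):
    """The page's rule: keep a member if its bare name is on the list."""
    names = {n.lower() for n in permitted_names}
    keep = [p for p in member_paths if qualify(p)[1] in names]
    return keep, [p for p in member_paths if p not in keep]

def plan_qualified(member_paths, permitted, host):
    """Stricter rule: entries are 'SCOPE\\name'; scope '.' means this host."""
    allowed = set()
    for entry in permitted:
        scope, sep, name = entry.rpartition("\\")
        if not sep:
            raise ValueError("entry needs a scope: %r" % entry)
        allowed.add(((host if scope == "." else scope).lower(), name.lower()))
    keep = [p for p in member_paths if qualify(p) in allowed]
    return keep, [p for p in member_paths if p not in keep]

MEMBERS = [  # constructed membership of one host, PC01 in domain CORP
    "WinNT://CORP/PC01/Administrator",
    "WinNT://CORP/PC01/tempadmin",
    "WinNT://CORP/Domain Admins",
    "WinNT://OTHERDOM/tempadmin",  # same bare name, different domain
    "WinNT://CORP/jsmith",
    "WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105",
]

if __name__ == "__main__":
    print(plan_by_name(MEMBERS, ["Administrator", "tempadmin", "Domain Admins"])[1])
    print(plan_qualified(MEMBERS, [".\\Administrator", ".\\tempadmin",
                                   "CORP\\Domain Admins"], "PC01")[1])
```

With the sample data, the bare-name rule keeps the `tempadmin` account from the second domain, while the scope-qualified rule lists it for removal along with the unresolved SID.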
 
 

I have included the bundle in an exported XML format. To import this bundle, copy the XML file to the server and run the import command (e.g. zman bc "Restrict Local Admin" restrictlocaladmin.xml /Bundles/Security).


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.
