RE: group policy question

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 10/21/03

    To: "'David Y. Ng'" <dng@cmhsweb.org>, "'Jannie Hanekom'" <j_hanekom@hotmail.com>, <focus-ms@securityfocus.com>
    Date: Tue, 21 Oct 2003 09:43:56 -0400
    
    

    The responses given regarding using group policy filtering are correct for
    Windows 2000, whether or not you use loopback processing. Are the computers
    in question all in the same OU? If so, link a policy to that OU, remove
    Authenticated Users from the ACL and add the group of people in question to
    the ACL, granting them read and apply group policy permissions. Whether or
    not you use loopback is entirely dependent on which settings you want to
    implement.

    For Windows Server 2003, this type of scenario is much simpler as you can
    implement WMI filters on Group Policy, which would allow you to specify, for
    example, that a policy only apply if the user is a member of x group and the
    machine is y.

    WRT Win2K3, not only have I been using Windows Server 2003 in production
    environments since before it was released, but I'm working on a twenty
    million dollar project right now that is entirely Win2K3 based, so I'd say
    that you don't have to wait for a service pack before you touch 2003.

    Last, WMI filtering only applies to XP and 2003 machines, so if you don't
    have XP clients, even implementing 2003 AD wouldn't help you much for this
    particular purpose.

    :-)

    Laura

    > -----Original Message-----
    > From: David Y. Ng [mailto:dng@cmhsweb.org]
    > Sent: Monday, October 20, 2003 4:34 PM
    > To: Jannie Hanekom; focus-ms@securityfocus.com
    > Subject: Re: group policy question
    >
    >
    > First, thanks to Jannie and all those who replied.
    >
    > >Now comes the tricky part - you will have to create a group of users
    > >which should NOT receive the setting. Add this group to the ACL for
    > >the GPO above, and set the tickbox to deny "Apply Group Policy". Since
    > >deny takes precedence over allow, it is not possible to deny "Apply
    > >Group Policy" to Authenticated Users, as this will override the setting
    > >for the computer account as well, causing the computer to overlook the
    > >policy during application and therefore not apply the Loopback portion
    > >of it when a user logs on.
    > >
    > >
    > The server that I would like to have those special GP for special users
    > is a Terminal Server. The only people allowed to log in to that TS belong
    > to a special group, so Apply Group Policy on that special group should do
    > the trick. (Authenticated users unchecked)
    >
    > But is there a quick way to do what you mentioned in that
    > paragraph above? Something like an ALL users except .........
    >
    > Someone on the list also told me that Windows Server 2003 can
    > do this more efficiently. I have a Windows 2003 license but I
    > opted to install the 2000 version mainly because most new releases
    > from MS have lots of bugs to begin with. I could be wrong with this
    > release though.
    >
    >
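
Added example, not part of the original thread: a small Python model of the security-filtering rules discussed above (deny overrides allow, and computer accounts are Authenticated Users too). It assumes the loopback setting lives in the same GPO; the group and computer names (TS-Users, NoPolicyUsers, Staff, TS01$) are constructed for illustration.

```python
# Simplified model of GPO security filtering. Not Microsoft code; the ACLs
# and principal names below are constructed sample data.
AUTH_USERS = "Authenticated Users"
RA = {"read", "apply"}          # "Read" and "Apply Group Policy"

def can_apply(acl, principal_groups):
    """A principal processes a GPO only if it is allowed both rights
    and no ACE that matches it denies either of them."""
    # Every authenticated user AND every computer account matches this group.
    sids = set(principal_groups) | {AUTH_USERS}
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee in sids:
            (denied if kind == "deny" else allowed).update(rights)
    return RA <= allowed and not (RA & denied)   # deny wins over allow

def user_gets_loopback_settings(acl, user_groups, computer_groups):
    """Loopback is a computer-side setting: the computer must process the
    GPO first, then the user's own access decides the user settings."""
    return can_apply(acl, computer_groups) and can_apply(acl, user_groups)

# "All users except": allow Authenticated Users, deny one exclusion group.
ALL_EXCEPT = [(AUTH_USERS, "allow", RA),
              ("NoPolicyUsers", "deny", {"apply"})]

# The pitfall from the quoted paragraph: deny on Authenticated Users also
# hits the computer account, so loopback is never processed.
DENY_AUTH = [(AUTH_USERS, "allow", RA),
             (AUTH_USERS, "deny", {"apply"}),
             ("TS-Users", "allow", RA)]

# Allow-list filtering: Authenticated Users removed, one group added.
# The computer account is added here (assumption of this model) so the
# loopback setting in the same GPO is still processed.
ALLOW_LIST = [("TS-Users", "allow", RA),
              ("TS01$", "allow", RA)]

if __name__ == "__main__":
    for name, acl in [("all-except", ALL_EXCEPT), ("deny-auth", DENY_AUTH),
                      ("allow-list", ALLOW_LIST)]:
        for user in ("TS-Users", "Staff", "NoPolicyUsers"):
            result = user_gets_loopback_settings(acl, {user}, {"TS01$"})
            print(f"{name:11} user in {user:14} -> applies: {result}")
```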
