RE: security policy 'not specified' option
From: Derick Anderson (danderson_at_vikus.com)
Date: 10/27/05
Date: Thu, 27 Oct 2005 09:32:11 -0400
To: <larobins@bellatlantic.net>, "matthew patton" <pattonme@yahoo.com>, <focus-ms@securityfocus.com>
[ convoluted GP parsing stuff snipped...]
> I know this all sounds really convoluted, and trust me, it's
> a lot easier if it's drawn on a whiteboard, but this is
> essentially how group policies are processed. There are
> nuances I didn't touch on such as permissions to read and
> apply group policy, but this has already gone on long enough. :-)
So technically there's the possibility that privileges may change during
the time between logon and whenever XP finishes processing the Group
Policy/Security Policy/Wallpaper Policy? Can I ctrl-alt-del and kill
whatever process is still parsing the policies?
Is loopback processing on by default?
> Last- RSoP (which is represented in a somewhat cleaner way as
> "Group Policy Results" and "Group Policy Planning" in GPMC)
> has NOTHING to do with how group policy is processed. All
> RSoP does is simulate the processing of group policy and show
> you what the end results either *are* based on what happened
> when user x in location y logged onto computer a in location
> b (resultant mode in RSoP or "Group Policy Results" in GPMC)
> or what they *would be* if you put user x in location y and
> they logged onto computer a in location b (planning mode in
> RSoP or "Group Policy Planning" in GPMC). RSoP does not
> change how group policy is actually processed regardless of
> whether you use it in planning mode or reporting mode.
> RSoP/GPMC planning/results are merely tools to allow an
> administrator to build scenarios (planning) or to
> troubleshoot where specific settings came from "results".
I wasn't implying that RSoP had anything to do with processing although
looking again I can see why you'd come to that conclusion. I only meant
that whatever the RSoP _happens to be_ gets applied, not that you can
change it _using_ RSoP.
> Laura
>
> P.S. I was asleep until just before I wrote this, so please
> forgive any typos or lack of clarity. :-)
I'm never really awake until 11am no matter when I get up.
Derick
> > -----Original Message-----
> > From: Derick Anderson [mailto:danderson@vikus.com]
> > Sent: Friday, October 21, 2005 7:58 AM
> > To: matthew patton; focus-ms@securityfocus.com
> > Subject: RE: security policy 'not specified' option
> >
> >
> >
> > > -----Original Message-----
> > > From: matthew patton [mailto:pattonme@yahoo.com]
> > > Sent: Thursday, October 20, 2005 4:57 PM
> > > To: focus-ms@securityfocus.com
> > > Subject: security policy 'not specified' option
> > >
> > > Some time back I used a security policy editor that had 3 options:
> > > enabled, disabled, and 'unset'. By not setting it either way, the
> > > machine inherited the domain settings. Unfortunately the standard
> > > system policy editors shipped with 2K/2K3/XP don't appear to have that
> > > 3rd option which means now I've got all kinds of machines running with
> > > who knows what setting and ignoring the domain policy. And once you've
> > > selected en/disabled via the radio box, there isn't a way to unset it.
> > > How do I dig myself out of this?
> > >
> > > I probably can play Registry Magic and accomplish what I need but I
> > > could have sworn I had a tool that would let me do what I used to be
> > > able to do.
> > >
> > > Any ideas?
> > >
> >
> > I use Microsoft's Group Policy Management Console (GPMC) so I can't
> > verify my recollection on the standard Windows 2003 Group Policy
> > editor, but as I recall, there are usually three
> > options: "enabled", "disabled", and "not defined". When you choose
> > "not defined", the local security policy looks up the Group Policy
> > chain by default (you can change it) in the following order:
> >
> > 1. Enforced Policies from top-level down
> > 2. Local OU GPOs
> > 3. Parent OU GPOs from the bottom-level up
> > 4. Microsoft defaults
> >
> > By default, the Resultant Set of Policy (RSoP) for the domain is
> > applied to the local computer. I don't know if you can turn this off
> > (and why?) but by default it works. I would advise getting the GPMC as
> > it makes the whole Group Policy process easier to understand and
> > implement.
> >
> > http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en
> >
> > If you think that the machines aren't getting the group policy (and
> > they are Windows XP/2003-based) you can run gpupdate /force to apply
> > the domain group policy and then check the event log to see if there
> > were any errors. Also you should run netdiag and dcdiag on your domain
> > controllers to make sure things are working happily.
> >
> > As a test, set the Computer Configuration -> Windows Settings
> > -> Security Settings -> Local Policies/Security Options -> Interactive
> > Logon: "Message text for users attempting to log on" to something and
> > then see if your domain computers start displaying the message.
> >
> > Derick Anderson
> >