Re: ftp non-anonymous help - logon locally overriden by effective policy setting at domain level
From: x y (jamescagney90210@excite.com)
Date: 05/16/02
- Next message: ObiWan: "Re: Implementing SOCKS with MSProxy 2"
- Previous message: stephen: "401.3 Unauthorized: Logon Failed"
- In reply to: Jeff Briar-Hill: "ftp non-anonymous help - logon locally overriden by effective policy setting at domain level"
- Next in thread: Jeff Briar-Hill: "Re: ftp non-anonymous help - logon locally overriden by effective policy setting at domain level"
- Reply: Jeff Briar-Hill: "Re: ftp non-anonymous help - logon locally overriden by effective policy setting at domain level"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y" <jamescagney90210@excite.com> Date: Thu, 16 May 2002 00:15:33 -0400
Local policy cannot take precedence over a group policy. I believe you can
save and import the local policy from that machine and make it the group
policy for the web server either by putting the web server into its own OU
or by changing the permissions on the template so that only the web server
has permissions to read the web server policy. I believe you could also
change the permissions on the relevant domain policies so that the web
server does not have permissions to read the default domain policy... then
the local policy would stay in effect. Permissions on the domain group
policies are done in the Active Directory Users and Computers MMC by
right-clicking the relevant OU.
OR, you can consider unjoining your web server from the domain, which is not
a bad idea security-wise unless you have specific authentication needs that
make this difficult.
"Jeff Briar-Hill" <jeff_briarhill_2000@yahoo.com> wrote in message
news:6d77bc9.0205151937.3fbcc683@posting.google.com...
> config: i have a two server configuration for a secure website using
> iis5 on one and ad on the other server.
>
> i would like to create an ftp site that is as secure as possible. to
> accomplish this i created a local account on the webserver per this
> instruction:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/maintain/optimize/custom.asp
>
> "To simplify administration of Windows 2000 accounts used for FTP
> access, our company created a local Windows 2000 group called FTP
> Admins. We then granted this group the right to log on locally. As we
> create new Windows 2000 accounts for nonanonymous FTP access, we add
> each user account to this group. They now have appropriate rights, and
> we can track all the FTP accounts as a single administrative entity."
>
> problem: the domain security policy overrides the local web server
> policy for log-on locally. i have tried new group policy settings for
> the domain that don't override or define the logon locally policy,
> defining it locally and secedit /refreshpolicy... etc. all with no
> luck. does anyone know how to allow a local policy to override the
> effective setting from a domain controller?
>
> help appreciated,
>
> jeff
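
One way to check which accounts actually hold the "log on locally" right (SeInteractiveLogonRight) once policy has applied, as an added example that is not part of the original thread. The function name, the sample template text and the SIDs in it are constructed for illustration.

```powershell
# Added example: list who holds "log on locally" (SeInteractiveLogonRight) in a
# security-template export. Function name and sample data are constructed.
function Get-UserRightHolder {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,
        [string] $Right = 'SeInteractiveLogonRight'
    )
    $inRights = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # User rights live only in the [Privilege Rights] section.
            $inRights = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inRights -and $text -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # Value is a comma list; SIDs carry a leading '*', account names do not.
            return @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # right not defined in this export
}

# Constructed sample: a domain policy has replaced the list, so the SID of the
# local FTP group is absent from SeInteractiveLogonRight.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'

$ftpGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1005'   # constructed
$holders = Get-UserRightHolder -InfLines $sample
if ($holders -contains $ftpGroupSid) {
    'FTP group holds log on locally'
} else {
    "FTP group missing; right is held by: $($holders -join ', ')"
}

# On a live server (elevated prompt), export the machine's current user rights instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Get-UserRightHolder -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Running the export before and after a policy refresh shows whether the domain-level setting has replaced the locally defined list.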