Re: Security config and analysis on AD DC

From: Bob Williamson (Bwilliamson_at_Eisenhowerlaw.com)
Date: 06/25/03 

Date: Wed, 25 Jun 2003 08:24:41 -0700

So what you are stating is the Security and analysis tool WILL NOT make
changes at the AD level, but rather at the local level of the DC. That is
where it gets a bit confusing as a DC does not really have a "local level"
right? I guess a more appropriate statement would be that it does not have
local accounts and thus my confusion....

So, to review, The only way to mess with the DCs is to configure the GPO at
the OU level on a piece by piece basis. I was kind of hoping I could use
some of these templates to affect my OU.

OR

You are stating I should be able to import the inf files into a GPO? I will
take a look at that....

Thanks,
Bob

PS.....How are folks documenting their GPOs anyway? I have found a
spread*** with all of the settings on it, but there must be an easier
way.....

"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:u38Ka.12325$Ab2.28880@sccrnsc01...
> You can export your security settings [ machine or effective] into
a
> .inf template that you can use as sort of a backup. That option will
appear
> if you right click security settings. Keep in mind that any security
> settings that are defined at the domain or particularly the domain
> controller OU level, will override any local security settings. You may
want
> to consider not changing Local Security Policy on a domain controller, but
> instead create a new group policy for the domain controller OU and make
your
> changes to that new GPO. Put the new GPO above the Default Domain
Controller
> Policy so that it will take precedence. You can do individual changes to
the
> new GPO security settings or import a template. Then if you have problems,
> you can just delete or unlink the new GPO and your previous settings will
be
> back in a short period of time. You can of course still use Security
> Configuration and Analysis tool to view what your security settings are
> compared to a particular template. Beware that implementing the
> hisecuredc.inf template can cause a lot of issues, especially if there are
> downlevel NT4.0, W9X, and even XP computers in the domain. I highly
> recommend reading the free and recent Windows 2000 Security Hardening
Guide
> [search Google - link is long] before doing any changes. it includes
> specific recommendations on security settings for various domain
> environments and security goals. --- Steve
>
> "Bob Williamson" <Bwilliamson@Eisenhowerlaw.com> wrote in message
> news:eJbChxqODHA.3700@tk2msftngp13.phx.gbl...
> > I am preparing to use the Security config and analysis tool on my
network
> > and am concerned of messing things up......thus the following:
> >
> > 1. Is there a way to "backup" my current configuration in case things
go
> > south on me? I would hate to apply the templates to find out I really
> > messed things up. I understand that there is a "Setup Security"
template,
> > but that does not fit my current config...obviously I am missing
something
> > here as it can not be this hard.
> >
> > 2. When applying the template to a DC will these changes affect the
> changes
> > that I have already made in my GPO? I believe it will.....
> >
> > Any other suggestion or tips would be appreciated,
> > Bob
> >
> >
>
>

Loading