Re: Applying Custom Security Templates with GPOs

From: cswarr (anonymous_at_discussions.microsoft.com)
Date: 01/27/04


Date: Tue, 27 Jan 2004 12:43:37 -0800

The template (and, therefore, policy) is not being
applied. I ran Sec Config and Analysis and the computer
settings don't match the Database settings. I'm guessing
it's some GP application problem. I enforced the policy
yesterday, rebooted one of the machines that should have
the policy applied to it, and executed
secedit /refreshpolicy machine_policy, but no luck. The
OU that these machines are in is blocking inheritance, but
I applied the GPO with the template on the OU itself and
enforced it. I also made sure it has higher precedence
and that the computer objects have the proper security
privliges to apply the GPO (read and Apply GP). Not sure
what else to do....

>-----Original Message-----
>Verify that the import worked by checking the actual
settings by using
>"edit" or looking at the "settings" for the GPO using
GPMC. Make sure the
>servers reside in a container within the scope on
influence of the GPO - for
>example if this GPO was configured for an Organizational
Unit, then the
>servers need to reside in that OU or possibly a sub OU.
Verify that the new
>GPO is linked to the new container and that computer
policy is enabled for
>it. Other than that it can take some time. Running
secedit /refreshpolicy
>machine_policy enforce on the domain controller where you
created the GPO
>and then doing the same on the servers or rebooting them
can speed up
>propagation. I would only use secedit or reboot one
server until I was sure
>that policy was propagating and it is not some other
problem. Of course dns
>has to be configured correctly on all domain member
computers in that they
>point only to AD domain controllers as their preferred
dns servers. --
>Steve
>
>http://support.microsoft.com/default.aspx?
scid=kb;KO;227302
>
>"cswarr" <anonymous@discussions.microsoft.com> wrote in
message
>news:4da801c3e450$9e12e1a0$a601280a@phx.gbl...
>> I am trying to apply a custom security template to a
group
>> of servers. I have created the template and imported it
>> into a new GPO. The settings in the template don't seem
>> to be filtering down to the servers. I even turned on
the
>> No Override (or Enforce in GPMC) to try to force the
>> policy with the template down. My environment is all
>> Win2k Servers. Any ideas?
>
>
>.
>



Relevant Pages

  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)
  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)
  • Re: Loopback Policy Not Taking Effect
    ... Have you rebooted your servers yet? ... Terminal Servers in the OU ... loopback GPO to the "Terminal Servers" OU but to the OU that holds my TS ... ad TS Lockdown Policy and assigned them mostly Computer ...
    (microsoft.public.windows.terminal_services)
  • Re: Security templates and IUSR account log on locally
    ... The Microsoft security guide for IIS6.0 says that the IUSR account ... The Microsoft group policy Enterprise security template for Member ... The Member Server template is a baseline for all servers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: security template file import
    ... one of the more "well documented" features of the GPO based security policy. ... modify the security template - ...
    (microsoft.public.win2000.security)