Re: Group Policy - Defining Security Policies Using Variables?
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 10/28/04
- Next message: Roger Abell: "Re: xcacls Problem"
- Previous message: Roger Abell: "Re: DHCP ENCRYPTED TO DOMAIN MEMBERS"
- In reply to: Jason Cook: "Group Policy - Defining Security Policies Using Variables?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Oct 2004 08:13:11 -0700
Unextended GP does not have ability to use a meta-like level
in the policy settings. Some things however, if set in GPO at
the OU level can be used to name accounts that only exist at the
local machine level if you do this with care and the account
or group to be named is a well-known, predefined in Windows.
Otherwise, look at use of a startup script defined in GPO that,
in your case, invokes such as NTrights tool from the reskit.
Also, there are third-party products that extend the GP mechanics
so they can accommodate meta-info that is expanded on the target
client in client specific fashion.
-- Roger Abell "Jason Cook" <JasonCook@discussions.microsoft.com> wrote in message news:BED93E2B-782A-4AB8-AF8C-7100CDAD926D@microsoft.com... > Problem: > When setting up a new GPO, is there a method for using variables such as > %computername%\LocalServiceAccount when defining security permissions such as > "Deny log on locally" > > Background: > I'm monitoring hundreds of local server accounts with common names and > adminstrative access. These accounts run services and applications but do > not need console access. I need to find an effective method for setting the > permission "Deny Logon Locally."
- Next message: Roger Abell: "Re: xcacls Problem"
- Previous message: Roger Abell: "Re: DHCP ENCRYPTED TO DOMAIN MEMBERS"
- In reply to: Jason Cook: "Group Policy - Defining Security Policies Using Variables?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
