Re: Securing with Group Policy

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/06/05


Date: Wed, 5 Jan 2005 22:09:47 -0600

First thing is to make sure that the user is under the scope of influence of
the Group Policy. In other words, if you create an OU with a GPO with user
configuration, the user accounts must reside in that OU or possibly a child
OU. Use the support tool gpresult to see what Group Policies for user
configuration are being applied to a user and the last time the policy was
applied. You can use the /v switch for more detailed info. If you have an XP
computer in the domain you can install the Group Policy Management Console
on it, which makes checking Group Policy configuration much easier, and the
Resultant Set of Policy is a godsend. You would have to log on to the XP
computer as a domain admin [or use domain admin credentials] so be sure to
do that only on a known secure workstation [keyboard loggers, etc]. If the
domain is misconfigured for DNS you will also have Group Policy problems and
the netdiag support tool can help track that down. The links below may
help. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC free
download.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- Must
use procedures for AD DNS.

"Darren Hackler" <anonymous@discussions.microsoft.com> wrote in message
news:03c401c4f331$add10400$a401280a@phx.gbl...
> I have my GP set to disable downloads from IE for the
> general internet users. It works great. I have another
> that allows members of a certain group download rights. It
> doesn't work. When I view the policy, everything appears
> to be OK. I have had to open the Security tab for those
> users and let them set download rights themselves.
> Obviously not the best way of doing it. I set the
> downloads under Windows Settings/IE Maint/Security
> Zones/Internet: Custom. Is this the wrong place to set it?
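
The gpresult check described in the reply, as an added example that is not part of the original post: a small Python parser that reads the user section of saved gpresult text and reports whether a named GPO was applied, filtered out, or never listed. The sample text is constructed and modeled on the usual gpresult layout (an assumption; section wording can differ between Windows versions), and the function names are hypothetical.

```python
# Constructed sample modeled on gpresult's USER SETTINGS text; all names and times are invented.
SAMPLE = """\
USER SETTINGS
--------------
    CN=Test User,OU=Staff,DC=example,DC=local
    Last time Group Policy was applied: 1/5/2005 at 9:41:07 PM

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        IE Block Downloads

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        IE Allow Downloads
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
"""
HEADERS = {"Applied Group Policy Objects": "applied",
           "The following GPOs were not applied": "filtered",
           "The user is a part of the following security groups": "groups"}
STAMP = "Last time Group Policy was applied:"

def parse_user_settings(text):
    """Collect last-applied time, applied GPOs, filtered GPOs and groups."""
    out = {"last_applied": None, "applied": [], "filtered": {}, "groups": []}
    section = last_gpo = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue  # skip blank lines and dashed underlines
        header = next((s for h, s in HEADERS.items() if line.startswith(h)), None)
        if header:
            section = header
        elif line.startswith(STAMP):
            out["last_applied"] = line[len(STAMP):].strip()
        elif section == "filtered" and line.startswith("Filtering:"):
            out["filtered"][last_gpo] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last_gpo = line  # GPO name; its reason follows on the next line
        elif section:
            out[section].append(line)
    return out

def gpo_status(parsed, gpo):
    """'applied', the filtering reason, or 'not in scope' if never listed."""
    return "applied" if gpo in parsed["applied"] else parsed["filtered"].get(gpo, "not in scope")
```

A GPO that comes back as "not in scope" points to where the user account sits relative to the OU the GPO is linked to, while a "Denied (Security)" result points to the GPO's security filtering and the group list in the same output.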


