Re: How do I get Restricted Groups to be real time?
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/09/05
- Previous message: Shannon Jacobs: "Re: How to fix broken security in Windows 2000?"
- In reply to: Todd: "How do I get Restricted Groups to be real time?"
- Next in thread: Todd: "Re: How do I get Restricted Groups to be real time?"
- Reply: Todd: "Re: How do I get Restricted Groups to be real time?"
Date: Tue, 8 Feb 2005 21:02:17 -0700
It is the Computer policy refresh that applies the Restricted group defs.
If all of your DCs, as I assume from what was said of the environment
in the other thread, are local at one location, setting the domain refresh
interval down to some amount lower than the predefined 5 minutes
would probably not hurt while you are fighting this way (but I assume
that you have not many GPOs that apply to Domain and/or Domain
Controllers). I have never heard of setting refresh to 0 so am not sure
how that gets interpreted. At best try a lower positive number and
keep an eye on the work caused (probably barely noticeable for an all
LAN local DCs situation).
Are you monitoring all inbound and outbound traffic (that is, all that
passes to and from the outside world)? And not just to the DCs, by the
way, as any domain member would make an effective point from
which to manipulate AD definitions like user objects, group members.
Is this forest a single domain?
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4)
MCDBA

"Todd" <Todd@discussions.microsoft.com> wrote in message
news:4AEED882-8244-4C22-9D1A-EC4879A0EFF0@microsoft.com...
> I have a question regarding Restricted Groups...
>
> I am trying to make the changes that I've set for Restricted Groups to be as
> close to real time as possible. We had another user created today and the
> user was added to the built in administrators group by a ghost admin...refer
> to an alternate post for the whole story if you're interested...titled
> "Security Breach in AD" from 02/07/05
>
> Anyway...In about 5 minutes the user was removed from the built in admin
> group as I have configured with Restricted Groups. Trying to make it real
> time security, I have changed the default domain policy, the default domain
> controller policy, and the local machine policy all to reflect the following
> changes trying to make this a real time restriction:
> I have enabled the... refresh interval for computers to 0, refresh interval
> for domain controllers to 0 for the computer group policies
> as well as the refresh interval for users to 0 for the user group policies.
> I obviously do not know what I am doing since I don't know what Group policy
> to apply and on what interface to get my desired results.
>
> Please help!
>
> thanks
>
> Todd
>
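
An added example, not part of the original posts and not Microsoft tooling: between two computer policy refreshes a group can hold members that Restricted Groups will strip on the next pass, so this sketch reads the `[Group Membership]` section of a GPO's `GptTmpl.inf` (where Restricted Groups settings are stored) and reports that drift for a membership snapshot. The SIDs, the sample file content, the snapshot and the function names are all constructed for the illustration.

```python
# Added example: constructed data, hypothetical function names.
# Constructed GptTmpl.inf fragment; all SIDs below are made up.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-500,*S-1-5-21-1111-2222-3333-512
"""

# Constructed snapshot of the group as it looks between two refreshes.
OBSERVED = {"S-1-5-32-544": ["S-1-5-21-1111-2222-3333-500",
                             "S-1-5-21-1111-2222-3333-512",
                             "S-1-5-21-1111-2222-3333-1609"]}


def norm(principal):
    """Strip the '*' SID marker and normalise case for comparison."""
    return principal.strip().lstrip("*").upper()


def restricted_groups(inf_text):
    """Return {group: set(members)} from the [Group Membership] section."""
    groups, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        name, _, kind = key.rpartition("__")
        if kind.lower() == "members":  # __Memberof is a separate setting
            groups[norm(name)] = {norm(m) for m in value.split(",") if m.strip()}
    return groups


def drift(enforced, observed):
    """Per group: members the refresh will remove and members it will re-add."""
    report = {}
    for group, allowed in enforced.items():
        current = {norm(m) for m in observed.get(group, [])}
        report[group] = {"unexpected": sorted(current - allowed),
                         "missing": sorted(allowed - current)}
    return report
```

Run against a real snapshot on a schedule shorter than the refresh interval, a non-empty `unexpected` list is the signal to investigate who made the change rather than only waiting for the refresh to undo it.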