Re: Exchange OWA 2003 Trusted Root Certificate

From: Smurfman (Smurfman_at_discussions.microsoft.com)
Date: 02/15/05


Date: Tue, 15 Feb 2005 12:01:07 -0800

Okay, so that kind of leads me back to my original issue, I have created a
Domain level GPO called Mail, in order to test this. The GPO has defined in
it, the Trusted Root Certificate that I want specific machines to have
installed on it. I removed the Authenticated Users from the Security of the
GPO, and added my Test user for the User portion of the policy, and I have
added a specific computer by browsing to it. For both I have selected the
options to Apply and Read the GPO.

According to what I have read, when the machine reboots, or at the polling
interval of 90 minutes I think it was, the computer should pick up and apply
the policy. I think I am seeing it work during a reboot, but not the polling.
I just tested this. Now, this brings me back to one of my original
questions too, aside from having to add each computer as an object to the
Security to Apply, can I add the machines to the same User Group and then
Apply (Filter) the security on that Group? In this situation this solution
seems to be the fastest since I would not have to apply a GPO to each OU that
the computers were a part of.

On the second method - just to clarify, if I already have my computers
assigned to each OU for their respective locations, I would just have to
apply my GPO with the Authenticated Users in the Security by default, to
enforce the Computer Config on the machines in that OU? Is this also correct?

Thanks for the patient responses.

"Steven L Umbach" wrote:

> You have two options. Either put all the computers in an OU, which could be
> a child OU of an existing OU so that all parent OU computer configuration
> settings still can apply to computers in the child OU unless the child OU
> has same defined settings which will override same defined settings at
> parent level, or filter a Group Policy that would apply to computers so that
> the "apply" permission has only the global groups that contain computers
> that you want the Group Policy computer configuration to apply to. Either way
> the computers must be within the scope of influence of the Group Policy. The
> link below may help if you have not seen it yet. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com...
> > So Steve - back to my original question, since my model is small, it is my
> > understanding that I can "filter" a particular GPO from the Domain Level to
> > apply only to specific user groups that I have created. (I base that
> > statement on Chapter 4 - How Group Policy Works in the Windows 2000 Server
> > doc, on the Technet CD.)
> >
> > "Administrators can overcome this problem by organizing users and computers
> > into security groups, and then using these groups to filter the impact of
> > Group Policy.
> >
> > The IT department can create groups based on the tasks that their users
> > perform, the degree of authority users have to modify their own or other
> > computers, and the configurations that users need to have. For example, the
> > IT department could accomplish their goal by creating a security group just
> > for vice presidents. This can greatly simplify the process of administering
> > users with disparate configuration and permission requirements. Therefore,
> > in Figure 4.4, the vice presidents' security group might prevent the domain
> > level GPO (GPO 2) from applying to vice presidents in the Headquarters and
> > Marketing OUs."
> >
> > Based on that, if I were to create a domain GPO, and filter based on 3
> > specific groups to apply, and if in those groups I assigned the computers
> > that were part of each group...would the Computer Configuration be pushed to
> > the machines, based on the imported Root Certificate?
> >
> > Thanks
> > J
> >
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> It is computer configuration which means that the policy is non user
> >> specific and will apply to all users that logon to that computer. You can
> >> not filter computer configuration policy by user but you could for specific
> >> computers or a global group that computers are a member of. I can't think
> >> of a work around offhand to have it work for specific users. --- Steve
> >>
> >>
> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
> >> > Thanks, so barring adding each computer to the policy where I think a
> >> > user might log into, would this work: Adding the Computers to the Groups
> >> > in which the policy is applied to. So that an OU called "Shipping
> >> > Department" has a group assigned to it called "Shipping". Members of the
> >> > Shipping group are user1 and user2. A policy is created with Permissions
> >> > to apply a Trusted Root Certificate to the Shipping Group, which would
> >> > install the certificate I want but only for those particular users. Am I
> >> > correct in saying that I should just add the computers that are
> >> > physically located in the Shipping Department to the group Shipping, so
> >> > that all Computer Policies are applied to the machine?
> >> >
> >> > I kind of thought that the computer policies would apply to the computer
> >> > that a particular user logged into, not a specific computer? Can we
> >> > verify this? That link that I included for accomplishing these steps,
> >> > said nothing about adding specific users, in fact it was a Default Domain
> >> > Policy?
> >> >
> >> > Thanks
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> That policy is "computer configuration". You will have to have that
> >> >> policy apply to a computer that the user logs onto. For instance if you
> >> >> configured that Group Policy at the OU level, the computer account will
> >> >> need to be in that OU. --- Steve
> >> >>
> >> >>
> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
> >> >> > I am looking to attach a certificate to a GPO, under the Trusted Root
> >> >> > Certificates so that specific users on the network who access the
> >> >> > Secure (https) Outlook Web Agent 2003, will already have the
> >> >> > certificate installed, and not have to answer yes to a certificate
> >> >> > question each time the browser accesses the website on the exchange
> >> >> > server.
> >> >> >
> >> >> > My attempt has been this, accessed the server and installed the
> >> >> > certificate, then I exported the certificate as p7b...I then could
> >> >> > manually go to other machines and import the certificate, but do not
> >> >> > want to do that over the enterprise.
> >> >> >
> >> >> > I created a GPO based on this link:
> >> >> > "http://www.microsoft.com/windows2000/techinfo/planning/security/catruststeps.asp#heading2"
> >> >> > I applied the policy only to my test user that I created, yet the
> >> >> > certificate is never installed as I would have expected it. I suspect
> >> >> > that I have missed something, but can't put my finger on it.
> >> >> >
> >> >> > Any ideas?
> >> >> > J
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
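
The group-based security filtering discussed in this thread, as an added example that is not part of the original posts. It assumes the GroupPolicy and ActiveDirectory RSAT PowerShell modules, which postdate the thread; the GPO name `Mail` is from the thread, while the group name, computer names and certificate subject are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run steps 1-3 from an admin workstation.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Mail'                    # GPO name used in the thread
$GroupName = 'OWA-Root-Computers'      # hypothetical global security group
$Computers = 'SHIP-PC01', 'SHIP-PC02'  # hypothetical computer account names

# 1. A global security group whose members are computer accounts, not users:
#    the Trusted Root setting lives under Computer Configuration.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$current = (Get-ADGroupMember -Identity $GroupName).DistinguishedName
$toAdd   = $Computers | ForEach-Object { Get-ADComputer -Identity $_ } |
           Where-Object { $_.DistinguishedName -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# 2. Security filtering on the domain-linked GPO: Authenticated Users keeps
#    Read only, and only the computer group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# 3. Review the resulting ACL on the GPO.
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 4. Run on a target computer, elevated. A computer reads its group
#    memberships at startup, so restart it after step 1 before checking.
function Test-GpoRootCert {
    param([string]$SubjectLike = '*<CA-common-name-placeholder>*')
    gpupdate /target:computer /force | Out-Null
    gpresult /r /scope computer      # the GPO should be listed as applied
    # The logical Root store includes certificates delivered by Group Policy.
    $hits = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object Subject -like $SubjectLike
    return [bool]$hits
}
```

`Test-GpoRootCert` returns `$true` once the policy-delivered root appears in the machine's Trusted Root store; if it returns `$false`, the `gpresult` output shows whether the GPO was filtered out or never in scope.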


