Re: Exchange OWA 2003 Trusted Root Certificate
From: Smurfman (Smurfman_at_discussions.microsoft.com)
Date: 02/15/05
Date: Tue, 15 Feb 2005 12:53:02 -0800
So for this example, create 2 Global Groups, perhaps one called Mail_Users
and the other Mail_Workstations. Then assign the users and computers to each
respective group, and use those two groups in the GPO Security settings to
Apply and then what - Assign the GPO to the Domain? Am I following you
correctly?
Thanks
"Steven L Umbach" wrote:
> What makes sense is to have two domain global groups - one for users and one
> for computers that you want the Group Policy to apply to. The user group
> would only apply user configuration and the computer group to computer
> configuration. You could combine them all into one global group but from an
> organizational standpoint I would use separate groups. Most Group Policy is
> applied at logon/startup and at the refresh interval. Note that the default
> interval has a default offset of thirty minutes which means it can take up to
> two hours for the refresh interval to apply. You can do a manual refresh
> with secedit /refreshpolicy machine_policy /enforce for Windows 2000
> computers or gpupdate /force for XP/W2003 computers.
>
> If you want to apply Group Policy to all users/computers in an OU, then
> leaving authenticated users as the apply group will work fine. You can use
> the support tool gpresult to see all the groups that a user or computer is
> currently a member of, what Group Policy is applied to a user or computer,
> and the last time it was applied. --- Steve
>
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:5060DB8B-62E1-43C4-B354-267D20D87CE3@microsoft.com...
> > Okay, so that kind of leads me back to my original issue, I have created a
> > Domain level GPO called Mail, in order to test this. The GPO has defined in
> > it, the Trusted Root Certificate that I want specific machines to have
> > installed on it. I removed the Authenticated Users from the Security of the
> > GPO, and added my Test user for the User portion of the policy, and I have
> > added a specific computer by browsing to it. For both I have selected the
> > options to Apply and Read the GPO.
> >
> > According to what I have read, when the machine reboots, or at the polling
> > interval of 90 minutes I think it was, the computer should pick up and apply
> > the policy. I think I am seeing it work during a reboot, but not the polling.
> > I just tested this. Now, this brings me back to one of my original
> > questions too, aside from having to add each computer as an object to the
> > Security to Apply, can I add the machines to the same User Group and then
> > Apply (Filter) the security on that Group. In this situation this solution
> > seems to be the fastest since I would not have to apply a GPO to each OU that
> > the computers were a part of.
> >
> > On the second method - just to clarify, if I already have my computers
> > assigned to each OU for their respective locations, I would just have to
> > apply my GPO with the Authenticated Users in the Security by default, to
> > enforce the Computer Config on the machines in that OU? Is this also
> > correct?
> >
> > Thanks for the patient responses.
> >
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> You have two options. Either put all the computers in an OU, which could be
> >> a child OU of an existing OU so that all parent OU computer configuration
> >> settings still can apply to computers in the child OU unless the child OU
> >> has same defined settings which will override same defined settings at
> >> parent level, or filter a Group Policy that would apply to computers so that
> >> the "apply" permission has only the global groups that contain computers
> >> that you want the Group Policy computer configuration to apply to. Either way
> >> the computers must be within the scope of influence of the Group Policy. The
> >> link below may help if you have not seen it yet. --- Steve
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
> >>
> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> news:72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com...
> >> > So Steve - back to my original question, since my model is small, it is my
> >> > understanding that I can "filter" a particular GPO from the Domain Level to
> >> > apply only to specific user groups that I have created. (I base that
> >> > statement on Chapter 4 - How Group Policy Works in the Windows 2000 Server
> >> > doc, on the Technet CD.)
> >> >
> >> > "Administrators can overcome this problem by organizing users and computers
> >> > into security groups, and then using these groups to filter the impact of
> >> > Group Policy.
> >> >
> >> > The IT department can create groups based on the tasks that their users
> >> > perform, the degree of authority users have to modify their own or other
> >> > computers, and the configurations that users need to have. For example, the
> >> > IT department could accomplish their goal by creating a security group just
> >> > for vice presidents. This can greatly simplify the process of administering
> >> > users with disparate configuration and permission requirements. Therefore, in
> >> > Figure 4.4, the vice presidents' security group might prevent the domain
> >> > level GPO (GPO 2) from applying to vice presidents in the Headquarters and
> >> > Marketing OUs."
> >> >
> >> > Based on that, if I were to create a domain GPO, and filter based on 3 specific
> >> > groups to apply, and if in those groups I assigned the computers that were
> >> > part of each group...would the Computer Configuration be pushed to the
> >> > machines, based on the imported Root Certificate?
> >> >
> >> > Thanks
> >> > J
> >> >
> >> >
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> It is computer configuration which means that the policy is non user
> >> >> specific and will apply to all users that logon to that computer. You
> >> >> cannot filter computer configuration policy by user but you could for specific
> >> >> computers or a global group that computers are a member of. I can't think of
> >> >> a work around offhand to have it work for specific users. --- Steve
> >> >>
> >> >>
> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
> >> >> > Thanks, so barring adding each computer to the policy where I think a user
> >> >> > might log into, would this work: Adding the Computers to the Groups in which
> >> >> > the policy is applied to. So that an OU called "Shipping Department" has a
> >> >> > group assigned to it called "Shipping". Members of the Shipping group are
> >> >> > user1 and user2. A policy is created with Permissions to apply a Trusted
> >> >> > Root Certificate to the Shipping Group, which would install the certificate I
> >> >> > want but only for those particular users. Am I correct in saying that I
> >> >> > should just add the computers that are physically located in the Shipping
> >> >> > Department to the group Shipping, so that all Computer Policies are applied
> >> >> > to the machine?
> >> >> >
> >> >> > I kind of thought that the computer policies would apply to the computer
> >> >> > that a particular user logged into, not a specific computer? Can we
> >> >> > verify this? That link that I included for accomplishing these steps, said
> >> >> > nothing about adding specific users, in fact it was a Default Domain
> >> >> > Policy?
> >> >> >
> >> >> > Thanks
> >> >> >
> >> >> > "Steven L Umbach" wrote:
> >> >> >
> >> >> >> That policy is "computer configuration". You will have to have that policy
> >> >> >> apply to a computer that the user logs onto. For instance if you configured
> >> >> >> that Group Policy at the OU level, the computer account will need to be in
> >> >> >> that OU. --- Steve
> >> >> >>
> >> >> >>
> >> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
> >> >> >> > I am looking to attach a certificate to a GPO, under the Trusted Root
> >> >> >> > Certificates so that specific users on the network who access the Secure
> >> >> >> > (https) Outlook Web Agent 2003, will already have the certificate installed,
> >> >> >> > and not have to answer yes to a certificate question each time the browser
> >> >> >> > accesses the website on the exchange server.
> >> >> >> >
> >> >> >> > My attempt has been this, accessed the server and installed the certificate,
> >> >> >> > then I exported the certificate as p7b...I then could manually go to other
> >> >> >> > machines and import the certificate, but do not want to do that over the
> >> >> >> > enterprise.
> >> >> >> >
> >> >> >> > I created a GPO based on this link:
> >> >> >> > "http://www.microsoft.com/windows2000/techinfo/planning/security/catruststeps.asp#heading2"
> >> >> >> > I applied the policy only to my test user that I created, yet the
> >> >> >> > certificate is never installed as I would have expected it. I suspect that I
> >> >> >> > have missed something, but can't put my finger on it.
> >> >> >> >
> >> >> >> > Any ideas?
> >> >> >> > J
>
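
The rules discussed in this thread (scope of the GPO link, the Read + Apply security filter, and computer configuration being evaluated against the computer account rather than the user) can be modelled in a few lines. This is an added illustration, not code from any poster or from Microsoft; the account names, the `Sites/Shipping` OU path and the `Principal`/`GPO` classes are constructed for the example, and the model ignores Deny entries, blocked inheritance and WMI filters.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    kind: str              # "user" or "computer"
    ou_path: tuple         # position in the directory tree
    groups: set = field(default_factory=set)

@dataclass
class GPO:
    name: str
    linked_to: tuple       # () means linked at the domain, else an OU path
    apply_acl: set         # names granted Read + Apply Group Policy
    has_computer_config: bool = True   # e.g. a Trusted Root Certificate
    has_user_config: bool = False

def in_scope(gpo, p):
    """A domain link covers every OU; an OU link covers that OU and its children."""
    return p.ou_path[:len(gpo.linked_to)] == gpo.linked_to

def passes_filter(gpo, p):
    """The account, or a group it belongs to, must hold Read + Apply."""
    # Users and computers are both implicit members of Authenticated Users.
    return bool(({p.name, "Authenticated Users"} | p.groups) & gpo.apply_acl)

def applies(gpo, p):
    """Computer settings are evaluated for the computer account only,
    user settings for the user account only."""
    half = gpo.has_computer_config if p.kind == "computer" else gpo.has_user_config
    return half and in_scope(gpo, p) and passes_filter(gpo, p)

def report(gpo, principals):
    return {p.name: applies(gpo, p) for p in principals}

# Constructed sample directory (all names are hypothetical).
SHIPPING = ("Sites", "Shipping")
testuser = Principal("testuser", "user", SHIPPING, {"Mail_Users"})
pc1 = Principal("PC1$", "computer", SHIPPING + ("Laptops",), {"Mail_Workstations"})
pc2 = Principal("PC2$", "computer", ("Sites", "Receiving"))
everyone = [testuser, pc1, pc2]

user_only = GPO("Mail", (), {"testuser"})                         # first attempt
by_groups = GPO("Mail", (), {"Mail_Users", "Mail_Workstations"})  # two-group filter
by_ou = GPO("Mail", SHIPPING, {"Authenticated Users"})            # OU link, default ACL

if __name__ == "__main__":
    for label, gpo in [("user only", user_only), ("groups", by_groups), ("OU link", by_ou)]:
        print(label, report(gpo, everyone))
```

With the filter set to the test user alone, no computer account passes, so the certificate (a computer setting) is delivered nowhere; either the computer group filter or the OU link with the default ACL delivers it to `PC1$` only.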