Re: Exchange OWA 2003 Trusted Root Certificate
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 02/15/05
- Next message: Steven L Umbach: "Re: Disabling TCP/IP Services on Windows 2000/ NT Servers"
- Previous message: BogdanSUA: "Old admin took password to his grave"
- In reply to: Smurfman: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Next in thread: Paul Adare: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Reply: Paul Adare: "Re: Exchange OWA 2003 Trusted Root Certificate"
Date: Tue, 15 Feb 2005 16:57:15 -0600
That should work fine with the GPO at the domain level. --- Steve
"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
> So for this example, create 2 Global Groups, perhaps one called Mail_Users
> and the other Mail_Workstations. Then assign the users and computers to each
> respective group, and use those two groups in the GPO Security settings to
> Apply and then what - Assign the GPO to the Domain? Am I following you
> correctly?
>
> Thanks
>
> "Steven L Umbach" wrote:
>
>> What makes sense is to have two domain global groups - one for users and one
>> for computers that you want the Group Policy to apply to. The user group
>> would only apply user configuration and the computer group to computer
>> configuration. You could combine them all into one global group but from an
>> organizational standpoint I would use separate groups. Most Group Policy is
>> applied at logon/startup and at the refresh interval. Note that the default
>> interval has a default offset of thirty minutes which means it can take up to
>> two hours for the refresh interval to apply. You can do a manual refresh
>> with secedit /refreshpolicy machine_policy /enforce for Windows 2000
>> computers or gpupdate /force for XP/W2003 computers.
>>
>> If you want to apply Group Policy to all users/computers in an OU, then
>> leaving authenticated users as the apply group will work fine. You can use
>> the support tool gpresult to see all the groups that a user or computer is
>> currently a member of, what Group Policy is applied to a user or computer,
>> and the last time it was applied. --- Steve
>>
>>
>> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> news:5060DB8B-62E1-43C4-B354-267D20D87CE3@microsoft.com...
>> > Okay, so that kind of leads me back to my original issue, I have created a
>> > Domain level GPO called Mail, in order to test this. The GPO has defined in
>> > it, the Trusted Root Certificate that I want specific machines to have
>> > installed on it. I removed the Authenticated Users from the Security of the
>> > GPO, and added my Test user for the User portion of the policy, and I have
>> > added a specific computer by browsing to it. For both I have selected the
>> > options to Apply and Read the GPO.
>> >
>> > According to what I have read, when the machine reboots, or at the polling
>> > interval of 90 minutes I think it was, the computer should pick up and apply
>> > the policy. I think I am seeing it work during a reboot, but not the polling.
>> > I just tested this. Now, this brings me back to one of my original
>> > questions too, aside from having to add each computer as an object to the
>> > Security to Apply, can I add the machines to the same User Group and then
>> > Apply (Filter) the security on that Group. In this situation this solution
>> > seems to be the fastest since I would not have to apply a GPO to each OU that
>> > the computers were a part of.
>> >
>> > On the second method - just to clarify, if I already have my computers
>> > assigned to each OU for their respective locations, I would just have to
>> > apply my GPO with the Authenticated Users in the Security by default, to
>> > enforce the Computer Config on the machines in that OU? Is this also
>> > correct?
>> >
>> > Thanks for the patient responses.
>> >
>> >
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> You have two options. Either put all the computers in an OU, which could be
>> >> a child OU of an existing OU so that all parent OU computer configuration
>> >> settings still can apply to computers in the child OU unless the child OU
>> >> has same defined settings which will override same defined settings at
>> >> parent level, or filter a Group Policy that would apply to computers so that
>> >> the "apply" permission has only the global groups that contain computers
>> >> that you want the Group Policy computer configuration to apply to. Either way
>> >> the computers must be within the scope of influence of the Group Policy. The
>> >> link below may help if you have not seen it yet. --- Steve
>> >>
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
>> >>
>> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> news:72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com...
>> >> > So Steve - back to my original question, since my model is small, it is my
>> >> > understanding that I can "filter" a particular GPO from the Domain Level to
>> >> > apply only to specific user groups that I have created. (I base that
>> >> > statement on Chapter 4 - How Group Policy Works in the Windows 2000 Server
>> >> > doc, on the Technet CD.)
>> >> >
>> >> > "Administrators can overcome this problem by organizing users and computers
>> >> > into security groups, and then using these groups to filter the impact of
>> >> > Group Policy.
>> >> >
>> >> > The IT department can create groups based on the tasks that their users
>> >> > perform, the degree of authority users have to modify their own or other
>> >> > computers, and the configurations that users need to have. For example, the
>> >> > IT department could accomplish their goal by creating a security group just
>> >> > for vice presidents. This can greatly simplify the process of administering
>> >> > users with disparate configuration and permission requirements. Therefore, in
>> >> > Figure 4.4, the vice presidents' security group might prevent the domain
>> >> > level GPO (GPO 2) from applying to vice presidents in the Headquarters and
>> >> > Marketing OUs."
>> >> >
>> >> > Based on that, if I were to create a domain GPO, and filter based on 3
>> >> > specific groups to apply, and if in those groups I assigned the computers
>> >> > that were part of each group...would the Computer Configuration be pushed to
>> >> > the machines, based on the imported Root Certificate?
>> >> >
>> >> > Thanks
>> >> > J
>> >> >
>> >> >
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> It is computer configuration which means that the policy is non user
>> >> >> specific and will apply to all users that logon to that computer. You can
>> >> >> not filter computer configuration policy by user but you could for specific
>> >> >> computers or a global group that computers are a member of. I can't think of
>> >> >> a work around offhand to have it work for specific users. --- Steve
>> >> >>
>> >> >>
>> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> >> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
>> >> >> > Thanks, so barring adding each computer to the policy where I think a user
>> >> >> > might log into, would this work: Adding the Computers to the Groups in which
>> >> >> > the policy is applied to. So that an OU called "Shipping Department" has a
>> >> >> > group assigned to it called "Shipping". Members of the Shipping group are
>> >> >> > user1 and user2. A policy is created with Permissions to apply a Trusted
>> >> >> > Root Certificate to the Shipping Group, which would install the certificate I
>> >> >> > want but only for those particular users. Am I correct in saying that I
>> >> >> > should just add the computers that are physically located in the Shipping
>> >> >> > Department to the group Shipping, so that all Computer Policies are applied
>> >> >> > to the machine?
>> >> >> >
>> >> >> > I kind of thought that the computer policies would apply to the computer
>> >> >> > that a particular user logged into, not a specific computer? Can we
>> >> >> > verify this? That link that I included for accomplishing these steps, said
>> >> >> > nothing about adding specific users, in fact it was a Default Domain
>> >> >> > Policy?
>> >> >> >
>> >> >> > Thanks
>> >> >> >
>> >> >> > "Steven L Umbach" wrote:
>> >> >> >
>> >> >> >> That policy is "computer configuration". You will have to have that policy
>> >> >> >> apply to a computer that the user logs onto. For instance if you configured
>> >> >> >> that Group Policy at the OU level, the computer account will need to be in
>> >> >> >> that OU. --- Steve
>> >> >> >>
>> >> >> >>
>> >> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> >> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
>> >> >> >> > I am looking to attach a certificate to a GPO, under the Trusted Root
>> >> >> >> > Certificates so that specific users on the network who access the Secure
>> >> >> >> > (https) Outlook Web Agent 2003, will already have the certificate
>> >> >> >> > installed, and not have to answer yes to a certificate question each time
>> >> >> >> > the browser accesses the website on the exchange server.
>> >> >> >> >
>> >> >> >> > My attempt has been this, accessed the server and installed the
>> >> >> >> > certificate, then I exported the certificate as p7b...I then could manually
>> >> >> >> > go to other machines and import the certificate, but do not want to do that
>> >> >> >> > over the enterprise.
>> >> >> >> >
>> >> >> >> > I created a GPO based on this link:
>> >> >> >> > "http://www.microsoft.com/windows2000/techinfo/planning/security/catruststeps.asp#heading2"
>> >> >> >> > I applied the policy only to my test user that I created, yet the
>> >> >> >> > certificate is never installed as I would have expected it. I suspect that I
>> >> >> >> > have missed something, but can't put my finger on it.
>> >> >> >> >
>> >> >> >> > Any ideas?
>> >> >> >> > J
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
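The filtering rules discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of which half of a GPO takes effect for a given user and computer. The account names, the `example.local` domain and the OU layout are constructed; the model ignores Deny entries, blocked inheritance and link order.

```python
from dataclasses import dataclass

NEEDED = frozenset({"read", "apply"})   # Read + Apply Group Policy

@dataclass(frozen=True)
class Account:
    name: str
    ou_path: tuple                      # containers from the domain down
    groups: frozenset = frozenset()

@dataclass
class GPO:
    linked_to: tuple                    # container the GPO is linked to
    acl: dict                           # trustee -> allowed permissions
    sections: tuple = ("computer",)     # trusted root cert = computer configuration

def in_scope(gpo, acct):
    # A link reaches accounts in the linked container and below it.
    return acct.ou_path[:len(gpo.linked_to)] == gpo.linked_to

def passes_filter(gpo, acct):
    # Permissions can come from the account itself or any group it is in.
    trustees = {acct.name, "Authenticated Users"} | acct.groups
    granted = set().union(*(gpo.acl.get(t, set()) for t in trustees))
    return NEEDED <= granted

def applied_sections(gpo, user, computer):
    # Computer configuration is judged against the computer account,
    # user configuration against the user account.
    subject = {"computer": computer, "user": user}
    return [s for s in gpo.sections
            if in_scope(gpo, subject[s]) and passes_filter(gpo, subject[s])]

# Constructed sample directory (all names are illustrative assumptions).
DOMAIN = ("example.local",)
user = Account("testuser", DOMAIN + ("Shipping",), frozenset({"Mail_Users"}))
pc1 = Account("PC1$", DOMAIN + ("Shipping",), frozenset({"Mail_Workstations"}))
pc2 = Account("PC2$", DOMAIN + ("Office",))

user_only = GPO(DOMAIN, {"testuser": NEEDED})            # first attempt in the thread
grouped = GPO(DOMAIN, {"Mail_Users": NEEDED, "Mail_Workstations": NEEDED})
ou_default = GPO(DOMAIN + ("Shipping",), {"Authenticated Users": NEEDED})

if __name__ == "__main__":
    for label, gpo in [("user only", user_only), ("two groups", grouped),
                       ("OU link, default filter", ou_default)]:
        for pc in (pc1, pc2):
            print(f"{label:24} {pc.name}: {applied_sections(gpo, user, pc)}")
```

Filtering the domain-level GPO on the test user alone applies nothing, because the certificate setting is computer configuration; it applies once the computer account is in a filtered group or in an OU where the GPO is linked.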