Re: Exchange OWA 2003 Trusted Root Certificate

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/17/05 

Date: Wed, 16 Feb 2005 20:43:15 -0600

If you have a Group Policy where no computer configuration is defined it
makes sense to disable the computer part of the Group Policy. Just keep in
mind that it is disabled because we tend to forget such as time goes on and
someday if you do define a computer configuration setting it obviously will
not work until you enable the computer configuration portion of the Group
Policy. If you are using Group Policy Management console [via an XP Pro
domain computer for W2K domain] it will be easier to see such. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
> Actually that was not the only thing I was trying to accomplish. There
> are
> specific user configurations that I will be performing as well. But my
> whole
> issue was that When I removed Authenticated Users from the default setting
> for the Apply of the GPO, the computer configuration was not applied, when
> I
> used this GPO at the domain level, since Domain Computers are a member of
> Authenticated Users, other GPO's that I made computer config changes to,
> worked just fine. Once I modified a group to include the specific
> computers
> that would get this particular config, and applied it to the GPO (filter)
> everything worked like a charm.
>
> I do have another question, raised by your comment below. I notice there
> are options for the GPO to Disable User or Computer Configuration
> Settings.
> When I have a policy (not this one), that has Authenticated Users as the
> default, and I have left this setting as is, but made no comptuer
> changes -
> is it safe to assume that the computer configuration is skipped - or in a
> domain of less than 50 users, do I care? Is performance really a concern?
>
> "Paul Adare" wrote:
>
>> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
>> microsoft.public.win2000.security news group, Steven L Umbach <n9rou@n0-
>> spam-for-me-comcast.net> says...
>>
>> > That should work fine with the GPO at the domain level. --- Steve
>> >
>> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
>> > > So for this example, create 2 Global Groups, perhaps one called
>> > > Mail_Users
>> > > and the other Mail_Workstations. Then assign the users and computers
>> > > to
>> > > each
>> > > respective group, and use those two groups in the GPO Security
>> > > settings to
>> > > Apply and then what - Assign the GPO to the Domain?. Am I following
>> > > you
>> > > correctly?
>> >
>>
>> If all the OP is trying to do here is to push the required root
>> certificate out however, there is no need for the Mail_Users group at
>> all. Since the Public Key policy settings are in the Computer
>> Configuration section of the GPO, that section will _never_ be processed
>> by user. Giving them permissions on a GPO that they will never process
>> doesn't accomplish anything. In fact, as a best practice, if a GPO
>> contains _only_ user or _only_ computer settings processing of the empty
>> section of the GPO should be disabled for performance reasons. No point
>> processing a GPO that doesn't contain settings that will be applied.
>>
>> --
>> Paul Adare
>> "On two occasions, I have been asked [by members of Parliament],
>> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
>> will the right answers come out?' I am not able to rightly apprehend
>> the kind of confusion of ideas that could provoke such a question."
>> -- Charles Babbage (1791-1871)
>>

Relevant Pages

  • Re: Problem applying custom Group Policy
    ... I have tested to make some settings in Computer Configuration (in ... answer is in the OU to which this GPO is linked! ... Microsoft Windows 2000 Operating System Group Policy Result ... Local Group Policy ...
    (microsoft.public.windows.server.active_directory)
  • Re: How to disallow group policies on windows 2000 servers
    ... If the settings are applied via computer configuration in the GPO to the ... > awhile it gets annoying when I login to multiple servers. ... > only disallow the running of this group policy if an administrator or user ...
    (microsoft.public.win2000.active_directory)
  • Re: Group policy
    ... > The group policy is very frustrating. ... You're confusing domain user accounts and local user ... Because you linked the GPO ... will computer configuration parts of the GPO takes ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Software Restriction Policies
    ... If you applied it via Group Policy at the domain or Organizational Unit ... default security level to unrestricted or unlink the GPO that is applying ... the settings to the user or computer depending on where the policy is being ... applied - user or computer configuration. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Remove Shut Down
    ... Are you familiar with Group Policy? ... I believe that you can control this via ... This would be on the computer configuration side of things. ... computer account objects into that OU and then linked the GPO to this OU. ...
    (microsoft.public.win2000.active_directory)
Quantcast