Re: INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/26/05
Date: Tue, 26 Apr 2005 06:32:56 -0700
Instead of resetting to installation default per the KB you mention,
it is possible to use the Security Configuration and Analysis MMC
snap-in to perform an analysis relative to the settings of that template.
One may then examine the results of the analysis to see differences
between the in-use settings and those that would be imposed if the
template were applied.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Javier J" <no.mail@please.no> wrote in message
news:voqr6116smnpf3kgbvopv7qfgaot0cpnp9@4ax.com...
> INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?
>
> Hi all!
>
> Through a set of circumstances too long to mention, I have been tasked
> with testing our company software in a domain hardened as per the
> INFOSEC NACOSA 2.1 templates (ICN DC.inf, ICN Domain.inf,
> InfosecCmdNS_srv_Ver2.1.inf / InfosecCmdNS_ws_Ver2.1.inf...)
>
> The issue is, when the operating system is set up according to the
> templates (as per the dc_w2ksec_install.doc - "COMPUSEC Technical and
> Implementation Directive for Security Settings for Windows 2000 Domain
> Controllers" ver 1.1, 15.Aug.2002), when I try to expand the AD schema
> (using the Administrator account, that is a member of the Schema
> Administrators Group), I get a security error stating that the account
> can't do that.
>
> IF I expand the AD Schema _before_ I set up all the templates, our
> application runs just fine, but I need to know which are the settings
> (if any) that are interfering with expanding the AD Schema, in order
> to "see" how to revert them if possible, what is the impact of doing
> so, etc etc.
>
> I've been trying to find more info on the issue, but the web page that
> the doc. refers to for further information
> (http://cww.infosec.nato.int/compusec/Win2k_security/w2k_security.htm)
> is not available, and I haven't been able to find its "successor".
>
> So, I'd be more than grateful if anybody with relevant knowledge would
> care to enlighten me. Maybe I'm not supposed to expand the AD Schema
> FROM the DC? Maybe there is some security setting I have to tweak?...
>
> I've found a page at Microsoft that tells: "How to Reset User Rights
> in the Default Domain Controllers Group Policy Object"
> (http://support.microsoft.com/?id=267553), but I'm quite reluctant to
> use such a "shotgun" approach.
>
> Any and all help will be appreciated to an inordinate extent.
>
> Thanks a lot for reading this far.
>
> Javier J
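
The comparison described in the reply above can also be done on text, as an added example that is not part of the original thread: it diffs an in-use settings export against a template INF, section by section. It assumes the in-use settings were exported to INF form (for instance with `secedit /export /cfg`); the function names and both sample templates are constructed for illustration and are not taken from the INFOSEC files.

```python
def parse_inf(text):
    """Parse a security template into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def normalize(section, value):
    # [Privilege Rights] values are unordered account/SID lists: compare as sets.
    if section == "Privilege Rights":
        return frozenset(v.strip().lower() for v in value.split(",") if v.strip())
    return value.strip().lower()

def diff_templates(in_use, template):
    """Return (section, key, in_use_value, template_value) for each setting
    the template would change if it were applied."""
    changes = []
    for section, settings in template.items():
        current = in_use.get(section, {})
        for key, wanted in settings.items():
            have = current.get(key)
            # A right missing from the export is treated as granted to nobody.
            if normalize(section, have or "") != normalize(section, wanted):
                changes.append((section, key, have, wanted))
    return sorted(changes, key=lambda c: (c[0], c[1]))

# Constructed sample data (not the real INFOSEC template contents).
IN_USE = """\
[System Access]
MinimumPasswordLength = 7
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
"""
TEMPLATE = """\
[System Access]
MinimumPasswordLength = 12
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege =
"""
CHANGES = diff_templates(parse_inf(IN_USE), parse_inf(TEMPLATE))
```

Only settings the template defines are reported, so the output is the list of values that applying the template would overwrite.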