Re: INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?
From: Stephen Cartwright [MSFT] (scart_at_online.microsoft.com)
Date: 04/26/05
- Next message: Joe Richards [MVP]: "Re: Anyone know how to Use DSACLS to add perms to Machine account?"
- Previous message: Kenneth Bryant: "Logon Problem"
- In reply to: Javier J: "INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?"
- Next in thread: Javier J: "Re: INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?"
- Reply: Javier J: "Re: INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Apr 2005 08:52:11 -0700
You can use the Security Analysis and Configuration tool to compare the
existing settings against the template you want to use. That should indicate
where the differences are and what you might therefore need to "tweak" to
get the desired settings.
The NATO link you added, is that a local intranet link as its not visible.
NATO is a company now :)
Good luck.
-- Stephen Cartwright [MSFT] "This posting is provided "AS IS" with no warranties, and confers no rights." "Javier J" <no.mail@please.no> wrote in message news:voqr6116smnpf3kgbvopv7qfgaot0cpnp9@4ax.com... > INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema? > > Hi all! > > Through a set of circumstances too long to mention, I have been tasked > with testing our company software in a domain hardened as per the > INFOSEC NACOSA 2.1 templates (ICN DC.inf, ICN Domain.inf, > InfosecCmdNS_srv_Ver2.1.inf / InfosecCmdNS_ws_Ver2.1.inf...) > > The issue is, when the operating system is set up according to the > templates (as per the dc_w2ksec_install.doc - "COMPUSEC Technical and > Implementation Directive for Security Settings for Windows 2000 Domain > Controllers" ver 1.1, 15.Aug.2002), when I try to expand the AD schema > (using the Administrator account, that is a member of the Schema > Administrators Group), I get a security error stating that the account > can't do that. > > IF I expand the AD Schema _before_ I set up all the templates, our > application runs just fine, but I need to know which are the settings > (if any) that are interfering with expanding the AD Schema, in order > to "see" how to revert them if possible, what is the impact of doing > so, etc etc. > > I've been trying to find more info on the issue, but the web page that > the doc. refers to for further information > (http://cww.infosec.nato.int/compusec/Win2k_security/w2k_security.htm) > is not avaliable, and I haven't been able to find its "successor". > > So, I'd be more than grateful if anybody with relevant knoweldge would > care to enlighten me. Maybe I'm not supposed to expand de AD Schema > FROM the DC? Maybe there is some security setting I have to tweak?... > > I've found a page at microsoft that tells: "How to Reset User Rights > in the Default Domain Controllers Group Policy Object" > (http://support.microsoft.com/?id=267553), but I'm quite reluctant to > use such a "shotgun" approach. > > Any and all help will be appreciate to an inordinate extent. > > Thanks a lot for reading this far. > > Javier J
- Next message: Joe Richards [MVP]: "Re: Anyone know how to Use DSACLS to add perms to Machine account?"
- Previous message: Kenneth Bryant: "Logon Problem"
- In reply to: Javier J: "INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?"
- Next in thread: Javier J: "Re: INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?"
- Reply: Javier J: "Re: INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
