SCW question.
- From: "Dan Kyle" <beaker@xxxxxxxxxxxxx>
- Date: Tue, 7 Nov 2006 11:17:43 -0500
Hello,
I am noticing some interesting results when using the SCW and Group Policies
combined. I am wondering if someone can enlighten me on the GPO processing.
I am following the Microsoft Windows 2003 security guide and have a Member
server GPO (using Security templates) and below that I have an OU for an SMS
Server (but the question here is more for the IIS services of the Management
point.) I have created a GPO for the SMS and had issues with the Management
point requiring IUSR_COMPUTERNAME and IWAM_COMPUTERNAME requiring logon
locally, Access this computer from the Network, Log on as a Batch job and
such. In the GPOs I created I cannot add these local computer user accounts
to the User Rights assignments portion. I ended up creating a new SMS GPO
which overrode the Member server settings for those User Rights and set them
to not defined. This worked and the MP works fine. I revisited and created a
local group for the IUSR and IWAM user accounts and referenced it in the
GPO...this worked and everything was working fine. Then I decided to play
with SCW and see if it had any gains for me.
Here is where I am confused...I ran the SCW wizard and used the XML file to
create a GPO. Prior to applying the GPO I ran the SCW and applied the Policy
to the local computer. Upon reboot I noticed that the local IUSR and IWAM
users were in the appropriate user rights for IIS to function. I rebooted
again and lo and behold there they were again. Now I ran RSOP and they do
not show up in there (obviously..since they are not referenced in the GPO
that is being applied to the Computer).
So my question is...where are these settings coming from? If they reside in
the local policy...why aren't they overwritten by the OU GPO which has
different settings? I understood that the Local policy will be overwritten
by an AD policy. It seems that the AD Policy is used but the IUSR and IWAM
users are added to the specific rights. I am just trying to find out why and
where this setting and functionality resides on the local Computer.
I hope I have explained with enough detail..if not..I will check back and
provide any information required. It is great that the SCW provided me what
I needed...but I need to understand why so I can document it.
Dan