Re: SCW question.

I think that what you are seeing can be explained by the fact that a GPO
is applied when it has been seen to have changed based on its version
number. Once applied, if defaults for policy application are still in
effect,
then it will not be reapplied until/unless it is seen as changed.
So, when the accounts were added directly in the local policy into the
user rights due to your application of the SCW results, and you are then
concerned that the GPO is not redefining these, this may be the reason.
You could for example make a minor, insignificant change to some
setting in the GPO, and then later reverse this, in order to increase the
version number of the GPO, and you should see the machine later noticing
this and reapplying the GPO.

On another note, your approach of defining a group to use in the GPO
for the user rights is one way that I handle this issue. Basically, where
you have a GPO applying something like these user rights that very often
need to be quite unique per machine, if one lists the actual machine local
accounts (you can do this, you just need to type them in rather than
expecting
to pick them via the user interface) then one ends up with a GPO per unique
machine. That is not so convenient. Instead, I use such as LclLogin,
LclBatch,
etc. and then set the user right in the GPO to Administrators+LclLogin, or
to
LclBatch, etc. and the one GPO can apply to a number of machines where
each machine defines its own LclLogin, LclBatch etc membership (again, one
needs to type in the group names).


"Dan Kyle" <beaker@xxxxxxxxxxxxx> wrote in message
news:OZlCDhoAHHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

I am noticing some interesting results when using the SCW and Group
Policies combined. I am wondering if someone can enlighten me on the GPO
processing. I am following the Microsoft Windows 2003 security guide and
have a Member server GPO (using Security templates) and below that I have
an OU for an SMS Server (but the question here is more for the IIS
services of the Management point.) I have created a GPO for the SMS and
had issues with the Management point requiring IUSR_COMPUTERNAME and
IWAM_COMPUTERNAME requiring logon locally, Access this computer from the
Network, Log on as a Batch job and such. In the GPO's I created I cannot
add these local computer user accounts to the User Rights assignments
portion. I ended up creating a new SMS GPO which overrode the Member
server settings for those User Rights and set them to not defined. This
worked and the MP work fine. I revisited and created a local group for the
IUSR and IWAM user accoutns and referenced it in the GPO...this worked and
everything was working fine. Then I decided to play with SCW and see if it
had any gains for me.

Here is where I am confused...I ran the SCW wizard and used the XML file
to create a GPO. Prior to applying the GPO I ran the SCW and applied the
Policy to the local computer. Upon reboot I noticed that the local IUSR
and IWAM users were in the appropriate user rights for IIS to function. I
rebooted again and lo and behold there they were again. Now I ran RSOP and
they do not show up in there (obviously..since they are not referenced in
the GPO that is being applied to the Computer).

SO my question is...where are these settings coming from? If they reside
in the local policy...why aren't they overwritten by the OU GPO which has
different settings? I understood that the Local policy will be overwritten
by an AD policy. It seems that the AD Policy is used bu the IUSR and IWAM
users are added to the specific rights. I am just trying to find out why
and where this setting and functionality resides on the local Computer.

I hope I have explained with enough detail..if not..I will check back and
provide any information required. It is great that the SCW provided me
what I needed...but I need to understand why so I can document it.

Dan



.

Relevant Pages

  • SCW question.
    ... I am noticing some interesting results when using the SCW and Group Policies ... I am wondering if someone can enlighten me on the GPO processing. ... In the GPO's I created I cannot add these local computer user accounts ... Prior to applying the GPO I ran the SCW and applied the Policy ...
    (microsoft.public.windows.server.security)
  • Re: SCW question.
    ... That gives a "middle ground" stance, where GPO does ... does also (I do not use Iusr_/Iwam_ but always define custom accounts). ... not populated into the minimum required user rights upon startup if needed. ... still see the IUSR and IWAM users in the local security policy. ...
    (microsoft.public.windows.server.security)
  • Re: SCW question.
    ... The interesting thing is..I have made a small change to the GPO (and deleted ... the IUSR and IWAM users in the local security policy. ... for the user rights is one way that I handle this issue. ...
    (microsoft.public.windows.server.security)
  • Re: Default Domain Controller GPO Question
    ... DC policy, rather than hoping that the new one doesn't screw up something. ... But, to answer your question, the best way would be to link a new GPO to the ... In terms of conflicting settings, ... > admins added numerous users/groups to certain user rights policies). ...
    (microsoft.public.win2000.group_policy)
  • Default Domain Controller GPO Question
    ... The "Default Domain Controller Policy" for my ... production AD has been modified numerous times (just the user rights ... We would like to link a newly created DC Security policy.inf file via a GPO ... admins added numerous users/groups to certain user rights policies). ...
    (microsoft.public.win2000.group_policy)