Re: SCW question.
- From: "Dan Kyle" <beaker@xxxxxxxxxxxxx>
- Date: Wed, 8 Nov 2006 08:41:02 -0500
Thank you for the response.
The interesting thing is..I have made a small change to the GPO (and deleted
the winlogon.log) and rebooted...the new GPO gets applied..but I still see
the IUSR and IWAM users in the local security policy. THe Winlogon.log shows
the SID for the accounts and shows it as "remove SeNetworkLogonRight, Remove
SeInteractiveLogonRight and Remove SeBatchLogonRight". No where else inthe
Winlogon.log file do I see where it gets added. I must be missing something
obvious here (and apologize if I am) but do not see where these rights are
getting applied.
I am interested in you Administrator+LCLLogin and LCLbatch....but do not
quite understand..can you elaborate? What I have done is created a group on
each of the servers with the same role and named the group the same. That
way when I use the name of the group in the GPO it applies to all the
servers.
Dan
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ebNiGGvAHHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
I think that what you are seeing can be explained by the fact that a GPO
is applied when it has been seen to have changed based on its version
number. Once applied, if defaults for policy application are still in
effect,
then it will not be reapplied until/unless it is seen as changed.
So, when the accounts were added directly in the local policy into the
user rights due to your application of the SCW results, and you are then
concerned that the GPO is not redefining these, this may be the reason.
You could for example make a minor, insignificant change to some
setting in the GPO, and then later reverse this, in order to increase the
version number of the GPO, and you should see the machine later noticing
this and reapplying the GPO.
On another note, your approach of defining a group to use in the GPO
for the user rights is one way that I handle this issue. Basically, where
you have a GPO applying something like these user rights that very often
need to be quite unique per machine, if one lists the actual machine local
accounts (you can do this, you just need to type them in rather than
expecting
to pick them via the user interface) then one ends up with a GPO per
unique
machine. That is not so convenient. Instead, I use such as LclLogin,
LclBatch,
etc. and then set the user right in the GPO to Administrators+LclLogin, or
to
LclBatch, etc. and the one GPO can apply to a number of machines where
each machine defines its own LclLogin, LclBatch etc membership (again, one
needs to type in the group names).
"Dan Kyle" <beaker@xxxxxxxxxxxxx> wrote in message
news:OZlCDhoAHHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
I am noticing some interesting results when using the SCW and Group
Policies combined. I am wondering if someone can enlighten me on the GPO
processing. I am following the Microsoft Windows 2003 security guide and
have a Member server GPO (using Security templates) and below that I have
an OU for an SMS Server (but the question here is more for the IIS
services of the Management point.) I have created a GPO for the SMS and
had issues with the Management point requiring IUSR_COMPUTERNAME and
IWAM_COMPUTERNAME requiring logon locally, Access this computer from the
Network, Log on as a Batch job and such. In the GPO's I created I cannot
add these local computer user accounts to the User Rights assignments
portion. I ended up creating a new SMS GPO which overrode the Member
server settings for those User Rights and set them to not defined. This
worked and the MP work fine. I revisited and created a local group for
the IUSR and IWAM user accoutns and referenced it in the GPO...this
worked and everything was working fine. Then I decided to play with SCW
and see if it had any gains for me.
Here is where I am confused...I ran the SCW wizard and used the XML file
to create a GPO. Prior to applying the GPO I ran the SCW and applied the
Policy to the local computer. Upon reboot I noticed that the local IUSR
and IWAM users were in the appropriate user rights for IIS to function. I
rebooted again and lo and behold there they were again. Now I ran RSOP
and they do not show up in there (obviously..since they are not
referenced in the GPO that is being applied to the Computer).
SO my question is...where are these settings coming from? If they reside
in the local policy...why aren't they overwritten by the OU GPO which has
different settings? I understood that the Local policy will be
overwritten by an AD policy. It seems that the AD Policy is used bu the
IUSR and IWAM users are added to the specific rights. I am just trying to
find out why and where this setting and functionality resides on the
local Computer.
I hope I have explained with enough detail..if not..I will check back and
provide any information required. It is great that the SCW provided me
what I needed...but I need to understand why so I can document it.
Dan
.
- Follow-Ups:
- Re: SCW question.
- From: Roger Abell [MVP]
- Re: SCW question.
- References:
- SCW question.
- From: Dan Kyle
- Re: SCW question.
- From: Roger Abell [MVP]
- SCW question.
- Prev by Date: Re: Encrypted Files - Access Denied
- Next by Date: Re: GPO for trusted root CA certs
- Previous by thread: Re: SCW question.
- Next by thread: Re: SCW question.
- Index(es):
Relevant Pages
|
|
