Re: SCW question.



What you describe that you have done with a uniformly named local group
on each machine, which same group is named in the GPO, is precisely what
I was also outlining. That gives a "middle ground" stance, where GPO does
(somewhat) control the user right, but where per-machine uniqueness is also
possible via the per-machine membership in the uniformly named local group.

As to the Iusr_ and Iwam_ I would need to check for your version W2k3/IIS6,
but I know that W2k/IIS5 had the following behavior, and I think W2k3/IIS6
does also (I do not use Iusr_/Iwam_ but always define custom accounts).
The behavior that I know was so in IIS 5 is that on startup the IIS binaries
verify that the accounts have the needed user rights if and only if the
accounts are the default Iusr_machine and Iwam_machine; but if custom
accounts are used for the anonymous browse or the IIS COM isolation
components, these are not populated into the minimum required user rights
upon startup if needed. Again, I would have to check if the behavior
remains, but it would explain what you see.


"Dan Kyle" <beaker@xxxxxxxxxxxxx> wrote in message
news:%23X%23DLuzAHHA.2328@xxxxxxxxxxxxxxxxxxxxxxx
Thank you for the response.

The interesting thing is..I have made a small change to the GPO (and
deleted the winlogon.log) and rebooted...the new GPO gets applied..but I
still see the IUSR and IWAM users in the local security policy. The
Winlogon.log shows the SID for the accounts and shows it as "remove
SeNetworkLogonRight, Remove SeInteractiveLogonRight and Remove
SeBatchLogonRight". Nowhere else in the Winlogon.log file do I see where
it gets added. I must be missing something obvious here (and apologize if
I am) but do not see where these rights are getting applied.

I am interested in your Administrators+LclLogin and LclBatch....but do not
quite understand..can you elaborate? What I have done is created a group
on each of the servers with the same role and named the group the same.
That way when I use the name of the group in the GPO it applies to all the
servers.

Dan


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ebNiGGvAHHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
I think that what you are seeing can be explained by the fact that a GPO
is applied when it has been seen to have changed based on its version
number. Once applied, if defaults for policy application are still in
effect, then it will not be reapplied until/unless it is seen as changed.
So, when the accounts were added directly in the local policy into the
user rights due to your application of the SCW results, and you are then
concerned that the GPO is not redefining these, this may be the reason.
You could for example make a minor, insignificant change to some
setting in the GPO, and then later reverse this, in order to increase the
version number of the GPO, and you should see the machine later noticing
this and reapplying the GPO.

On another note, your approach of defining a group to use in the GPO
for the user rights is one way that I handle this issue. Basically, where
you have a GPO applying something like these user rights that very often
need to be quite unique per machine, if one lists the actual machine local
accounts (you can do this, you just need to type them in rather than
expecting to pick them via the user interface) then one ends up with a GPO
per unique machine. That is not so convenient. Instead, I use groups such
as LclLogin, LclBatch, etc. and then set the user right in the GPO to
Administrators+LclLogin, or to LclBatch, etc. and the one GPO can apply to
a number of machines where each machine defines its own LclLogin, LclBatch
etc. membership (again, one needs to type in the group names).


"Dan Kyle" <beaker@xxxxxxxxxxxxx> wrote in message
news:OZlCDhoAHHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

I am noticing some interesting results when using the SCW and Group
Policies combined. I am wondering if someone can enlighten me on the GPO
processing. I am following the Microsoft Windows 2003 security guide and
have a Member server GPO (using Security templates) and below that I
have an OU for an SMS Server (but the question here is more for the IIS
services of the Management point.) I have created a GPO for the SMS and
had issues with the Management point requiring IUSR_COMPUTERNAME and
IWAM_COMPUTERNAME requiring logon locally, Access this computer from the
Network, Log on as a Batch job and such. In the GPOs I created I cannot
add these local computer user accounts to the User Rights assignments
portion. I ended up creating a new SMS GPO which overrode the Member
server settings for those User Rights and set them to not defined. This
worked and the MP works fine. I revisited and created a local group for
the IUSR and IWAM user accounts and referenced it in the GPO...this
worked and everything was working fine. Then I decided to play with SCW
and see if it had any gains for me.

Here is where I am confused...I ran the SCW wizard and used the XML file
to create a GPO. Prior to applying the GPO I ran the SCW and applied the
Policy to the local computer. Upon reboot I noticed that the local IUSR
and IWAM users were in the appropriate user rights for IIS to function.
I rebooted again and lo and behold there they were again. Now I ran RSOP
and they do not show up in there (obviously..since they are not
referenced in the GPO that is being applied to the Computer).

So my question is...where are these settings coming from? If they reside
in the local policy...why aren't they overwritten by the OU GPO which
has different settings? I understood that the Local policy will be
overwritten by an AD policy. It seems that the AD Policy is used but the
IUSR and IWAM users are added to the specific rights. I am just trying
to find out why and where this setting and functionality resides on the
local Computer.

I hope I have explained with enough detail..if not..I will check back
and provide any information required. It is great that the SCW provided
me what I needed...but I need to understand why so I can document it.

Dan
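
The script below is an added example, not code posted by anyone in this
thread. It puts Roger's LclLogin/LclBatch indirection and Dan's "where are
these rights coming from?" question into something you can run on the member
server: it creates the uniformly named local groups and fills them with this
machine's IUSR_/IWAM_ accounts, then exports the machine's effective local
security database with secedit and compares the holders of the IIS-related
user rights against what the GPO's own template (GptTmpl.inf in SYSVOL) lists.
Anything reported as "extra" is granted locally but not by the GPO, which is
exactly what an SCW run or an IIS self-repair of the default accounts would
leave behind. Assumptions: the group names LclLogin/LclBatch, the default
IUSR_/IWAM_ accounts, Windows Server 2003 with PowerShell 2.0, an
administrative session, and a hypothetical SYSVOL path for $GptTmplPath.

```powershell
# Added example (not from the thread). Assumes: local groups LclLogin/LclBatch,
# this machine's default IUSR_/IWAM_ accounts, Windows Server 2003 + PowerShell 2.0,
# run as a local administrator. $GptTmplPath is a hypothetical SYSVOL path.
param(
    # e.g. \\domain\SYSVOL\domain\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
    [string]$GptTmplPath = ""
)

$IisAccounts = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME")

# What the one shared GPO is expected to grant, by uniformly named group (assumed layout).
$ExpectedHolders = @{
    'SeNetworkLogonRight'     = @('Administrators', 'LclLogin')
    'SeInteractiveLogonRight' = @('Administrators', 'LclLogin')
    'SeBatchLogonRight'       = @('LclBatch')
}

function Ensure-LocalGroup([string]$Name, [string[]]$Members) {
    # Create the group if it does not exist, then add each member (no-op if already present).
    net localgroup $Name 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { net localgroup $Name /add | Out-Null }
    foreach ($m in $Members) { net localgroup $Name $m /add 2>&1 | Out-Null }
}

function Get-PrivilegeRights([string]$InfPath) {
    # Parse the [Privilege Rights] section of a security template or secedit export.
    # Lines look like:  SeBatchLogonRight = *S-1-5-32-544,LclBatch
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $InfPath) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Get-LocalPrivilegeRights {
    # Export the machine's *effective* local security database, not the GPO.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try { return Get-PrivilegeRights $cfg }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

function Resolve-Sid([string]$Entry) {
    # '*S-1-5-...' is already a SID; a bare name is resolved on this machine,
    # or kept as typed when it cannot be (as a typed-in group name in a GPO would be).
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Entry)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $Entry }
}

function Compare-RightHolders([hashtable]$Local, [string]$Privilege, [string[]]$Expected) {
    $have = @(@($Local[$Privilege]) | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ })
    $want = @($Expected            | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ })
    New-Object PSObject -Property @{
        Privilege = $Privilege
        Missing   = @($want | Where-Object { $have -notcontains $_ })  # expected, but not granted locally
        Extra     = @($have | Where-Object { $want -notcontains $_ })  # granted locally, not by the GPO
    }
}

# (1) Per-machine indirection: the GPO names LclLogin/LclBatch; each server fills them itself.
Ensure-LocalGroup 'LclLogin' $IisAccounts
Ensure-LocalGroup 'LclBatch' $IisAccounts

# (2) Compare the effective local rights with the GPO template (or the assumed layout above).
$local = Get-LocalPrivilegeRights
$template = if ($GptTmplPath -and (Test-Path $GptTmplPath)) { Get-PrivilegeRights $GptTmplPath } else { $null }
foreach ($priv in $ExpectedHolders.Keys) {
    $expected = if ($template -and $template.ContainsKey($priv)) { $template[$priv] } else { $ExpectedHolders[$priv] }
    $r = Compare-RightHolders $local $priv $expected
    "{0}: missing=[{1}] extra=[{2}]" -f $r.Privilege, ($r.Missing -join ','), ($r.Extra -join ',')
}
```

If the "extra" column shows the raw IUSR_/IWAM_ SIDs rather than the LclLogin
or LclBatch group, the rights were written into the local database outside the
GPO. Run `gpupdate /force` (on Windows Server 2003) to reapply the GPO
regardless of its version number, then run the script again; if the entries
survive a reapplication and a reboot, something on the machine is putting
them back.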