Windows Server 2000 - Group Policy

Posted on 2004-04-03
Last Modified: 2010-04-19
Hi Experts,

I have a problem here with assigning the group policy objects.

From my understanding, GPOs are applied from bottom to top in the Group Policy settings, and GPOs higher in the list will have a higher priority.

I have the following policies.

Group policy A includes password policy, audit policy and user rights policy.

Group policy B includes user desktop policy (for this policy I define that users will not be able to see the Active Directory).

Group policy C defines admins' desktop policy (this policy will allow admins to view the Active Directory).

I created the policies and applied them at the main OU level, which contains four sub-OUs, in the following order:

Group Policy 3
Group Policy 2
Group Policy 1

However, when I test it out, authenticated users are still not restricted by the password policy, and non-admin users are still able to view the AD.

Am I wrong in using the following method? Can someone kindly guide and advise whether I am right or wrong, and how I should implement the policies?

Thanks.
Question by:JYMarc
8 Comments
Assisted Solution

by:infotrader
infotrader earned 100 total points
ID: 10751077
Password policy would only work at the domain level....  See the link below for further explanation:

http://www.softstack.com/security/password-policies.html
Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 100 total points
ID: 10752622
First, you should be using the new GPMC for analysis..  Within this is RSoP (Resultant Set of Policy), which will help in discovering which GPO is being applied...

Enterprise Management with the Group Policy Management Console

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/rspintro.asp

info is correct too..  Passwork policies are configured only at the Domain Level...

FE
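The two points made so far (link order at the OU decides precedence, and password policy only takes effect from the domain root) can be set up and then verified with RSoP from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined admin workstation, a hypothetical OU named "Staff" directly under the domain root, GPOs named "Group Policy A", "Group Policy B" and "Group Policy C" as in the question, and a hypothetical test user CONTOSO\jdoe on a hypothetical workstation WS01. The thread is about Windows 2000, where GPMC was an add-on and these cmdlets did not exist; the same actions are done by hand in GPMC there.

```powershell
# Added example (not from the original thread). Assumed names: OU "Staff",
# GPOs "Group Policy A/B/C", test user CONTOSO\jdoe, test computer WS01.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ou       = "OU=Staff,$domainDn"

# 1. Password, lockout and Kerberos settings are only honoured from a GPO linked
#    at the domain root (or from the Default Domain Policy). Linking "Group Policy A"
#    at an OU has no effect on domain account passwords, which is the symptom in
#    the question. Link it at the root instead.
New-GPLink -Name "Group Policy A" -Target $domainDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# 2. Link the two desktop GPOs at the OU. Link order 1 is processed last and
#    therefore wins on conflicting settings ("higher in the list = higher priority").
New-GPLink -Name "Group Policy B" -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue
New-GPLink -Name "Group Policy C" -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue
Set-GPLink -Name "Group Policy C" -Target $ou -Order 1   # admin desktop policy wins
Set-GPLink -Name "Group Policy B" -Target $ou -Order 2   # user desktop policy

# 3. Show the full precedence list for the OU, including links inherited from
#    the domain, in the order the client will apply them (last one listed wins).
(Get-GPInheritance -Target $ou).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 4. Confirm which password settings are actually in force for the domain.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled

# 5. RSoP for a real user on a real machine. The HTML report lists, per setting,
#    the "winning GPO", which is the fastest way to see why a policy is "not applying".
Get-GPResultantSetOfPolicy -User "CONTOSO\jdoe" -Computer "WS01" `
    -ReportType Html -Path "$env:TEMP\rsop-jdoe.html"
```

Two caveats a practitioner would check before blaming precedence: user-side settings such as a desktop lockdown follow the OU that contains the *user* object, not the computer, so users left in the default Users container never receive an OU-linked GPO; and a client only picks up the change after a refresh (gpupdate /force, or a fresh logon for user settings).
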
Expert Comment

by:Fatal_Exception
ID: 10752645
hmm how did that k get in there..? :)   >>password<<
Accepted Solution

by:steve_newby
steve_newby earned 100 total points
ID: 10773751
I always take Authenticated Users out of the Group Policy security permissions.  Instead I would create security groups for each policy, add these groups to the policy with the "Apply Group Policy" right, and add the users I want the policy to affect to that group. It allows much greater control of who receives the policy.
It is also best practice to set "Deny" for Domain Admins and Enterprise Admins on each policy... do you really want policies applying when you log onto a server???

Steve
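The security-filtering approach steve_newby describes, scripted as an added example (this is not steve_newby's code, and it is not what the thread's Windows 2000 GPMC would have run; the cmdlets are from the later GroupPolicy and ActiveDirectory RSAT modules). It assumes the GPOs "Group Policy B" and "Group Policy C" from the question and two hypothetical global security groups, "GPO-UserDesktop" and "GPO-AdminDesktop", plus hypothetical accounts jdoe and asmith.admin. Set-GPPermission cannot write a Deny ACE, so the "Deny for Domain Admins" step is done by adding the Deny ACE for the Apply-Group-Policy extended right directly to the GPO's AD container; that right's GUID is edacfd8f-ffb3-11d1-b41d-00a0c968f939.

```powershell
# Added example (not from the original thread). Hypothetical group and account names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$filters  = @{
    "Group Policy B" = "GPO-UserDesktop"    # ordinary users: hide AD, lock down desktop
    "Group Policy C" = "GPO-AdminDesktop"   # admins: allowed to browse AD
}

foreach ($gpoName in $filters.Keys) {
    $group = $filters[$gpoName]
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDn"
    }
    # The scoping group gets Read + Apply Group Policy.
    Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Take "Apply" away from Authenticated Users but keep Read. Removing them entirely
    # (PermissionLevel None), as was common in the 2000/2003 era, breaks user policy on
    # clients patched with MS16-072 (2016), because the computer account now has to read
    # user GPOs. -Replace drops the existing level before the new one is set.
    Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

# Membership decides who gets which desktop policy.
Add-ADGroupMember -Identity "GPO-UserDesktop"  -Members "jdoe"
Add-ADGroupMember -Identity "GPO-AdminDesktop" -Members "asmith.admin"

# Deny "Apply Group Policy" to Domain Admins on the user-desktop GPO so an admin
# logging on to a server never receives the lockdown. Deny is evaluated before
# Allow, so this holds even if an admin is also in GPO-UserDesktop.
$gpo      = Get-GPO -Name "Group Policy B"
$gpoDn    = "CN={$($gpo.Id.ToString().ToUpper())},CN=Policies,CN=System,$domainDn"
$applyGpo = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"   # Apply-Group-Policy extended right
$acl      = Get-Acl -Path "AD:\$gpoDn"
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup "Domain Admins").SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpo,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# Review the resulting delegation; the Denied column shows the new ACE.
Get-GPPermission -Name "Group Policy B" -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied, Inherited |
    Format-Table -AutoSize
```

Two checks worth running afterwards: open the GPO's Delegation tab in GPMC, since it flags any mismatch between the AD container ACL and the SYSVOL folder ACL and can repair it; and generate an RSoP report for a Domain Admins member on a server to confirm the Deny actually stops "Group Policy B" from applying.
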
Author Comment

by:JYMarc
ID: 10820716
Thanks experts ;)

Well, I decided to split the points:

1) Thanks to infotrader for informing me that password policy can be set at domain level only. This is important while deciding which policy to apply at which level.

2) Secondly, Fatal_Exception recommended using the new Group Policy Management Console for analysis. I find it useful. Thanks.

3) Last but not least, steve_newby's suggestion is good in the sense that I have greater control in deciding which policy affects which group of users.

But regarding your question, I do not quite understand; I take it that I want the policies to be applied when users log on to a domain.

Regards,
Expert Comment

by:Fatal_Exception
ID: 10822457
Thanks...

FE
Expert Comment

by:steve_newby
ID: 10822595
Hi JYMarc,

Thanks for the points.  But regarding my question, it was more of a rhetorical statement, I simply meant that when an account with admin rights logs on to a server you don't want things like desktop lockdown to apply.
Hope that makes sense.
Regards,

Steve
Expert Comment

by:Fatal_Exception
ID: 10822661
I thought that was what you meant by that, but wanted you to answer, just to make sure..  :)
