Solved

Deploying a security template and GPOs

Posted on 2006-06-01
Medium Priority
423 Views
Last Modified: 2013-12-04
I'm locking down WinXP, and I've created a security template. I also created GPOs. I'd like to know how to export these and deploy them on other machines.

This is what I have:

In my MMC I have 2 snap-ins added:

- Security config and analysis
- Local Computer Policy

After I set these I'm not sure how to export this and re-deploy it on other machines.

ALSO, is there a way of applying these settings w/o affecting the local ADMINISTRATOR account? OR is there a way I can apply a reverse of the template and changes JUST on the admin account?
Question by:lgropper
9 Comments
 
LVL 13

Accepted Solution

by:
Kini pradeep earned 1000 total points
ID: 16808850
http://support.microsoft.com/kb/323639
This article also discusses loading custom templates.
0
 
LVL 12

Assisted Solution

by:gidds99
gidds99 earned 1000 total points
ID: 16809232
To prevent a policy applying to the administrator account I normally use NTFS permissions to Deny the administrator access to the directory

%windir%/system32/group policy

This prevents the policy applying to the administrator account.

I find it helpful to create a second admin account when doing this as you need an admin account that can read the directory to allow you to edit your policy. (This is only necessary on the 1st machine.)

To deploy it to multiple machines you can copy the folder %windir%/system32/group policy and overwrite the existing directory on the target machine.  Or you can import the policy as described above.

If you are deploying this to many machines which are members of a domain (you have a windows server) you might consider deploying this at the domain level as this allows you to deploy the policy to many machines automatically.

Hope this helps.
0
 
LVL 12

Expert Comment

by:gidds99
ID: 16809238
Also, the link provided by kprad does not advise how to prevent policies applying to the administrator account.
0

 

Author Comment

by:lgropper
ID: 16810098
Can you provide me with the link?
0
 

Author Comment

by:lgropper
ID: 16810392
To add to the previous reply: these computers are not on a domain, so I will be deploying all this remotely.
0
 
LVL 12

Expert Comment

by:gidds99
ID: 16810485
The link I referred to is the one above.

If you mean a link to what I have described then here is the only one I can find:

http://www.jsifaq.com/SUBE/Tip2400/rh2492.htm

It is not very detailed but it is fairly straightforward.

1 - Create a second admin account so you can still access the policy editor after denying access to administrator in step 2

2 - Deny read access to administrator for folder c:\windows\system32\group policy\ (or for the .pol file indicated in the link).

To deploy this on more machines you have to export and import the policy as described above in the link described by kprad, or you can copy the folder c:\windows\system32\group policy\ from the original machine and overwrite/replace the same folder on each target machine.
0
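The deployment steps discussed in this thread, collected into one script for a standalone (non-domain) XP machine. This is an added example, not part of any poster's reply. Assumed names that do not come from the thread: the template file `hardening.inf`, the database and log file names, a copy of the reference machine's policy folder placed next to the script, and the default folder name `%windir%\system32\GroupPolicy`.

```batch
@echo off
rem Added example (not from the thread). Run it as the second admin account,
rem not as the built-in Administrator, because step 4 locks that account out.
setlocal
rem Assumed layout: this script, hardening.inf and a copy of the reference
rem machine's GroupPolicy folder all sit in the same directory.
set SRC=%~dp0
set INF=%SRC%hardening.inf
set GPDIR=%windir%\system32\GroupPolicy
set SDB=%windir%\security\database\hardening.sdb
set LOG=%windir%\security\logs\hardening.log

if not exist "%INF%" (
    echo Template "%INF%" not found.
    exit /b 1
)
if not exist "%SRC%GroupPolicy" (
    echo No GroupPolicy folder found next to this script.
    exit /b 1
)

rem 1. Record the current security settings before changing anything.
secedit /export /cfg "%windir%\security\before-hardening.inf" /quiet

rem 2. Apply the security template. /overwrite clears the named database
rem    first so settings from an earlier run do not merge in.
secedit /configure /db "%SDB%" /cfg "%INF%" /overwrite /quiet /log "%LOG%"
if errorlevel 1 echo secedit returned a non-zero exit code, review "%LOG%".

rem 3. Replace the local policy folder with the reference copy.
rem    /H is required because the folder and its files are hidden.
xcopy "%SRC%GroupPolicy" "%GPDIR%" /E /H /K /R /Y /I >nul
if errorlevel 1 (
    echo Copying the policy folder failed.
    exit /b 1
)

rem 4. Deny the built-in Administrator access to the policy folder.
rem    cacls /D denies all access, which is broader than a read-only deny;
rem    /E edits the existing ACL instead of replacing it.
cacls "%GPDIR%" /T /E /D Administrator

rem 5. Refresh policy so the copied settings take effect.
gpupdate /force
endlocal
```

If the built-in Administrator account has been renamed, step 4 needs the new account name. Keep the second admin account until the result has been checked on the target, since it is the only admin that can still read the policy folder.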
 
LVL 12

Expert Comment

by:gidds99
ID: 16810511
It can be difficult to do this remotely (unless you have RDP access) as Windows was not designed to deploy policies remotely outwith an Active Directory configuration.
0
 

Author Comment

by:lgropper
ID: 16818680
Alright, but after you deny ADMINISTRATOR read rights and create another admin account to make the changes, can you delete the second account and give the administrator access to change the rights?


Also, I read somewhere (unfortunately I didn't save a copy) that you can set all the settings in GPEDIT, make a copy of the REGISTRY.POL file, log off as admin and log in as the user so the policy takes effect. Log back in, go into GPEDIT as admin and remove all the settings, then copy the registry.pol over and the admin account wouldn't be affected.

I can't remember the exact steps but I know this worked when I was playing with it a month ago, and now I'm not sure how/what order to do this in to make it work.

(I hope this makes sense)
0
 
LVL 12

Expert Comment

by:gidds99
ID: 16819910
Yes you can delete the second admin account.

I am unclear about the registry.pol method.  The NTFS method I described is the only one I have used.  As far as I was aware this was the only method to prevent a local policy applying to all local accounts.

Hope this helps.
0
