Solved

Windows Server 2003 Group Policy - Security Settings, Restricted Groups and File System

Posted on 2009-05-16
6
906 Views
Last Modified: 2012-06-21
OK, couple issues but both related to group policy. First let me start by saying I FINALLY did what should have been done a long time ago and tightened up security at the workstations. I am ashamed to admit it, but all users were local admins.

Anyway, I have an application that dynamically updates a file that the developer put in of all places the WINDOWS folder (%SYSTEMROOT%). I want to allow users to be able to have write privileges - otherwise obviously this app will not work and unfortunately it's a critical app.

Second, I want a very small subset of people to have admin (power users preferrably) right to all of my workstations to assist with software installs.

So here is the problem - I used a GPO to apply the %SYSTEMROOT% write access to users via FILE SYSTEM part of the policy (I just chose Domian Users - not sure if that's a good choice but it was all inclusive). I also created a security group and added the few "privileged users" to it and then used the RESTRICTED GROUPS policy setting to let this new group and DOMAIN ADMINS have rights to the LOCAL ADMINS group on my workstations.

The problem I have is that these security settings (like password settings) can only be applied through the default domain policy. This policy, of course, applies to every computer in the domain - servers too - and I obviously don't want all users to have write access to the SYTEMROOT directory on my servers, nor do I want the 5 people in that group to be admins on my servers!!!

Is there a better way to do this in an "automated" manner or am I just SOL and will have to visit each workstation. We're only talking 40 computers, but I'm still waiting for all these Microsoft classes to pay off here!!!! Any help would be appreciated.
0
Comment
Question by:djerryanderson
6 Comments
 
LVL 5

Expert Comment

by:qf3l3k
ID: 24405427
I think that best way to select subset of computers to apply GPO on them will be GPO filtering.

You have two options here:
- permissions way
- WMI filtering way

Permissions way - you can remove all not required groups from accessing GPO and allow Read and Apply Group policy permissions only to security group which you will create and add all all computers which have to get particular GPO applied.
 
WMI filtering way - you can define WMI filter which will select particular parameter from computer and based on that will decide if particular GPO will be applied or not. This parameter might be computer name, service pack level, amount of memory, etc... (all parameters you can have from WMI).
 
If you need more details check this locations:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx
 
Hope that helps a bit.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24406033
Neither the "Restricted Groups" nor the "File System" have to be applied through the Default Domain Policy.
Microsoft explicitly says to NOT actively use the Default Domain Policy, and use dedicated GPOs instead.
In fact, not even the Domain Password Policy in a W2k3 AD has to be configured in the DDP; it just has to be configured in a GPO linked to the domain root, and apply to the DCs.
That said: create an OU "Workstations" or whatever (the default "Computers" you see in AD is a container, not an OU, and GPOs can only be linked to OUs), and move the workstations into this OU.
Create a GPO linked this OU in which you configure the restricted groups and the file system. Try if it's enough to give users Change permissions on this file itself, and not on %Systemroot%. If that doesn't work, check if there's a replacement for that application, or if you can get the developers of that thing to move their application file out of a system folder, where it has nothing lost at all.
If you have to give them write access to the full %Systemroot% folder, at least create a separate domain local group, give permissions to this group, add a dedicated global application group to which you add all users of this application.
0
 
LVL 1

Author Comment

by:djerryanderson
ID: 24407728
oDbA - I have tried what you said. That's the way I did it to begin with. Workstations are in a separate OU. I created a GPO with the appropriate settings and linked it to that OU. It didn't work. If I am not mistaken, the only way any settings actually apply that are part of the COMPUTER CONFIGURATION\SECURITY SETTINGS\WINDOWS SETTINGS is if it's part of the DDP (or possibly another GPO applied at the domain level. Again, I did that excat arrangemetn - and the policy was completely ignored. At first I thought it was perhaps a firewall issue that may have been blocking GPO application. I ran the RSOP like 10 times and all other policies were applying (they had settings not in above location). It then dawned on me that password policies are part of that same subset and I took a chance and moved the settings to the DDP and it worked.

gf3l3k - If these settings can only be applied via the DDP, then WMI filtering or altering premissions would not be a good idea either. Then my DDP would not apply the "filtered" computers.

I guess what I am asking is - "is there any other way around this"? Maybe I am incorrect about the DDP thing, but these settings sure won't apply using a new GPO linked directly to the OU where the PCs are located.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 1

Expert Comment

by:mcannet
ID: 24407821
djerryanderson - how do you know the policies are being ignored?  Have you run gpresult on the workstations that the policies are supposed to be applied to to see if the policy is in fact getting down to the workstation or not?  Let me know the result of the gpresult.  Also, is the authenticated users group have read permissions for the GPO(s) you are creating?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 24408055
You definitely are incorrect about this. I've configured I don't know how many settings in computer configuration and applied them to machines in different OUs.
Create a completely new OU under the domain root, apply a computer configuration policy to it, move a test machine into that OU, run "gpupdate /target:computer /force" on that machine, and the policy *will* apply.
If the workstations are already in a different OU, you might want to check if maybe inheritance is blocked for that OU, and whether the DDP is enforced.
But I promise you that you can apply computer configuration settings to machines in an OU.
0
 
LVL 1

Author Comment

by:djerryanderson
ID: 24441975
oBdA - well, I guess it just took a while to shake things loose. I SWEAR that I tried the GPO applied at the downlevel OU and it was not working. I used gpupdate, and gpupdate /force as well. I then check it a couple days later and the GPO is applying just fine. I somtimes think that my netowrk is possed and this is just designed to make my blood pressure go higher...
0

Featured Post

[Webinar] Disaster Recovery and Cloud Management

Learn from Unigma and CloudBerry industry veterans which providers are best for certain use cases and how to lower cloud costs, how to grow your Managed Services practice in IaaS clouds, and how to utilize public cloud for Disaster Recovery

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Should I disable IPv6 if using Windows Server 2003 and 2008 DNS servers 7 69
Problem with Active Directory 16 103
Server Login Issue 4 50
Group Policy & Netlogin Services 5 42
Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now