Solved

Windows Server 2003 Group Policy - Security Settings, Restricted Groups and File System

Posted on 2009-05-16
6
904 Views
Last Modified: 2012-06-21
OK, couple issues but both related to group policy. First let me start by saying I FINALLY did what should have been done a long time ago and tightened up security at the workstations. I am ashamed to admit it, but all users were local admins.

Anyway, I have an application that dynamically updates a file that the developer put in of all places the WINDOWS folder (%SYSTEMROOT%). I want to allow users to be able to have write privileges - otherwise obviously this app will not work and unfortunately it's a critical app.

Second, I want a very small subset of people to have admin (power users preferrably) right to all of my workstations to assist with software installs.

So here is the problem - I used a GPO to apply the %SYSTEMROOT% write access to users via FILE SYSTEM part of the policy (I just chose Domian Users - not sure if that's a good choice but it was all inclusive). I also created a security group and added the few "privileged users" to it and then used the RESTRICTED GROUPS policy setting to let this new group and DOMAIN ADMINS have rights to the LOCAL ADMINS group on my workstations.

The problem I have is that these security settings (like password settings) can only be applied through the default domain policy. This policy, of course, applies to every computer in the domain - servers too - and I obviously don't want all users to have write access to the SYTEMROOT directory on my servers, nor do I want the 5 people in that group to be admins on my servers!!!

Is there a better way to do this in an "automated" manner or am I just SOL and will have to visit each workstation. We're only talking 40 computers, but I'm still waiting for all these Microsoft classes to pay off here!!!! Any help would be appreciated.
0
Comment
Question by:djerryanderson
6 Comments
 
LVL 5

Expert Comment

by:qf3l3k
Comment Utility
I think that best way to select subset of computers to apply GPO on them will be GPO filtering.

You have two options here:
- permissions way
- WMI filtering way

Permissions way - you can remove all not required groups from accessing GPO and allow Read and Apply Group policy permissions only to security group which you will create and add all all computers which have to get particular GPO applied.
 
WMI filtering way - you can define WMI filter which will select particular parameter from computer and based on that will decide if particular GPO will be applied or not. This parameter might be computer name, service pack level, amount of memory, etc... (all parameters you can have from WMI).
 
If you need more details check this locations:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx
 
Hope that helps a bit.
0
 
LVL 82

Expert Comment

by:oBdA
Comment Utility
Neither the "Restricted Groups" nor the "File System" have to be applied through the Default Domain Policy.
Microsoft explicitly says to NOT actively use the Default Domain Policy, and use dedicated GPOs instead.
In fact, not even the Domain Password Policy in a W2k3 AD has to be configured in the DDP; it just has to be configured in a GPO linked to the domain root, and apply to the DCs.
That said: create an OU "Workstations" or whatever (the default "Computers" you see in AD is a container, not an OU, and GPOs can only be linked to OUs), and move the workstations into this OU.
Create a GPO linked this OU in which you configure the restricted groups and the file system. Try if it's enough to give users Change permissions on this file itself, and not on %Systemroot%. If that doesn't work, check if there's a replacement for that application, or if you can get the developers of that thing to move their application file out of a system folder, where it has nothing lost at all.
If you have to give them write access to the full %Systemroot% folder, at least create a separate domain local group, give permissions to this group, add a dedicated global application group to which you add all users of this application.
0
 
LVL 1

Author Comment

by:djerryanderson
Comment Utility
oDbA - I have tried what you said. That's the way I did it to begin with. Workstations are in a separate OU. I created a GPO with the appropriate settings and linked it to that OU. It didn't work. If I am not mistaken, the only way any settings actually apply that are part of the COMPUTER CONFIGURATION\SECURITY SETTINGS\WINDOWS SETTINGS is if it's part of the DDP (or possibly another GPO applied at the domain level. Again, I did that excat arrangemetn - and the policy was completely ignored. At first I thought it was perhaps a firewall issue that may have been blocking GPO application. I ran the RSOP like 10 times and all other policies were applying (they had settings not in above location). It then dawned on me that password policies are part of that same subset and I took a chance and moved the settings to the DDP and it worked.

gf3l3k - If these settings can only be applied via the DDP, then WMI filtering or altering premissions would not be a good idea either. Then my DDP would not apply the "filtered" computers.

I guess what I am asking is - "is there any other way around this"? Maybe I am incorrect about the DDP thing, but these settings sure won't apply using a new GPO linked directly to the OU where the PCs are located.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 1

Expert Comment

by:mcannet
Comment Utility
djerryanderson - how do you know the policies are being ignored?  Have you run gpresult on the workstations that the policies are supposed to be applied to to see if the policy is in fact getting down to the workstation or not?  Let me know the result of the gpresult.  Also, is the authenticated users group have read permissions for the GPO(s) you are creating?
0
 
LVL 82

Accepted Solution

by:
oBdA earned 500 total points
Comment Utility
You definitely are incorrect about this. I've configured I don't know how many settings in computer configuration and applied them to machines in different OUs.
Create a completely new OU under the domain root, apply a computer configuration policy to it, move a test machine into that OU, run "gpupdate /target:computer /force" on that machine, and the policy *will* apply.
If the workstations are already in a different OU, you might want to check if maybe inheritance is blocked for that OU, and whether the DDP is enforced.
But I promise you that you can apply computer configuration settings to machines in an OU.
0
 
LVL 1

Author Comment

by:djerryanderson
Comment Utility
oBdA - well, I guess it just took a while to shake things loose. I SWEAR that I tried the GPO applied at the downlevel OU and it was not working. I used gpupdate, and gpupdate /force as well. I then check it a couple days later and the GPO is applying just fine. I somtimes think that my netowrk is possed and this is just designed to make my blood pressure go higher...
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now