Windows Server 2003 Group Policy - Security Settings, Restricted Groups and File System

Posted on 2009-05-16
Medium Priority
Last Modified: 2012-06-21
OK, couple issues but both related to group policy. First let me start by saying I FINALLY did what should have been done a long time ago and tightened up security at the workstations. I am ashamed to admit it, but all users were local admins.

Anyway, I have an application that dynamically updates a file that the developer put in of all places the WINDOWS folder (%SYSTEMROOT%). I want to allow users to be able to have write privileges - otherwise obviously this app will not work and unfortunately it's a critical app.

Second, I want a very small subset of people to have admin (power users preferrably) right to all of my workstations to assist with software installs.

So here is the problem - I used a GPO to apply the %SYSTEMROOT% write access to users via FILE SYSTEM part of the policy (I just chose Domian Users - not sure if that's a good choice but it was all inclusive). I also created a security group and added the few "privileged users" to it and then used the RESTRICTED GROUPS policy setting to let this new group and DOMAIN ADMINS have rights to the LOCAL ADMINS group on my workstations.

The problem I have is that these security settings (like password settings) can only be applied through the default domain policy. This policy, of course, applies to every computer in the domain - servers too - and I obviously don't want all users to have write access to the SYTEMROOT directory on my servers, nor do I want the 5 people in that group to be admins on my servers!!!

Is there a better way to do this in an "automated" manner or am I just SOL and will have to visit each workstation. We're only talking 40 computers, but I'm still waiting for all these Microsoft classes to pay off here!!!! Any help would be appreciated.
Question by:djerryanderson

Expert Comment

ID: 24405427
I think that best way to select subset of computers to apply GPO on them will be GPO filtering.

You have two options here:
- permissions way
- WMI filtering way

Permissions way - you can remove all not required groups from accessing GPO and allow Read and Apply Group policy permissions only to security group which you will create and add all all computers which have to get particular GPO applied.
WMI filtering way - you can define WMI filter which will select particular parameter from computer and based on that will decide if particular GPO will be applied or not. This parameter might be computer name, service pack level, amount of memory, etc... (all parameters you can have from WMI).
If you need more details check this locations:
Hope that helps a bit.
LVL 85

Expert Comment

ID: 24406033
Neither the "Restricted Groups" nor the "File System" have to be applied through the Default Domain Policy.
Microsoft explicitly says to NOT actively use the Default Domain Policy, and use dedicated GPOs instead.
In fact, not even the Domain Password Policy in a W2k3 AD has to be configured in the DDP; it just has to be configured in a GPO linked to the domain root, and apply to the DCs.
That said: create an OU "Workstations" or whatever (the default "Computers" you see in AD is a container, not an OU, and GPOs can only be linked to OUs), and move the workstations into this OU.
Create a GPO linked this OU in which you configure the restricted groups and the file system. Try if it's enough to give users Change permissions on this file itself, and not on %Systemroot%. If that doesn't work, check if there's a replacement for that application, or if you can get the developers of that thing to move their application file out of a system folder, where it has nothing lost at all.
If you have to give them write access to the full %Systemroot% folder, at least create a separate domain local group, give permissions to this group, add a dedicated global application group to which you add all users of this application.

Author Comment

ID: 24407728
oDbA - I have tried what you said. That's the way I did it to begin with. Workstations are in a separate OU. I created a GPO with the appropriate settings and linked it to that OU. It didn't work. If I am not mistaken, the only way any settings actually apply that are part of the COMPUTER CONFIGURATION\SECURITY SETTINGS\WINDOWS SETTINGS is if it's part of the DDP (or possibly another GPO applied at the domain level. Again, I did that excat arrangemetn - and the policy was completely ignored. At first I thought it was perhaps a firewall issue that may have been blocking GPO application. I ran the RSOP like 10 times and all other policies were applying (they had settings not in above location). It then dawned on me that password policies are part of that same subset and I took a chance and moved the settings to the DDP and it worked.

gf3l3k - If these settings can only be applied via the DDP, then WMI filtering or altering premissions would not be a good idea either. Then my DDP would not apply the "filtered" computers.

I guess what I am asking is - "is there any other way around this"? Maybe I am incorrect about the DDP thing, but these settings sure won't apply using a new GPO linked directly to the OU where the PCs are located.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.


Expert Comment

ID: 24407821
djerryanderson - how do you know the policies are being ignored?  Have you run gpresult on the workstations that the policies are supposed to be applied to to see if the policy is in fact getting down to the workstation or not?  Let me know the result of the gpresult.  Also, is the authenticated users group have read permissions for the GPO(s) you are creating?
LVL 85

Accepted Solution

oBdA earned 2000 total points
ID: 24408055
You definitely are incorrect about this. I've configured I don't know how many settings in computer configuration and applied them to machines in different OUs.
Create a completely new OU under the domain root, apply a computer configuration policy to it, move a test machine into that OU, run "gpupdate /target:computer /force" on that machine, and the policy *will* apply.
If the workstations are already in a different OU, you might want to check if maybe inheritance is blocked for that OU, and whether the DDP is enforced.
But I promise you that you can apply computer configuration settings to machines in an OU.

Author Comment

ID: 24441975
oBdA - well, I guess it just took a while to shake things loose. I SWEAR that I tried the GPO applied at the downlevel OU and it was not working. I used gpupdate, and gpupdate /force as well. I then check it a couple days later and the GPO is applying just fine. I somtimes think that my netowrk is possed and this is just designed to make my blood pressure go higher...

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question