Windows Server 2003 Group Policy - Security Settings, Restricted Groups and File System
OK, couple issues but both related to group policy. First let me start by saying I FINALLY did what should have been done a long time ago and tightened up security at the workstations. I am ashamed to admit it, but all users were local admins.
Anyway, I have an application that dynamically updates a file that the developer put in of all places the WINDOWS folder (%SYSTEMROOT%). I want to allow users to be able to have write privileges - otherwise obviously this app will not work and unfortunately it's a critical app.
Second, I want a very small subset of people to have admin (power users preferrably) right to all of my workstations to assist with software installs.
So here is the problem - I used a GPO to apply the %SYSTEMROOT% write access to users via FILE SYSTEM part of the policy (I just chose Domian Users - not sure if that's a good choice but it was all inclusive). I also created a security group and added the few "privileged users" to it and then used the RESTRICTED GROUPS policy setting to let this new group and DOMAIN ADMINS have rights to the LOCAL ADMINS group on my workstations.
The problem I have is that these security settings (like password settings) can only be applied through the default domain policy. This policy, of course, applies to every computer in the domain - servers too - and I obviously don't want all users to have write access to the SYTEMROOT directory on my servers, nor do I want the 5 people in that group to be admins on my servers!!!
Is there a better way to do this in an "automated" manner or am I just SOL and will have to visit each workstation. We're only talking 40 computers, but I'm still waiting for all these Microsoft classes to pay off here!!!! Any help would be appreciated.
Anyway, I have an application that dynamically updates a file that the developer put in of all places the WINDOWS folder (%SYSTEMROOT%). I want to allow users to be able to have write privileges - otherwise obviously this app will not work and unfortunately it's a critical app.
Second, I want a very small subset of people to have admin (power users preferrably) right to all of my workstations to assist with software installs.
So here is the problem - I used a GPO to apply the %SYSTEMROOT% write access to users via FILE SYSTEM part of the policy (I just chose Domian Users - not sure if that's a good choice but it was all inclusive). I also created a security group and added the few "privileged users" to it and then used the RESTRICTED GROUPS policy setting to let this new group and DOMAIN ADMINS have rights to the LOCAL ADMINS group on my workstations.
The problem I have is that these security settings (like password settings) can only be applied through the default domain policy. This policy, of course, applies to every computer in the domain - servers too - and I obviously don't want all users to have write access to the SYTEMROOT directory on my servers, nor do I want the 5 people in that group to be admins on my servers!!!
Is there a better way to do this in an "automated" manner or am I just SOL and will have to visit each workstation. We're only talking 40 computers, but I'm still waiting for all these Microsoft classes to pay off here!!!! Any help would be appreciated.
Neither the "Restricted Groups" nor the "File System" have to be applied through the Default Domain Policy.
Microsoft explicitly says to NOT actively use the Default Domain Policy, and use dedicated GPOs instead.
In fact, not even the Domain Password Policy in a W2k3 AD has to be configured in the DDP; it just has to be configured in a GPO linked to the domain root, and apply to the DCs.
That said: create an OU "Workstations" or whatever (the default "Computers" you see in AD is a container, not an OU, and GPOs can only be linked to OUs), and move the workstations into this OU.
Create a GPO linked this OU in which you configure the restricted groups and the file system. Try if it's enough to give users Change permissions on this file itself, and not on %Systemroot%. If that doesn't work, check if there's a replacement for that application, or if you can get the developers of that thing to move their application file out of a system folder, where it has nothing lost at all.
If you have to give them write access to the full %Systemroot% folder, at least create a separate domain local group, give permissions to this group, add a dedicated global application group to which you add all users of this application.
Microsoft explicitly says to NOT actively use the Default Domain Policy, and use dedicated GPOs instead.
In fact, not even the Domain Password Policy in a W2k3 AD has to be configured in the DDP; it just has to be configured in a GPO linked to the domain root, and apply to the DCs.
That said: create an OU "Workstations" or whatever (the default "Computers" you see in AD is a container, not an OU, and GPOs can only be linked to OUs), and move the workstations into this OU.
Create a GPO linked this OU in which you configure the restricted groups and the file system. Try if it's enough to give users Change permissions on this file itself, and not on %Systemroot%. If that doesn't work, check if there's a replacement for that application, or if you can get the developers of that thing to move their application file out of a system folder, where it has nothing lost at all.
If you have to give them write access to the full %Systemroot% folder, at least create a separate domain local group, give permissions to this group, add a dedicated global application group to which you add all users of this application.
ASKER
oDbA - I have tried what you said. That's the way I did it to begin with. Workstations are in a separate OU. I created a GPO with the appropriate settings and linked it to that OU. It didn't work. If I am not mistaken, the only way any settings actually apply that are part of the COMPUTER CONFIGURATION\SECURITY SETTINGS\WINDOWS SETTINGS is if it's part of the DDP (or possibly another GPO applied at the domain level. Again, I did that excat arrangemetn - and the policy was completely ignored. At first I thought it was perhaps a firewall issue that may have been blocking GPO application. I ran the RSOP like 10 times and all other policies were applying (they had settings not in above location). It then dawned on me that password policies are part of that same subset and I took a chance and moved the settings to the DDP and it worked.
gf3l3k - If these settings can only be applied via the DDP, then WMI filtering or altering premissions would not be a good idea either. Then my DDP would not apply the "filtered" computers.
I guess what I am asking is - "is there any other way around this"? Maybe I am incorrect about the DDP thing, but these settings sure won't apply using a new GPO linked directly to the OU where the PCs are located.
gf3l3k - If these settings can only be applied via the DDP, then WMI filtering or altering premissions would not be a good idea either. Then my DDP would not apply the "filtered" computers.
I guess what I am asking is - "is there any other way around this"? Maybe I am incorrect about the DDP thing, but these settings sure won't apply using a new GPO linked directly to the OU where the PCs are located.
djerryanderson - how do you know the policies are being ignored? Have you run gpresult on the workstations that the policies are supposed to be applied to to see if the policy is in fact getting down to the workstation or not? Let me know the result of the gpresult. Also, is the authenticated users group have read permissions for the GPO(s) you are creating?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
oBdA - well, I guess it just took a while to shake things loose. I SWEAR that I tried the GPO applied at the downlevel OU and it was not working. I used gpupdate, and gpupdate /force as well. I then check it a couple days later and the GPO is applying just fine. I somtimes think that my netowrk is possed and this is just designed to make my blood pressure go higher...
You have two options here:
- permissions way
- WMI filtering way
Permissions way - you can remove all not required groups from accessing GPO and allow Read and Apply Group policy permissions only to security group which you will create and add all all computers which have to get particular GPO applied.
WMI filtering way - you can define WMI filter which will select particular parameter from computer and based on that will decide if particular GPO will be applied or not. This parameter might be computer name, service pack level, amount of memory, etc... (all parameters you can have from WMI).
If you need more details check this locations:
http://www.windowsnetworki
http://technet.microsoft.c
Hope that helps a bit.