Solved

Windows Server 2003 Group Policy - Security Settings, Restricted Groups and File System

Posted on 2009-05-16
6
910 Views
Last Modified: 2012-06-21
OK, couple issues but both related to group policy. First let me start by saying I FINALLY did what should have been done a long time ago and tightened up security at the workstations. I am ashamed to admit it, but all users were local admins.

Anyway, I have an application that dynamically updates a file that the developer put in of all places the WINDOWS folder (%SYSTEMROOT%). I want to allow users to be able to have write privileges - otherwise obviously this app will not work and unfortunately it's a critical app.

Second, I want a very small subset of people to have admin (power users preferrably) right to all of my workstations to assist with software installs.

So here is the problem - I used a GPO to apply the %SYSTEMROOT% write access to users via FILE SYSTEM part of the policy (I just chose Domian Users - not sure if that's a good choice but it was all inclusive). I also created a security group and added the few "privileged users" to it and then used the RESTRICTED GROUPS policy setting to let this new group and DOMAIN ADMINS have rights to the LOCAL ADMINS group on my workstations.

The problem I have is that these security settings (like password settings) can only be applied through the default domain policy. This policy, of course, applies to every computer in the domain - servers too - and I obviously don't want all users to have write access to the SYTEMROOT directory on my servers, nor do I want the 5 people in that group to be admins on my servers!!!

Is there a better way to do this in an "automated" manner or am I just SOL and will have to visit each workstation. We're only talking 40 computers, but I'm still waiting for all these Microsoft classes to pay off here!!!! Any help would be appreciated.
0
Comment
Question by:djerryanderson
6 Comments
 
LVL 5

Expert Comment

by:qf3l3k
ID: 24405427
I think that best way to select subset of computers to apply GPO on them will be GPO filtering.

You have two options here:
- permissions way
- WMI filtering way

Permissions way - you can remove all not required groups from accessing GPO and allow Read and Apply Group policy permissions only to security group which you will create and add all all computers which have to get particular GPO applied.
 
WMI filtering way - you can define WMI filter which will select particular parameter from computer and based on that will decide if particular GPO will be applied or not. This parameter might be computer name, service pack level, amount of memory, etc... (all parameters you can have from WMI).
 
If you need more details check this locations:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx
 
Hope that helps a bit.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24406033
Neither the "Restricted Groups" nor the "File System" have to be applied through the Default Domain Policy.
Microsoft explicitly says to NOT actively use the Default Domain Policy, and use dedicated GPOs instead.
In fact, not even the Domain Password Policy in a W2k3 AD has to be configured in the DDP; it just has to be configured in a GPO linked to the domain root, and apply to the DCs.
That said: create an OU "Workstations" or whatever (the default "Computers" you see in AD is a container, not an OU, and GPOs can only be linked to OUs), and move the workstations into this OU.
Create a GPO linked this OU in which you configure the restricted groups and the file system. Try if it's enough to give users Change permissions on this file itself, and not on %Systemroot%. If that doesn't work, check if there's a replacement for that application, or if you can get the developers of that thing to move their application file out of a system folder, where it has nothing lost at all.
If you have to give them write access to the full %Systemroot% folder, at least create a separate domain local group, give permissions to this group, add a dedicated global application group to which you add all users of this application.
0
 
LVL 1

Author Comment

by:djerryanderson
ID: 24407728
oDbA - I have tried what you said. That's the way I did it to begin with. Workstations are in a separate OU. I created a GPO with the appropriate settings and linked it to that OU. It didn't work. If I am not mistaken, the only way any settings actually apply that are part of the COMPUTER CONFIGURATION\SECURITY SETTINGS\WINDOWS SETTINGS is if it's part of the DDP (or possibly another GPO applied at the domain level. Again, I did that excat arrangemetn - and the policy was completely ignored. At first I thought it was perhaps a firewall issue that may have been blocking GPO application. I ran the RSOP like 10 times and all other policies were applying (they had settings not in above location). It then dawned on me that password policies are part of that same subset and I took a chance and moved the settings to the DDP and it worked.

gf3l3k - If these settings can only be applied via the DDP, then WMI filtering or altering premissions would not be a good idea either. Then my DDP would not apply the "filtered" computers.

I guess what I am asking is - "is there any other way around this"? Maybe I am incorrect about the DDP thing, but these settings sure won't apply using a new GPO linked directly to the OU where the PCs are located.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Expert Comment

by:mcannet
ID: 24407821
djerryanderson - how do you know the policies are being ignored?  Have you run gpresult on the workstations that the policies are supposed to be applied to to see if the policy is in fact getting down to the workstation or not?  Let me know the result of the gpresult.  Also, is the authenticated users group have read permissions for the GPO(s) you are creating?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 24408055
You definitely are incorrect about this. I've configured I don't know how many settings in computer configuration and applied them to machines in different OUs.
Create a completely new OU under the domain root, apply a computer configuration policy to it, move a test machine into that OU, run "gpupdate /target:computer /force" on that machine, and the policy *will* apply.
If the workstations are already in a different OU, you might want to check if maybe inheritance is blocked for that OU, and whether the DDP is enforced.
But I promise you that you can apply computer configuration settings to machines in an OU.
0
 
LVL 1

Author Comment

by:djerryanderson
ID: 24441975
oBdA - well, I guess it just took a while to shake things loose. I SWEAR that I tried the GPO applied at the downlevel OU and it was not working. I used gpupdate, and gpupdate /force as well. I then check it a couple days later and the GPO is applying just fine. I somtimes think that my netowrk is possed and this is just designed to make my blood pressure go higher...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question