Posted by Tom Baxter on January 21, 2008, 8:50 pm
Thank you for the reply, Roger. I would be lying if I said I understood
everything you said but I understand things *better*, thanks to your
comments. I need to keep reading.
Thank you again.
--
Tom Baxter
> Hi Tom,
>
> some comments within, and no, there is no such tool.
>
> Roger
>
>> Thank you for the reply, Roger. I have more below.
>>
>>
>>> Since one does not assign policies to groups, or at least
>>> there is no standard meaning to that phrase as far as I know
>>> it seems I have to ask what you mean.
>>
>>
>>
>> I'm very new to Server 2003 so please forgive such a newbie question.
>>
>> Roger, you said, "...one does not assign policies to groups...". But if I
>> go into the "Local Security Policy" tool, I can assign several policies
>> to groups. There are many groups that have policies assigned to them (e.g.,
>> "Access this computer from the network", "Allow logon through terminal
>> Services", etc.).
>>
>
> OK, I see what you are meaning, but I think you are sort of
> inventing your own terminology here.
> Some policies are new with the advent of group policy,
> while other policies only reflect what already existed.
> In an enterprise (i.e. domain environment) GPOs can be
> filtered by security group to control the application of
> that collection of policies (but we do not call that assigning
> to the group). The policies you mention are governing user
> rights, which are (pre-existing group policy) rights that may
> be granted to principals (users or groups). So for these your
> use of assign is equivalent to the more common "grant".
> It is just words, but it threw me off.
>
>> The "Local Security Policy" tool shows which policies have been assigned
>> to which users/groups. I don't know if there are additional policies
>> *not* shown by the "Local Security Policy" tool that can be assigned to
>> groups.
>
> OK, but I see that as it showing to which groups certain user
> rights have been granted. There are many configuration settings,
> some of which have been reflected as policies.
> Take your Remote Desktop Users group for example.
> That group comes preconfigured (seems I omitted the p in the
> first posting I made, getting reconfigured) such that it has the
> user right to log on via terminal services, which does surface
> in policy. That group however also has a grant in the config
> of Terminal Services that allows TS login as a user, and that
> is not surfaced as a policy.
>
>>
>> What I was hoping to do is to pick up a group (say, "Remote Desktop
>> Users") and determine *all* policies applied to that group.
>>
>
> Policies are items in group policy (which also may include
> preferences, something that strictly speaking are not policies).
> You are saying policies to mean any control setting, whether
> in group policy or not. There is no such tool to my awareness.
> If you wanted to inventory policies granted to some group then
> one could export a report of a GPO and then parse that in script
> looking for the group. That would not work for local policy,
> and it would also be overkill as most policies do not name groups
> that receive grants (such as does happen with the user right policies).
>
>> Is there such a tool available?
>
> doubtful
>
>>
>>
>>
>>> None-the-less, in general there is no magic "clone this"
>>> button. Some groups have uses reconfigured, such as
>>> Remote Desktop Users does in the Terminal Services
>>> configuration and in user rights, and these are unique
>>> per group that does have these. There is no way to say,
>>> make a group named X that has all of the grants currently
>>> given to Remote Desktop Users group.
>>>
>>> Roger
>>>
>>>> Hi all,
>>>>
>>>> I'm using Server 2003 (learning it, actually).
>>>>
>>>> Is it possible to create a new local User Group based on the policies
>>>> assigned to an existing local group? In my case, I'd like to
>>>> essentially clone the "Remote Desktop Users" group and then add (or
>>>> possibly remove) some policies. The only reason I'm interested in doing
>>>> this is to experiment with groups & policies.
>>>>
>>>> As a related question, how can I find *all* the policies assigned to a
>>>> particular group? For example, in the Local Security Policy tool I can
>>>> see that the "Remote Desktop Users" group has the "Allow log on through
>>>> Terminal Services" policy applied. How can I find *all* the policies
>>>> that apply to the "Remote Desktop Users" group (or any group)?
>>>>
>>>> Thank you very much.
>>>>
>>>> --
>>>> Tom Baxter
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
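
For the user-rights part of the question, one way to inventory grants by script is to export the local user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and search the `[Privilege Rights]` section for the group. The sketch below is an added example, not part of the original thread; the sample export text is constructed and the function names are hypothetical. It covers only user rights, not grants held elsewhere such as the Terminal Services configuration mentioned in the thread.

```python
import re

# Constructed sample of the section written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The real file is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = Guest
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs for built-in groups (the export lists these as *SID).
WELL_KNOWN = {
    "everyone": "S-1-1-0",
    "administrators": "S-1-5-32-544",
    "users": "S-1-5-32-545",
    "remote desktop users": "S-1-5-32-555",
}

def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; plain account names do not.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def rights_granted_to(inf_text, group):
    """List user rights whose grant list names `group`, given by name or SID."""
    sid = WELL_KNOWN.get(group.lower(), group)
    wanted = {group.lower(), sid.lower()}
    return sorted(r for r, who in parse_privilege_rights(inf_text).items()
                  if wanted & {p.lower() for p in who})
```

`SeRemoteInteractiveLogonRight` is the constant behind "Allow log on through Terminal Services", and `SeNetworkLogonRight` is "Access this computer from the network".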