Group Policy????

Newsgroup: microsoft.public.windows.server.security

Posted by udi via WinServerKB.com on June 26, 2005, 11:39 am
I have 1 Windows 2003 Enterprise Server (domain) and 60 Windows XP Professional
clients.
I want to implement Group Policy in our domain environment.
Also I want to implement Local Policy on every client machine.

I want to apply the following restrictions in our domain.
1) Nobody logs on to the local machine
2) Restrict all the local system resources except to the owner of the machine
3) Nobody accesses the local machine from the network
4) Restrict the operating system drive on every client machine

Group Policy Object:
1) Restrict software installation for users
2) Restrict some network sources

Can anybody help me with this, and also suggest any other activities to restrict
through Group Policy as well as Local Machine Group Policy?

Please guide me step by step, so I can easily implement it in our domain
environment.

Regards
Udi


--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200506/1


Posted by Steven L Umbach on June 26, 2005, 10:34 am
As Svyatoslav suggested, you are much better off using domain or
Organizational Unit level Group Policy than local Group Policy for domain
computers, for ease of management and consistent application. Here are some
pointers to get you started.

Read the Windows 2003 Deployment Kit link below on Designing a Managed
Environment and the other general link to Group Policy. Download and use the
Group Policy Management Console to implement, troubleshoot, and manage Group
Policy.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/3ddb5bec-a454-4e9b-a6e7-397ee7c4ea3a.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/featured/gp/default.mspx

I will briefly suggest what to consider for each point.

1. Modify the user rights for "log on locally" and "deny log on locally". Keep in
mind that deny overrides allow and that administrators are also members of the
Everyone and Users groups. This can be done via Group Policy - Computer
Configuration/Windows Settings/Local Policies/User Rights.

2. Not sure exactly what you want to do here, but it sounds like you
want to manage membership of the local Administrators group to be just the
"owner" of the computer, though it is best not to make a regular
user a local administrator unless there is a compelling business reason to
do so. Group Policy Restricted Groups may help here.

3. Either disable the Server service, though that will prevent you from
using Computer Management to remotely manage the computers, or modify the
user rights for "access this computer from the network" and "deny access this
computer from the network" to manage who can access the computer from the
network. Access to Remote Desktop can be managed by modifying membership of
the Remote Desktop Users group and/or the user right for allow/deny logon
through Terminal Services. IPsec can also be used to manage network access
at the computer level, though it is a fairly complex topic and IPsec policies
must be tested out before implementing them in the domain. A strong domain
password policy is also a must to protect network resources, and high value
computers need to be physically secured. IPsec, services, user rights and
Remote Desktop can all be managed via Group Policy.

4. You can manage NTFS permissions to restrict user access to
folders/files. By default users will have full control of their user profile
and write access to some parts of the All Users profile such as shared
folders. Be sure to test changes before implementing them so that the user has a
functional computer and can log on. I don't recommend making changes to NTFS
permissions on the \windows folder and subfolders. NTFS permissions can be
applied via Group Policy/security policy - File System, or via logon/startup
Group Policy scripts. I recommend using File System group policy ONLY at the
OU level and removing it when computer NTFS permissions have been updated.
This needs to be thoroughly tested on a test OU with test computers first.

1B. Use Software Restriction Policies to manage what applications a user
can install and run on their computer. You can use hash, certificate and
path rules and a default security level of unrestricted or disallowed. Keep in
mind that desktop shortcuts are considered executable files. The link
below explains much more.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

2B. Network resources can be restricted by the use of the built-in Windows
Firewall, where you can configure the scope of an exception to allow only
desired traffic by IP address or subnet, or you can use IPsec policies to
manage network access. Keep in mind that anything that filters access by IP
address alone could be accessed if a user is able to configure their
computer with an IP address in the allowed range. The first link below is
about IPsec, and I also suggest you read the Windows 2003 and XP Pro security
guides, which have specific information on security policy, which is a subset
of Group Policy - Computer Configuration. --- Steve

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
http://www.microsoft.com/technet/security/default.mspx -- TechNet Security
center. View the pertinent operating system for security guides, etc.
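
As an added worked example (not Steve's code or anything from the original
thread), the following PowerShell script builds a security template with the
user-rights and Restricted Groups settings from points 1 to 3 above, checks it
for the "deny overrides allow" trap Steve warns about, applies it to a TEST
client with secedit, and re-exports the effective settings to confirm. The
domain name CORP and the groups "Workstation Users" (may log on locally) and
"Workstation Admins" (local admins, may connect over the network) are
assumptions for illustration; PowerShell 2.0 or later and an elevated prompt
are also assumed.

```powershell
# Added example, not from the thread. Builds a security template with the user-rights
# and Restricted Groups settings discussed above, checks it for "broad" Deny entries,
# applies it to a TEST machine with secedit, and re-exports the effective settings.
# Assumptions (hypothetical names): domain CORP, groups "Workstation Users" (may log
# on locally) and "Workstation Admins" (local admins, may connect over the network).
# Run from an elevated PowerShell prompt on a test client first, never on production.

$Work = Join-Path $env:TEMP 'lockdown'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf = Join-Path $Work 'lockdown.inf'

# Well-known SIDs (prefixed with * as secedit expects), so the template does not
# depend on localized group names.
$Admins = '*S-1-5-32-544'; $Guests = '*S-1-5-32-546'; $RdpUsers = '*S-1-5-32-555'

# Allow-lists name only who gets the right; anyone not listed simply lacks it.
# Deny entries are reserved for Guests: a Deny on Users or Everyone would also
# lock out administrators, who are members of both groups.
$Template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $Admins,CORP\Workstation Users
SeDenyInteractiveLogonRight = $Guests
SeNetworkLogonRight = $Admins,CORP\Workstation Admins
SeDenyNetworkLogonRight = $Guests
SeRemoteInteractiveLogonRight = $Admins,$RdpUsers
SeDenyRemoteInteractiveLogonRight = $Guests
[Group Membership]
$($Admins)__Memberof =
$($Admins)__Members = CORP\Domain Admins,CORP\Workstation Admins
"@
# Restricted Groups "Members" REPLACES the current membership of Administrators on
# every policy refresh (the built-in Administrator account is always kept).
Set-Content -Path $Inf -Value $Template -Encoding Unicode   # secedit wants UTF-16

function Test-DenyRights {
    # Returns a list of SeDeny* rights in a template that name a principal
    # administrators belong to (Everyone, Authenticated Users, Users).
    param([string]$Path)
    $broad = @('*S-1-1-0', '*S-1-5-11', '*S-1-5-32-545',
               'Everyone', 'Authenticated Users', 'Users')
    $problems = @()
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*(SeDeny\w+)\s*=\s*(.*)$') {
            $right = $matches[1]
            foreach ($p in ($matches[2] -split ',')) {
                if ($broad -contains $p.Trim()) {
                    $problems += "$right denies $($p.Trim()): this also hits administrators"
                }
            }
        }
    }
    return $problems
}

$issues = Test-DenyRights $Inf
if ($issues) { $issues | Write-Warning; throw 'Template would lock administrators out; not applying.' }

# Apply only the two areas the template contains, then export what is now in effect.
& secedit /configure /db "$Work\lockdown.sdb" /cfg $Inf /areas USER_RIGHTS GROUP_MGMT /log "$Work\lockdown.log" /quiet
& secedit /export /cfg "$Work\after.inf" /areas USER_RIGHTS GROUP_MGMT
Get-Content "$Work\after.inf" | Where-Object { $_ -match '^(Se\w+LogonRight|\*S-1-5-32-544__)' }
```

Once the exported settings on the test client look right, import the same
.inf into the test OU's GPO (Computer Configuration/Windows Settings/Security
Settings, right-click, Import Policy) rather than leaving it as local policy:
on a domain member the domain GPO overwrites the local result at the next
refresh, which is exactly why Steve recommends the OU level.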

Posted by S. Pidgorny on June 26, 2005, 10:51 pm
Udi,

Use domain/OU policies - they override local policies, so you have less to
manage.
I'd suggest posting to the microsoft.public.windows.group_policy newsgroup - you
can access the groups directly using an Outlook Express news account on
msnews.microsoft.com, or via the Microsoft web interface at
http://support.microsoft.com/newsgroups/, avoiding unnecessary intermediate
points and ads.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

Posted by Roger Abell on June 27, 2005, 7:48 am
You have some great info already in Slav's and Steve's posts.

You need to read up some, as Steve suggested, before taking this
to the GP newsgroup, so that you can state your requirements more
precisely when you do.

While you can do everything (and more) with Group Policy from AD
that you can do with local security policy, there are some limitations.
The main one that seems to show up in your requirements is that you
want to make some settings unique to each machine, like only the
"owner" (whatever that is) of each machine may use that machine.
Group Policy is not good at setting things this way on one machine,
that way on a different machine, and yet another way on a third.
Here, every machine would need to have a different setting for the
"Log on locally" policy, which implies that you would need to define
a different GPO for each machine to deliver these machine-unique
settings. While this can be done, and it might not be so bad in a
small environment, it is not tenable in a larger one. There are third
party extensions for Group Policy that are of use when such "fine
tuning" is needed.

--
Roger Abell
Microsoft MVP (Windows Security)
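
As an added example (not Roger's, and not from the original thread), here is
one way to get per-machine "owner" settings without one GPO per machine, using
the startup-script route Steve mentions: the domain GPO grants "Allow log on
locally" to Administrators and to a local group, and a computer startup script
makes each machine's owner the only member of that group. The local group name
"Workstation Logon", the domain CORP, the mapping file and the computer names
are assumptions for illustration, as is PowerShell 2.0 or later on the clients.
The policy editor on the DC cannot resolve a local group name; the client
resolves it when the policy is applied, so the group must exist before the
first refresh (the script creates it).

```powershell
# Added example, not from the thread. Computer startup script (runs as SYSTEM) that
# reconciles the local group "Workstation Logon" with a per-machine owner mapping.
# Assumes a domain GPO grants "Allow log on locally" to Administrators and to this
# local group. Domain CORP, the group name and the mapping are hypothetical.

$GroupName = 'Workstation Logon'
$DryRun    = $true      # print the net commands instead of running them; flip on the test OU

# Constructed sample of the owner mapping. In production read it from a share that
# computer accounts can read, e.g. $Mapping = Import-Csv '\\dc1\netlogon\owners.csv'
$Mapping = @'
Computer,Owner
WS001,CORP\udi
WS002,CORP\alice
'@ | ConvertFrom-Csv

function Get-LocalGroupMembers {
    # Parses "net localgroup <name>" output; returns $null when the group does not exist.
    param([string]$Name)
    $lines = & net localgroup "$Name" 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { return $null }
    $members = @(); $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}')                 { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim())             { $members += $line.Trim() }
    }
    return ,$members
}

function Invoke-Net {
    # Runs (or, in dry-run mode, prints) one net.exe command.
    param([string[]]$NetArgs)
    if ($DryRun) { Write-Host ("DRYRUN: net " + ($NetArgs -join ' ')) }
    else         { & net @NetArgs | Out-Null }
}

function Get-DesiredMembers {
    # Fail closed: an unmapped machine keeps an empty group, so only administrators
    # (granted separately by the GPO) can log on until the mapping is fixed.
    param([string]$Computer, $Map)
    $row = $Map | Where-Object { $_.Computer -eq $Computer }
    if ($row) { return ,@($row.Owner) }
    Write-Warning "No owner mapped for $Computer; $GroupName stays empty"
    return ,@()
}

$desired = Get-DesiredMembers $env:COMPUTERNAME $Mapping
$current = Get-LocalGroupMembers $GroupName
if ($null -eq $current) {
    Invoke-Net @('localgroup', $GroupName, '/add')
    $current = @()
}
# Reconcile: remove anyone not mapped to this machine, add the owner if missing.
# -contains compares case-insensitively, as Windows account names are.
foreach ($m in $current) { if ($desired -notcontains $m) { Invoke-Net @('localgroup', $GroupName, $m, '/delete') } }
foreach ($m in $desired) { if ($current -notcontains $m) { Invoke-Net @('localgroup', $GroupName, $m, '/add') } }
```

Assign the script under Computer Configuration/Windows Settings/Scripts
(Startup) on the test OU first and run it with $DryRun left at $true, so the
only output is the list of net commands it would issue; the same group-based
pattern works for Remote Desktop Users or any other right the owner should
have on their machine alone.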
