Posted by Roger Abell [MVP] on December 29, 2005, 9:56 am
Generally, if you first apply the template (apply it, not import it into
a GPO for application) and then do the install, you will find that
many installs will adjust things (user rights, etc.) so that the installed
will work. So, following the install, analyze the existing state against
the template that had been applied. This shows the changes made,
if any, to the templated settings by the install, and this allows you to
adjust the template to what is needed to accommodate the installed.
The adjusted template may then be appropriate for import into a
GPO for continuous enforcement.

When a template uses principals that are not well-known with SIDs
that are everywhere the same, then yes, templates have a dependency
on the SAM for the SIDs. What I do is use a domain-defined group
when possible to avoid the non-transportability of the templates, and
where that is inappropriate I simply edit the template to globally do
a replace of the machine-specific SIDs with the counterparts on the
machine to which the template has been transported. (If you manually
alter one of the uses of the old with the new, you get the new SID in
the Notepad-openable .inf file.)
> How should security templates be layered? For example, I have a member
> server template that is very restrictive. It really locks the server
> down.
> Shouldn't I apply that first to a newly imaged server, then install the
> application? (i.e. Exchange 2003) I guess my concern is the User Rights
> Assignments in the template. Is there a way for the accounts to be carried
> to another server? From my experiences, all you get is SID numbers when
> you apply the template to another computer.
>
> Kevin
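The SID replacement Roger describes (globally swapping the source machine's SIDs in the .inf for the target machine's counterparts, while leaving well-known and domain SIDs alone) as an added example; this is not code from the thread. The template text, the machine and domain SID prefixes and the function names are constructed for the example. The `secedit` commands in the header comment are the documented apply/analyze syntax for the apply-then-install-then-analyze procedure from the post.

```python
"""
Transport a security template (.inf) between machines by rewriting the
machine-specific SIDs in its [Privilege Rights] section.

The surrounding procedure from the post, using secedit's documented syntax:
  secedit /configure /db C:\\sec\\base.sdb /cfg base.inf /overwrite /log apply.log
  ... install the application ...
  secedit /analyze   /db C:\\sec\\base.sdb /cfg base.inf /log analyze.log
analyze.log then lists the settings the install changed, which are folded
back into the template before it is imported into a GPO.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed SID prefixes (machine/domain identifier without the RID).
SOURCE_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TARGET_MACHINE_SID = "S-1-5-21-1234567890-987654321-1122334455"
DOMAIN_SID = "S-1-5-21-2000000001-2000000002-2000000003"

# Constructed sample template. '*' marks a SID rather than an account name.
# S-1-5-19 (LOCAL SERVICE) and S-1-5-32-544 (BUILTIN\Administrators) are
# well-known everywhere; the S-1-5-21-* entries are local groups on the
# source machine except the one under DOMAIN_SID, which is a domain group.
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *{SOURCE_MACHINE_SID}-1001,*S-1-5-19
SeInteractiveLogonRight = *S-1-5-32-544,*{SOURCE_MACHINE_SID}-1002,*{DOMAIN_SID}-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Any SID under the S-1-5-21 authority (domain or local SAM) plus its RID.
SAM_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def machine_specific_sids(inf_text: str, portable_prefixes: Iterable[str] = ()) -> Set[str]:
    """SAM SIDs in the template that are NOT under a prefix valid on the target
    (e.g. the domain's own identifier, which is the same on every member)."""
    portable = tuple(p + "-" for p in portable_prefixes)
    return {s for s in SAM_SID_RE.findall(inf_text) if not s.startswith(portable)}


def unmapped_sids(inf_text: str, sid_map: Dict[str, str],
                  portable_prefixes: Iterable[str] = ()) -> Set[str]:
    """Machine-specific SIDs for which no replacement has been supplied."""
    return machine_specific_sids(inf_text, portable_prefixes) - set(sid_map)


def rewrite_sids(inf_text: str, sid_map: Dict[str, str],
                 portable_prefixes: Iterable[str] = ()) -> str:
    """Global replace of machine-specific SIDs. Refuses to emit a template that
    still carries an unmapped one: applying it would grant a right to a SID the
    target machine cannot resolve (the 'all you get is SID numbers' symptom)."""
    missing = unmapped_sids(inf_text, sid_map, portable_prefixes)
    if missing:
        raise ValueError(f"no target counterpart for: {sorted(missing)}")
    return SAM_SID_RE.sub(lambda m: sid_map.get(m.group(0), m.group(0)), inf_text)


def transport_template(inf_text: str, source_prefix: str, target_prefix: str,
                       portable_prefixes: Iterable[str] = ()) -> str:
    """Convenience: map every source-machine SID to the same RID under the
    target prefix. Assumption for this example: the RIDs match. Only fixed RIDs
    (500 Administrator, 501 Guest) are guaranteed to; custom local groups get
    RIDs from 1000 upward in creation order, so look them up on the target."""
    sid_map = {s: target_prefix + s[len(source_prefix):]
               for s in machine_specific_sids(inf_text, portable_prefixes)
               if s.startswith(source_prefix + "-")}
    return rewrite_sids(inf_text, sid_map, portable_prefixes)


if __name__ == "__main__":
    print(transport_template(SAMPLE_INF, SOURCE_MACHINE_SID, TARGET_MACHINE_SID, [DOMAIN_SID]))
```

The domain group entry survives the rewrite untouched, which is the point of Roger's first preference: a domain-defined group resolves identically on every member server, so the fewer local-SAM principals a template names, the less editing it needs per machine.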