Author : kyoshiro mibu
Article ID : 46
Audience : Top News
Version 1.02
Published Date: 2005/2/20 5:15:03
Reads : 3068

Windows 2003 Server Security and Policies.

When dealing with Domain Security and Domain Configuration it’s important to keep in mind topics like GPO’s (Group Policy Objects).

So you’ve bought your hardware and loaded Windows 2003 Server. Have you run DCPROMO yet and turned it into a Domain Controller? If so, did you set up DNS during the promotion or did you do it beforehand? How do you have your users set up?

These questions are key to saving time and improving efficiency. If you’ve run DCPROMO then you’re going to install Active Directory, a hierarchical database dedicated to managing users, groups, trusts, virtually everything to do with that domain. AD will store itself in a folder called SYSVOL in the %systemroot%\windows\ directory so don’t delete it!

The reason I mention DNS so strongly is that it’s tied into AD very densely. Without DNS you have no AD. You botch DNS up and you can’t do the simplest of functions such as Remote Desktop. DNS is also the mistake I see my students make the most. 9 times out of 10 when they can’t get their machines to join a domain it’s because that machine’s DNS isn’t pointing to the Domain Controller or the DNS Server. But I’ll go more into how DNS works in a later posting.

Let’s switch gears and cover GPO’s. If you have a Windows XP Pro machine you have what are called LGPO’s (Local Group Policy Objects). These will affect only the LOCAL machine. When I use the word “local” I’m trying to say just that single machine. So the policies that you implement on that XP machine won’t impact your neighbor.

To access the LGPO’s on your computer (Windows XP Pro/2000 Pro/2003 Server/2000 Server) just do the following:

Start  Run  GPEDIT.MSC

This will bring up the Group Policy Editor. In here you have two categories, Computer Configuration and User Configuration. If you choose Windows Settings from the Computer Configuration area you can modify Password Policies such as minimum length and maximum age. You can set up Audit Policies, which are very useful for finding out who you can and can’t trust with sensitive information. You can specify who can perform what functions, such as shut down the computer, log on as a service, etc.

Next go down to the User Configuration area and open Administrative Templates. In this section you can modify anything about the interface and what users can actually SEE. Remember, if they can’t see it they probably can’t DO it (i.e. screw with it). Using this area you can rig it to where the only item visible on the desktop is a single icon! This is sweet for a call center environment where you have hundreds of users that you don’t want trying anything cute.

The only drawback? The changes you apply will impact EVERYONE that touches the machine. So if you lock it down, even as an administrator, you’re going to be as limited as your users. THUS the benefit of being a part of a Domain. From a Domain Controller I can very easily make a GPO that will override the LGPO of that XP Machine!

Here’s how that works:

LSDO (the mnemonic is LSD-Overdose)

This is actually a little trick for remembering Policy precedence: policies are applied in the order Local, Site, Domain, OU, and the last one applied wins.


Let’s say you have a laptop at home and you’ve used GPEDIT.MSC to set things the way you like them. Well one day you bring that laptop in and join it to your company Domain. All of a sudden all the things you changed are changed! What happened?! Well, when you joined that domain the Group Policies in place overwrote your LGPO Settings.

Let’s say you get your administrator to put your User account and your Computer account into an OU (Organizational Unit) run by your buddy. You can get your buddy to create a GPO on the OU how you like it and THAT will override the Domain GPO! It’s all a matter of understanding how these Policies filter down.
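The laptop scenario above, worked through as an added example that is not part of the original article: it resolves the effective value of each setting in LSDO order (Local, Site, Domain, OU) and reports which GPO won. It goes one step beyond the text by also modelling a link flagged Enforced (No Override in the older console), which is how a domain administrator keeps an OU-level GPO from overriding a domain setting. The GPO names, setting names and values are constructed for illustration.

```python
# Added illustration: GPO names, levels and setting values are constructed.
LSDO = ("local", "site", "domain", "ou")  # processing order; the last writer wins


def effective_policy(gpos):
    """Return {setting: (value, name of winning GPO)}.

    Each GPO is a dict with 'name', 'level' (one of LSDO) and 'settings'.
    Optional 'depth' orders nested OUs (parent 0, child 1, ...); optional
    'enforced' marks a link flagged Enforced / No Override.
    """
    def order(gpo):
        return (LSDO.index(gpo["level"]), gpo.get("depth", 0))

    normal = sorted((g for g in gpos if not g.get("enforced")), key=order)
    # Enforced links are processed after all others, lowest level first, so
    # the enforced GPO highest in the hierarchy ends up as the final writer.
    enforced = sorted((g for g in gpos if g.get("enforced")),
                      key=order, reverse=True)

    result = {}
    for gpo in normal + enforced:
        for setting, value in gpo["settings"].items():
            if value is None:  # "Not Configured" leaves the earlier value alone
                continue
            result[setting] = (value, gpo["name"])
    return result


# The laptop from the article after joining the domain (constructed values).
LAPTOP = [
    {"name": "Local policy", "level": "local", "settings": {
        "AuditLogonEvents": "No auditing", "HideDesktopIcons": False,
        "ScreenSaverTimeout": 3600}},
    {"name": "Domain baseline", "level": "domain", "settings": {
        "AuditLogonEvents": "Success, Failure", "HideDesktopIcons": True,
        "ScreenSaverTimeout": None}},
    {"name": "Buddy's OU GPO", "level": "ou", "settings": {
        "HideDesktopIcons": False}},
]

if __name__ == "__main__":
    for setting, (value, source) in sorted(effective_policy(LAPTOP).items()):
        print(f"{setting:20} = {value!s:18} (from {source})")
```

A setting the domain GPO leaves Not Configured keeps its local value, which is why auditing a machine means checking the resolved result rather than any single GPO.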

The best thing about these GPO’s is you can use them to deploy Security Templates which I’ll cover in my next post!

My fingers are about to fall off from writing so many articles today! Feel free to email me if you have any questions or think I’m wrong about something.

-Kyoshiro (MCSE)
