Re: Security Desciptors

From: "Richard Sweetnam" <rsweetnam@xxxxxxxxxxxx>
Date: Mon, 8 Aug 2005 00:11:58 +0200

The GPO Security Client Side (SecCli) processing engine will take care of
any discrepencies between the GPO's, only appling the security and registry
settings that are used by the client machine. Creating your GPO's creation
is generally done via tools like the Group Policy Managment Console or
Security Configuration and Analysis Console, which are standard across the
windows platforms.
For more information on this see
Core Group Policy Technical Reference
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/824b4758-9430-4633-8d8f-3dad0f2bf839.mspx

There were some caveats around templates edited in XP not running on 2000,
however there is now a hotfix for this.
http://support.microsoft.com/default.aspx?scid=kb;en-us;837166

Hope this helps,
Ricahrd

"Drew" <Drew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:245F840D-F125-413F-AF19-54E29E6442EC@xxxxxxxxxxxxxxxx
> Is it possible to screw these up using Group Policy. For instance if I
> created a GPO using a 2003 server and applied it to XP clients, is there a
> possiblitly here to czause problems?
>
> Also if I created a GPO on an XP workstation and applied it to 2003
> servers,
> is there a possiblitly of problems during this senerio?
>
> I'm not entirely sure what role Security Descriptors play in Group Policy.
> Perhalps someone can shed some light on the connection between the two or
> point me to a informative article.
>
> Thanks
>

.

References:
- Security Desciptors
  - From: Drew

Prev by Date: Re: Restricting login to only one domain
Next by Date: Re: How can I upgrade to xp via group policy?
Previous by thread: Security Desciptors
Next by thread: Add/Update Network Place
Index(es):
- Date
- Thread

Relevant Pages

Re: Giving admin rights to a subset of computers
... so does this point to a gpo problem. ... The user is a member of the following security groups: ... Group Policy was applied from: ... >> member of the 'Administrators' group. ...
(microsoft.public.win2000.security)
Re: Group Policy
... I have a feeling that is where my issue is coming from with the administrators desktops being affected by my group policy. ... Check that the IE version is supported, shown in the settings ... Please post the path to the GPO setting. ... gpupdate /force on the client machine to update the settings. ...
(microsoft.public.windows.server.setup)
Re: restrictions in effect
... I wonder if some security software installed on that client PC is causing your inability to change the home page. ... You could control the home page with a group policy, but it seems like that would be applying elsewhere besides this one PC. ... Then for the printing thing, I think I'd start by going to the IE Internet Options, Advanced tab, and click "Restore advanced settings." ...
(microsoft.public.windows.server.sbs)
Re: Group Policy
... Group policy refresh is done automatically between 90-120 minutes. ... If you like to changes immediately you have to make sure changes are replicated between all DCs and then run gpupdate /force on the client machine to update the settings. ... The client must be located in the OU where the GPO is linked to. ...
(microsoft.public.windows.server.setup)
Re: what is reset account?
... In general this applies to users who are admins or power users but if someone ever got access to control the settings for a service or the ability to modify the info for a service then it is possible to escalate to the proper security context. ... One of those occasions happened to me when I applied the GPO team's updates to the production domain and the ACL got wiped in the process thereby clearing the Group requirement which protected the GPO and thousands of workstations and servers around the world locked down to kiosk mode. ... I used that once as a stepping stone when doing a security check for a company several years ago and within an hour had escalated myself all the way up to EA and sent an email from the Chief of Security's mail account. ... If the client isn't talking or the person involved has insufficient access at the client or the client is offline the reset will only update the following attributes in AD ...
(microsoft.public.win2000.active_directory)