Re: My (numerous) Windows Group Policy Issues
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 Aug 2005 08:17:08 -0500
I don't have an answer for your issue about the extra settings for SCE
offhand.
It sounds maybe like you applied the dc security template to your computer?
For whatever reason this template and others that came with Windows 2003
have bad settings for system services! This still has not been fixed in SP1
and is not widely known to say the least. I bet if you open your services
with services.msc you will see critical services for a domain controller
such as the server service disabled. I don't know of a way to fix it unless
you can get someone with a Windows 2003 server to try to export their
service settings for you in a security template. Your other option is to use
your Windows 2003 Server Security Guide to set the services for a domain
controller to default levels. It should have that option. At minimum make
sure these services are set to automatic and enabled that the security
template may have disabled - RPC, dns client, distributed file system,
tcp/ip netbios helper, server, computer browser, event log, ipsec services,
netlogon, plug and play, protected storage, remote registry, security
accounts manager, windows time, and workstation. Keep in mind that you can
not start a service until the services it depends on are started. Once the
event log service is started you should be able to find helpful information
in the logs via Event Viewer if problems continue.
Having said that, the good news is that you have learned a valuable lesson - don't
mess around with security templates without a backup plan. Can you imagine
if this was a production domain!
First off Windows 2003 allows you to use secedit to create a "rollback"
security template that must be configured before you apply a security
template. Second be sure to ALWAYS use the mmc snapin for security templates
to examine any security template settings that you are considering to make
sure they are what you want. Thirdly use Group Policy at the OU level to
apply security templates to domain computers where possible. The advantage
here is that you can disable the GP that you imported the template into if
things go bad to restore things to the way they were hopefully. Lastly use
a test domain whenever possible such as you are doing.
I don't believe your problem is SP1 itself and that the user rights have not
changed any if I remember correctly. The Windows 2003 Security Guide is
still the best source of information that I know of for security settings
such as security options and user rights. There have been some new Group
Policy settings such as for Windows Firewall, RPC, and IE and I know they
are well covered in the Windows XP Security Guide which includes info on SP2
Group Policy. The link below has a lot of good information on W2003
1. --- Steve
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx
"Ralish" <Ralish@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:19A4F8EE-F688-4E25-8D12-B0F0D512A3AC@xxxxxxxxxxxxxxxx
> Hey there,
>
> The background:
> I am a school student who has a passion for information technology :)
> So recently I have been educating myself with an evaluation copy of Windows
> Server 2003 set up in a new test domain. Over the past few weeks I have been
> experimenting with the Group Policy functionality of Windows Server 2003. As
> a good starting point I have been reading the Windows Server 2003 Security
> Guide (v1.3) located at:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
> This is where my issues with Windows Group Policy begin:
>
> 1. Having added the extra recommended MSS Settings, located in the companion
> Threats and Countermeasures Guide (v1.2) located at:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
> to the Security Configuration Editor for application through Group Policy I
> have wanted to remove some of these settings from the SCE. The procedure is
> not described in either of the guides, and I can only find mention of the
> procedure in this KB article:
> http://support.microsoft.com/default.aspx?scid=214752 (scroll to the bottom).
> However, the procedure is not designed for Windows 2003, and I can not get
> it to work. Does anyone know how to successfully remove custom entries from
> the SCE in Windows 2003, can Microsoft update this article to make it
> applicable to their newest server OS?
>
> 2. I decided to apply the High Security settings described in the guide
> having always taken an interest in security. Although the settings are warned
> to have a possible effect on application compatibility, it was not implied
> that the settings would break key Windows functionality. After applying the
> security settings to Group Policy and restarting, numerous fundamental
> Windows Services would fail to start (COM+ Event System is frozen in starting
> mode, Cert Services, IIS Admin, etc... all fail to start, along with various
> RPC Server issues). Perhaps this guide has not been updated to reflect
> Service Pack 1 changes? Either way, I can not amend the Group Policy as the
> File Replication Service now refuses to start and the Sysvol share is not
> available. Is it possible to reset the User Rights Assignment settings back
> to factory default without the use of Group Policy or the Sysvol share?
>
> Finally, are there any good resources anyone can recommend that discuss in
> detail the user rights assignments settings that take into account Windows
> 2003 SP1?
>
> Thanks in advance for any and all help,
> Ralish
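
An added example, not part of either post: a pre-flight check that reads a security template's [Service General Setting] section and reports any of the services named in the reply that the template would leave at something other than automatic. The short service names, the startup codes (2 = automatic, 3 = manual, 4 = disabled) as mapped here, and the sample template are assumptions constructed for illustration.

```python
import re

# Short names of the services the reply lists as the minimum for a domain
# controller (RPC, DNS Client, DFS, TCP/IP NetBIOS Helper, Server, ...).
DC_CRITICAL = {
    "rpcss", "dnscache", "dfs", "lmhosts", "lanmanserver", "browser",
    "eventlog", "policyagent", "netlogon", "plugplay", "protectedstorage",
    "remoteregistry", "samss", "w32time", "lanmanworkstation",
}
START_MODE = {2: "automatic", 3: "manual", 4: "disabled"}

def service_settings(template_text):
    """Return {service_name_lower: start_code} from [Service General Setting]."""
    settings, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()     # entering a new section
            continue
        if section != "service general setting":
            continue
        # Entry shape: name,startcode,"SDDL"  (name may or may not be quoted)
        m = re.match(r'"?([^",]+)"?\s*,\s*(\d+)', line)
        if m:
            settings[m.group(1).strip().lower()] = int(m.group(2))
    return settings

def risky_services(template_text):
    """Sorted (service, mode) pairs for critical services not set to automatic."""
    found = service_settings(template_text)
    return sorted((name, START_MODE.get(code, str(code)))
                  for name, code in found.items()
                  if name in DC_CRITICAL and code != 2)

# Constructed sample fragment; not copied from any shipped template.
SAMPLE = '''[Unicode]
Unicode=yes
[Service General Setting]
"lanmanserver",4,""
Netlogon,2,""
"Browser",4,""
Alerter,4,""
"W32Time",3,""
'''

if __name__ == "__main__":
    for name, mode in risky_services(SAMPLE):
        print(f"{name}: template sets startup to {mode}")
```

Template files on disk are commonly saved as Unicode, so read them with `open(path, encoding="utf-16")` before passing the text in.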