Re: Help with Security Filtering




"mschlank" <mschlank@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:695599A1-2887-4C3C-9C41-28AA1143C449@xxxxxxxxxxxxxxxx
Herb, Thanks.

Can you clarify a few things?
1. What is the difference between Everyone and Authenticated users?

For something like Applying (filtering) Group Policy nothing important
probably but years ago (circa NT4 SP4 plus or minus an SP or so)
Microsoft realized that Everyone sometimes included UNAUTHENTICATED
users, including hackers who couldn't get authenticated.

So they introduced Authenticated Users and Anonymous as special groups
(should be called dynamic or automatic groups) to separate out these two.

Granting permission to Everyone, could (theoretically) allow people who had
not authenticated to get access.


2. Which Access list am I looking at to see if they are included? Are you
referring to the Properties, Security Tab for the GPO itself?

Yes.

I looked there a few times, and neither is listed...only the Security Groups
that I found in GPMC plus Creator Owner, Domain Admins, Enterprise Admins,
Enterprise Domain Controllers, System

Those above likely have Full Control (can edit/delete etc the policy.)

Read and Apply_Policy are needed to have it APPLY when linked to the
Computer or Users OU, Domain, or Site.

3. When you say both READ and APPLY_Policy need to apply, are you referring
to the same location I just mentioned in #2?

I don't use the GPMC much (for unusual reasons*) but rather purposely avoid
it for the old interface but I am pretty sure this is the same.

*[ If I install the GPMC, I lose access to the old interface -- as it is a
replacement rather than a supplement.]

4. Is there a way to see the ACL in the GPO that they are being applied to
the computers, besides just noticing the changes live?

The Security Properties for the GPO is what we are talking about.

5. When you make a setting change in Group Policy, how long is reasonable
amount of time to wait for propagation to occur for user vs computer
setting changes?

Two answers (and they both count):

1) First replication must occur to all DCs before the entire domain will
be affected

2) Clients must either Refresh the Policy or Reboot/Re-Logon for it to
affect a specific computer or user.*

* Some policies are applied at refresh and some can only be applied at next
logon/startup

The defaults are about 90 minutes for ordinary computers (but it is plus or
minus 30 minutes to prevent every computer from refreshing at the same
moment)
and about 5 minutes for DCs.

YES. This is extremely frustrating. Not sure why they didn't just use OU.
I hate to have to redo all their work now. When I spoke to them, I get the
run-around.

They likely are incompetent then.

GPOs are not HARD but they do take a basic understanding to get right
easily and if one (or they) has that basic understanding then they are VERY
EASY to explain and design.

Call me if you wish -- I will try to help.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
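
The point made in items 2 to 4 above (a GPO only applies to a trustee that holds both Read and Apply Group Policy on the GPO's ACL) can be checked from the GPO's security descriptor. The following is an added example, not part of the original post: it assumes the descriptor has been exported as an SDDL string, and the sample SDDL and group SIDs are constructed.

```python
import re

# Extended-right GUID Active Directory uses for "Apply Group Policy".
APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
READ_BITS = {"LC", "RP", "RC"}  # list children, read property, read control

def gpo_filter_status(sddl):
    """Map trustee -> {'read': bool, 'apply': bool} from a GPO's SDDL string."""
    # Limits: two-letter rights only (no hex masks); groups are not expanded.
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        kind, _flags, rights, obj, _iobj, sid = ace.split(";")[:6]
        if kind not in ("A", "OA", "D", "OD"):  # ignore audit ACEs
            continue
        is_allow = kind in ("A", "OA")
        bits = set(re.findall("..", rights))
        granted = set()
        # Allow needs every read bit; a deny of any one of them breaks Read.
        has_read = READ_BITS <= bits if is_allow else bool(READ_BITS & bits)
        if obj == "" and has_read:
            granted.add("read")
        # CR = control access; an empty object GUID covers all extended rights.
        if "CR" in bits and obj.lower() in ("", APPLY_GPO):
            granted.add("apply")
        (allow if is_allow else deny).setdefault(sid, set()).update(granted)
    status = {}
    for sid in allow.keys() | deny.keys():
        eff = allow.get(sid, set()) - deny.get(sid, set())
        status[sid] = {"read": "read" in eff, "apply": "apply" in eff}
    return status

def applies_to(sddl):
    """Trustees holding both Read and Apply Group Policy on the GPO."""
    return sorted(s for s, r in gpo_filter_status(sddl).items()
                  if r["read"] and r["apply"])

# Constructed sample: SIDs ending -1105 and -1106 are made-up security groups.
G1 = "S-1-5-21-1000-2000-3000-1105"
G2 = "S-1-5-21-1000-2000-3000-1106"
SAMPLE = ("O:DAG:DAD:PAI"
          "(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)"   # Domain Admins: edit, no Apply
          "(A;CI;LCRPLORC;;;ED)"                    # Enterprise DCs: read only
          f"(A;CI;LCRPLORC;;;{G1})(OA;CI;CR;{APPLY_GPO};;{G1})"  # read + apply
          f"(OA;CI;CR;{APPLY_GPO};;{G2})")          # apply without read

if __name__ == "__main__":
    for sid, rights in sorted(gpo_filter_status(SAMPLE).items()):
        print(sid, rights)
    print("GPO applies to:", applies_to(SAMPLE))
```

In the sample only the first group ends up in scope: Domain Admins can edit the GPO but have no Apply entry, and the second group has Apply without Read.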

