Re: Group Policy is now inhibiting the Administrator account
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 31 Aug 2006 17:29:40 -0400
This is why I recommend creating separate group policy objects for
individual purposes. When you look in GPMC, you see all those policies
under Group Policy Objects - those are the individual GPOs. You can apply
any GPO to one or more Active Directory Organizational Units (OUs), which
are like the MyBusiness/Computers and MyBusiness/Users things you see in AD.
You can apply any given GPO to one or more OUs, so for example you could
have created a new GPO for your security settings, and only applied it to
the MyBusiness/Computers OU. That way, the policy would not have applied to
the server at all. And, as a separate GPO, you could have just disabled it
temporarily when you ran into the unintended result.
I'm going to see Susan Bradley next week at SMB Nation, and I'm risking
getting whacked with a 2x4 for saying this: I don't do much of anything to
harden my servers or network. All my servers and workstations are fully
patched with WSUS. I use all of the default security in SBS, including ISA
and all of the SBS-configured group policies, XP SP2 including the firewall,
etc. All of the users are power users as opposed to local admins (and
they'd be regular users if I didn't have LOB apps that prevented it). So
I'm doing everything I'm supposed to be doing, but nothing extra. I do
monitor the servers closely, including security logs, and I use 2-factor
authentication for remote access.
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23eS7iwTzGHA.2640@xxxxxxxxxxxxxxxxxxxxxxx
Your idea to use rsop.msc did the trick. Eventually found that a policy
to have the administrator account change the name was set to Recommended.
I thought it was a good idea -- and also thought it applied just to XP
boxes, so I did it. For some reason, the Admin account properties had
Recommended listed as the logon name. Set it back to the correct name and
I got in and was able to clean up what I'd done.
I now have the idea that the Microsoft docs, tools and templates I
downloaded for security ought not to be used, that there may be a guide
out there for hardening SBS servers that I should refer to instead. Any
advice?
Mike
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uDmC7QTzGHA.4116@xxxxxxxxxxxxxxxxxxxxxxx
By default, "Deny log on locally" is set for the security group "SBS
Remote Operators." That group also includes the group "Domain Power
Users." So the first thing to do is to look in AD and see if your
Administrator account is a member of either of those groups. If so,
remove the admin account from the security group and you should be good
to go.
Failing that, log on to the server with your own account. Click Start ->
Run and type in "rsop.msc" without the quotes. This will bring up a
"resultant set of policy" telling you all the policies that are applied
to the server. When you find the one that's keeping the administrator
account from logging in locally, it'll tell you which GPO contains the
policy so you can edit it.
For next time, you can back up your GPOs in the Group Policy Management
Console by right-clicking Group Policy Objects and choosing Back Up All.
The other thing is, I recommend never editing a built-in or SBS-created
policy. Create a new GPO for the specific purpose you're addressing,
such as "MS Office Settings Policy" or "Mike's Tighter Security Policy."
That way, if something unexpected happens, you can just turn off that
policy while you resolve it. You do this by r-clicking the OU you want
the policy to apply to and choosing "create and link a new policy here"
(or similar-named option).
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OpB1s5SzGHA.4092@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium with 2 NIC's, a router, and WSUS installed and
running.
===========================================
Got some down time today so decided to go through some Microsoft
products to tighten security. I started with Windows XP Security Guide
Tools and Templates; I opened the document "Windows XP Security
Guide.doc" and started from the top. I followed most of the guidance,
omitted those I don't need/want for our LAN, but when I got about 2/3's
of the way down (I'd open the doc on the top half of the monitor and GP
Management & Editor on the bottom half so I could change things as I
went.), I was trying to get to the GP Editor, but got an info window
telling me that permission was denied.
I was remoted into the server at the time, so I logged off and went down
to the server room and got on. Right away I found that I couldn't
(using the Administrator account) edit anything in GP Editor - seems I
didn't have sufficient permissions. I logged off and logged on as
myself and could edit just fine. I tried to undo everything, but Editor
tells me that the items are Not Defined, but the Management console
shows the items as defined.
I'm outta my league. Is there (I hope!) a way to re-set the GP's to the
default, out-of-the-box, settings so I can start over (and very slowly)?
--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization
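
The workflow recommended in this thread (back up all GPOs, put new settings in a purpose-specific GPO linked only to the workstation OU, disable the link if something breaks), scripted as an added example that is not part of the original posts. It assumes an admin workstation with the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or later), which SBS 2003 itself does not ship; the domain DN, backup folder, report path and server name are constructed placeholders.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

# Constructed placeholder values; substitute your own.
$GpoName   = "Mike's Tighter Security Policy"                  # name suggested in the thread
$TargetOu  = 'OU=Computers,OU=MyBusiness,DC=example,DC=local'  # hypothetical DN
$BackupDir = 'C:\GPOBackups\{0:yyyyMMdd-HHmmss}' -f (Get-Date)

function Backup-AllGpos {
    # Scripted equivalent of GPMC > Group Policy Objects > Back Up All.
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Backup-GPO -All -Path $Path -Comment 'Baseline before security changes' | Out-Null
    return $Path
}

function New-ScopedGpo {
    # Create the GPO if it does not exist and link it to one OU only,
    # so the settings never reach the server's own OU.
    param([string]$Name, [string]$Target)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Purpose-specific; built-in GPOs left untouched'
    }
    $linked = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $linked) {
        New-GPLink -Guid $gpo.Id -Target $Target -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

function Disable-ScopedGpoLink {
    # Rollback: turn the link off without deleting the GPO or its settings.
    param([string]$Name, [string]$Target)
    Set-GPLink -Name $Name -Target $Target -LinkEnabled No
}

Backup-AllGpos -Path $BackupDir
New-ScopedGpo -Name $GpoName -Target $TargetOu

# After 'gpupdate /force' on the server, confirm the new GPO is NOT applied there.
# 'SERVER01' and the report path are placeholders.
Get-GPResultantSetOfPolicy -Computer 'SERVER01' -ReportType Html -Path "$BackupDir\rsop-server.html"

# If something unexpected happens:
# Disable-ScopedGpoLink -Name $GpoName -Target $TargetOu
```

Settings are then edited inside the new GPO in the Group Policy editor; the built-in and SBS-created GPOs are never touched.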