Re: Group Policy is now inhibiting the Administrator account
- From: "Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx>
- Date: Fri, 1 Sep 2006 08:24:19 -0500
Interesting. I'm still a newbie, so thought that hardening my system even
more than what you've done (same as you, but without the 2-factor
authentication) was the proper way to secure my LAN from the outside and
ignorance on the inside. Maybe I should re-think this and only implement
those new GPs that address a likely threat.
I'd be interested to hear Susan Bradley's thoughts (after you heal up from
the 2x4 whacks to the head :) ).
Mike
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23vBwQSUzGHA.476@xxxxxxxxxxxxxxxxxxxxxxx
This is why I recommend creating separate group policy objects for
individual purposes. When you look in GPMC, you see all those policies
under Group Policy Objects - those are the individual GPOs. You can apply
any GPO to one or more Active Directory Organizational Units (OUs), which
are like the MyBusiness/Computers and MyBusiness/Users things you see in
AD. You can apply any given GPO to one or more OUs, so for example you
could have created a new GPO for your security settings, and only applied
it to the MyBusiness/Computers OU. That way, the policy would not have
applied to the server at all. And, as a separate GPO, you could have just
disabled it temporarily when you ran into the unintended result.
I'm going to see Susan Bradley next week at SMB Nation, and I'm risking
getting whacked with a 2x4 for saying this: I don't do much of anything
to harden my servers or network. All my servers and workstations are
fully patched with WSUS. I use all of the default security in SBS,
including ISA and all of the SBS-configured group policies, XP SP2
including the firewall, etc. All of the users are power users as opposed
to local admins (and they'd be regular users if I didn't have LOB apps
that prevented it). So I'm doing everything I'm supposed to be doing, but
nothing extra. I do monitor the servers closely, including security logs,
and I use 2-factor authentication for remote access.
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23eS7iwTzGHA.2640@xxxxxxxxxxxxxxxxxxxxxxx
Your idea to use rsop.msc did the trick. Eventually found that a policy
to have the administrator account change the name was set to Recommended.
I thought it was a good idea -- and also thought it applied just to XP
boxes, so I did it. For some reason, the Admin account properties had
Recommended listed as the logon name. Set it back to the correct name
and I got in and was able to clean up what I'd done.
I now have the idea that the Microsoft docs, tools and templates I
downloaded for security ought not to be used, that there may be a guide
out there for hardening SBS servers that I should refer to instead. Any
advice?
Mike
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uDmC7QTzGHA.4116@xxxxxxxxxxxxxxxxxxxxxxx
By default, "Deny log on locally" is set for the security group "SBS
Remote Operators." That group also includes the group "Domain Power
Users." So the first thing to do is to look in AD and see if your
Administrator account is a member of either of those groups. If so,
remove the admin account from the security group and you should be good
to go.
Failing that, log on to the server with your own account. Click
Start -> Run and type in "rsop.msc" without the quotes. This will bring
up a "resultant set of policy" telling you all the policies that are
applied to the server. When you find the one that's keeping the
administrator account from logging in locally, it'll tell you which GPO
contains the policy so you can edit it.
For next time, you can back up your GPOs in the Group Policy Management
Console by right-clicking Group Policy Objects and choosing Back Up All.
The other thing is, I recommend never editing a built-in or SBS-created
policy. Create a new GPO for the specific purpose you're addressing,
such as "MS Office Settings Policy" or "Mike's Tighter Security Policy."
That way, if something unexpected happens, you can just turn off that
policy while you resolve it. You do this by r-clicking the OU you want
the policy to apply to and choosing "create and link a new policy here"
(or similar-named option).
"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OpB1s5SzGHA.4092@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium with 2 NICs, a router, and WSUS installed and
running.
===========================================
Got some down time today so decided to go through some Microsoft
products to tighten security. I started with Windows XP Security Guide
Tools and Templates; I opened the document "Windows XP Security
Guide.doc" and started from the top. I followed most of the guidance,
omitted those I don't need/want for our LAN, but when I got about 2/3
of the way down (I'd open the doc on the top half of the monitor and GP
Management & Editor on the bottom half so I could change things as I
went), I was trying to get to the GP Editor, but got an info window
telling me that permission was denied.
I was remoted into the server at the time, so I logged off and went
down to the server room and got on. Right away I found that I couldn't
(using the Administrator account) edit anything in GP Editor - seems I
didn't have sufficient permissions. I logged off and logged on as
myself and could edit just fine. I tried to undo everything, but
Editor tells me that the items are Not Defined, but the Management
console shows the items as defined.
I'm outta my league. Is there (I hope!) a way to re-set the GPs to
the default, out-of-the-box, settings so I can start over (and very
slowly)?
--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization
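
The workflow recommended in this thread (back up all GPOs, put extra hardening in its own GPO linked only to the workstation OU, check that it does not reach the server, and keep a one-step rollback), as an added example that is not part of the original posts. It assumes a Windows Server release that ships the GroupPolicy PowerShell module rather than the GUI-only tooling of SBS 2003; the domain name, OU paths and backup folder are constructed placeholders.

```powershell
# Added example; requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

$GpoName       = "Mike's Tighter Security Policy"                  # name suggested in the thread
$WorkstationOu = 'OU=Computers,OU=MyBusiness,DC=example,DC=local'  # placeholder DN
$ServerOu      = 'OU=Domain Controllers,DC=example,DC=local'       # placeholder DN
$BackupDir     = 'C:\GPOBackups\{0:yyyyMMdd-HHmmss}' -f (Get-Date) # placeholder path

# 1. Back up every GPO before changing anything (GPMC "Back Up All").
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Backup-GPO -All -Path $BackupDir -Comment 'Before hardening changes' | Out-Null

# 2. Create a dedicated GPO instead of editing a built-in or SBS-created one.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Extra workstation hardening' | Out-Null
}

# 3. Link it only to the workstation OU, skipping the step if the link exists.
$linked = (Get-GPInheritance -Target $WorkstationOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $WorkstationOu -LinkEnabled Yes | Out-Null
}

# 4. Confirm the GPO is not among the links that reach the server's OU.
#    This checks links and inheritance only, not security or WMI filtering.
$reachesServer = (Get-GPInheritance -Target $ServerOu).InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if ($reachesServer) {
    Write-Warning "'$GpoName' also applies to $ServerOu; review its links."
}

# 5. Save a resultant-set-of-policy report for this machine and user,
#    the scripted counterpart of running rsop.msc.
Get-GPResultantSetOfPolicy -ReportType Html `
    -Path (Join-Path $BackupDir 'rsop.html') | Out-Null

# 6. Rollback: disable the link (the GPO and its settings are kept).
function Disable-HardeningLink {
    Set-GPLink -Name $GpoName -Target $WorkstationOu -LinkEnabled No
}
```

Call `Disable-HardeningLink` if the new policy has an unintended effect; `gpupdate /force` on an affected machine re-evaluates policy without waiting for the refresh interval.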