Security Basics mailing list archives
RE: AD Policy audit tool for Windows 2000
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 1 Jun 2006 20:29:20 -0400
You can, but there are additional issues involved when managing server-based GPO's from XP. Doing normal AD things like adding users, etc...no problems. But there are things missing on the XP side that are not on the W2K3 side, and that even applies for fields in user accounts. If you administrate user accounts from the server, you can see more stuff, than if you adjust them from XP (in most normal cases). So, yes, you can administrate AD and GPOs from XP, but I'd RDP to the server and administrate it from there to avoid missing fields, overwrite issues, and other problems. While we're at it, you should try to do all your GPO mgmt from a single DC as well, so you don't have conflicts/overwrites from other servers from other administrators (i.e. they open and modify something on one DC, you open and modify the same object on another-last saved one wins.). It's a good practice to administrate AD and especially GPOs from a constant central location, and preferably from a server. You have been warned. <grin> Just years of real life experience talking. -----Original Message----- From: Raoul Armfield [mailto:armfield () amnh org] Sent: Wednesday, May 31, 2006 2:22 PM To: Koolk3 Cc: jfvanmeter () comcast net; Roger A. Grimes; security-basics () securityfocus com Subject: Re: AD Policy audit tool for Windows 2000 Koolk3 wrote:
I would like to thank everyone for their input. Among all the tools suggested I think GPMC is the most useful and relevant for me. I was looking for something that would generate an HTML type report that is easily human readable. However, the issue now is that the domian controllers is windows 2000 and I was told GPMC could not be installed on it. Did anyone have any success installing GPMC on win 2000 server? I don't have access to any
win 2000 server to test this out. Thanks.
We went straight from NT4 to 2003 so I do not speak from experience but I was under the impression that as long as you installed GPMC on a windows XP computer you could manage the group policy on any domain controller whether it is 2000 or 2003 -- Raoul Armfield rarmfield at amnh dot org
Current thread:
- RE: AD Policy audit tool for Windows 2000 Roger Onken (Jun 01)
- <Possible follow-ups>
- Re: AD Policy audit tool for Windows 2000 Raoul Armfield (Jun 01)
- RE: AD Policy audit tool for Windows 2000 Roger A. Grimes (Jun 01)
- RE: AD Policy audit tool for Windows 2000 Steven Lundberg (Jun 01)
- RE: AD Policy audit tool for Windows 2000 Roger A. Grimes (Jun 02)