Security Basics mailing list archives
RE: Find policies applied to an AD computer
From: "Devin Rambo" <drambo () vediorps com>
Date: Tue, 28 Aug 2007 09:56:05 -0400
Before you do anything, I would strongly advise you to get schooled in Group Policy and how it works. The ramifications of moving objects around can be more serious than you realize at first, and there is a strong possibility of unintended negative consequences if you don't understand what the result will be from making changes or moving objects, especially if you didn't design the Group Policy structure in the first place. Case in point: a while back I made a hasty change to one of my own policies that I believed would only affect my domain controllers. The following morning when I came to work, I was deluged with phone calls from users who couldn't log in because the Security logs had completely filled up overnight due to the policy change. Whoops. Here's what you want to do. First, download the Group Policy Management Console from Microsoft: http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35- 9272-DD3CBFC81887&displaylang=en Second, get yourself a good book on Group Policy which will help you get up to speed on what it is, how it works, and how it affects your various systems. I use the Microsoft Windows Group Policy Guide (ISBN 0-7356-2217-5), but there are a great number of books that have been written on the topic. Amazon's customer reviews are always helpful in dividing the wheat from the chaff when shopping for tech books. There are also a few blogs out there that primarily discuss Group Policy; some of these are worth checking out, especially gpoguy.com. Third, start researching how Group Policy has been implemented in your domain(s). Look at each of the various GPOs that have been created, study what containers they apply to, figure out what each of them does, how, and why. As has been pointed out here prior, the RSOP tool is a terrific resource, since it will tell you exactly what policies are being applied to a machine, what policies have "won" over others, etc. Four, don't do ANYTHING until you have a very solid understanding of how these are implemented. Whatever difficulties you're having now can easily be compounded if you act without fully understanding the ramifications of the changes you make. Group policies are complex, but they're not rocket science. And fortunately for you, they're well worth spending the time to learn about, because they can be a huge help to admins who understand how to implement them. You just need to proceed with care. Good luck. Devin -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dummy cerberus Sent: Friday, August 24, 2007 2:36 PM To: security-basics () securityfocus com Subject: Re: Find policies applied to an AD computer No, I have no experience at all with AD GPOs and so on... I will try that command, and sorry for my lack of knowledge... I need it because I'm facing a stablished AD structure, with several OU's correspondieng to branch offices and so on... I think (maybe I'm wrong, would appreciate your advice) that , just like users, computers should be included in the OU correponding to the branch office where they are located(currently they aren't organized at all, but randomly distributed across the AD tree9... The problem is that I have no doc about where are the GPO currently appliying to computers stored... and I thought that maybe I could find where are located all GPOs that apply to a given computer, just to move them with the computer to the OU corresponding to the branch office... Best regards
Current thread:
- Find policies applied to an AD computer Dummy cerberus (Aug 24)
- RE: Find policies applied to an AD computer Christian Campbell (Aug 24)
- RE: Find policies applied to an AD computer Wim Pouseele (Aug 24)
- Re: Find policies applied to an AD computer Buddy (Aug 27)
- Re: Find policies applied to an AD computer Nikhil Wagholikar (Aug 27)
- R: Find policies applied to an AD computer Vega - Brunello Ivan (Aug 28)
- RE: Find policies applied to an AD computer Tony Derricott (Aug 27)
- Re: Find policies applied to an AD computer Dummy cerberus (Aug 27)
- RE: Find policies applied to an AD computer Devin Rambo (Aug 28)
- Re: Find policies applied to an AD computer Dummy cerberus (Aug 27)