Security Basics mailing list archives
RE: Group Policy Connundrum - Stick with it, its confusing!!!
From: "Jon Petre" <jono-31 () hotmail co uk>
Date: Fri, 05 Oct 2007 14:32:19 +0000
Thanks for the assistance guys. Policy is now been appied across all my seven sites :-}
Jon
From: "Roger A. Grimes" <roger () banneretcs com> To: "Jon Petre" <jono-31 () hotmail co uk> CC: <security-basics () securityfocus com> Subject: RE: Group Policy Connundrum - Stick with it, its confusing!!! Date: Tue, 2 Oct 2007 19:08:28 -0400 Yes, GPO's can only be applied to OUs. Those OUs can contain user or computer objects. If you want to apply a particular GPO to a user account, you must configure the appropriate settings to the User Configuration object of the GPO (vs. Computer Configuration object), link the GPO to the OU (or let it be inherited into the OU from a parent OU) that contains the appropriate user accounts, and the user accounts must have the Read and Apply Group Policy permissions on the GPO in question. That latter portion can be accomplished using security groups to set the correct permissions. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley) *http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470 101555 ***************************************************************** -----Original Message----- From: Jon Petre [mailto:jono-31 () hotmail co uk] Sent: Tuesday, October 02, 2007 12:42 PM To: Roger A. Grimes Cc: security-basics () securityfocus com Subject: RE: Group Policy Connundrum - Stick with it, its confusing!!! Hi Roger, OK. I have ran a couple of the test's that you recommended and would really appreciate your input: This is the output from gpresult on the local workstation - I have omitted the computer policies and just included the user policies. CN=D*****,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=P*******Ltd,DC=local Last time Group Policy was applied: 02/10/2007 at 10:36:05 Group Policy was applied from: dcserver.**********.local Group Policy slow link threshold: 500 kbps Applied Group Policy Objects ----------------------------- Default Domain Policy No Internet The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Small Business Server Internet Connection Firewall Filtering: Denied (WMI Filter) WMI Filter: PreSP2 Small Business Server Windows Firewall Filtering: Not Applied (Empty) Small Business Server Client Computer Filtering: Not Applied (Empty) Small Business Server Domain Password Policy Filtering: Not Applied (Empty) Small Business Server Lockout Policy Filtering: Disabled (GPO) Small Business Server Remote Assistance Policy Filtering: Disabled (GPO) Local Group Policy Filtering: Not Applied (Empty) The user is a part of the following security groups: ---------------------------------------------------- Domain Users Everyone BUILTIN\Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users LOCAL No Internet SageMMS Terminal Services Users Branch Users Web Workplace Users Resultant Set Of Policies for User: ------------------------------------ Software Installations ---------------------- N/A Public Key Policies ------------------- N/A Administrative Templates ------------------------ GPO: No Internet Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel State: Enabled Folder Redirection ------------------ N/A Internet Explorer Browser User Interface ---------------------------------------- GPO: No Internet Large Animated Bitmap Name: N/A Large Custom Logo Bitmap Name: N/A Title BarText: P****** Ltd UserAgent Text: N/A Delete existing toolbar buttons: No Internet Explorer Connection ---------------------------- HTTP Proxy Server: 0.0.0.0:80 Secure Proxy Server: 0.0.0.0:80 FTP Proxy Server: 0.0.0.0:80 Gopher Proxy Server: 0.0.0.0:80 Socks Proxy Server: 0.0.0.0:80 Auto Config Enable: No Enable Proxy: Yes Use same Proxy: Yes Internet Explorer URLs ---------------------- GPO: No Internet Home page URL: N/A Search page URL: N/A Online support page URL: N/A Internet Explorer Security -------------------------- Always Viewable Sites: N/A Password Override Enabled: False GPO: No Internet Import the current Content Ratings Settings: No Import the current Security Zones Settings: No Import current Authenticode Security Information: No Enable trusted publisher lockdown: No Internet Explorer Programs -------------------------- GPO: No Internet Import the current Program Settings: No From this I can see the policy that applies the false proxy but I can not see my exceptions that are in place!! This is rather confusing for me. After further investigation I believe I am right in saying that GP's are applied to OU's and not security groups. If this is the case, then the AD infrastructure that I am working on is setup incorrectly. All the users are placed in one OU. After carrying out an RSOP on the OU, and then drilling down, I find that no proxy settings are been enabled!! As you can probably see, I am actually quite confused now. Can you shed further light on this confusing matter. If you require further info, I will be most happy to oblige. Thanks Jon >From: "Roger A. Grimes" <roger () banneretcs com> >To: "Jon Petre" ><jono-31 () hotmail co uk>,<security-basics () securityfocus com> >Subject: RE: Group Policy Connundrum - Stick with it, its confusing!!! >Date: Sun, 30 Sep 2007 15:07:01 -0400 > >Jon, > >There are lots of ways to troubleshot. > >Try running an rsop.msc on the workstation and look at the relevant >results. > >Or you can run gpresult.exe /v >gpresult.txt && gpresult.txt and look >at it in a text file. > >Are the correct settings being pushed down? If so, then it might be a >GPO application problem. You can turn on group policy logging and see >what is not being applied, and why. > >If rsop.msc and gpresult show the correct settings, are the correct >registry edits being made under HKCU\Software\Policies? > >I'll help you troubleshoot. > >Roger > >******************************************************************* >*Roger A. Grimes, Senior Security Consultant *Microsoft Application >Consulting and Engineering (ACE) Services >*http://blogs.msdn.com/ace_team/default.aspx >*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada... >*email: roger () banneretcs com or rogrim () microsoft com *Author of Windows >Vista Security: Security Vista Against Malicious Attacks (Wiley) >*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/047 >0 >101555 >******************************************************************* > > > >-----Original Message----- >From: listbounce () securityfocus com >[mailto:listbounce () securityfocus com] >On Behalf Of Jon Petre >Sent: Friday, September 28, 2007 5:09 AM >To: security-basics () securityfocus com >Subject: Group Policy Connundrum - Stick with it, its confusing!!! > >Hello List, > >I have an issue at a customers site regarding GP that goes a little >like >this: > >I have created a policy named no internet. I have created a security >group named the same. In this group are so many users based across the >country that I want to limit the internet usage, therefore I have >created a false proxy @ 0.0.0.0 that all their internet use has to pass >through. This gives the expected result where no pages are displayed >regardless of which site the user goes to. I have also created some >exceptions for this policy, which do not use the proxy, i.e. > >www.homepageofcompany.com, www.siteiwanttoallow.com, >www.theusercangohere.co.uk. > >This is done by setting the 'user configuration > Internet Explorer > >Connection > Proxy Settings > Exceptions'. The desired output is that >user's logon and can access these sites, but any other non specified >site wont work. > >----I hope this makes sense so far---- > >Then by setting the 'Admin Template > Windows Components > Internet >Explorer > Disable Changing Proxy Settings' to enabled effectively >grays out the proxy settings in internet explorer and stops the user >from altering the settings. > >OK, this is where the issues start. When I toggle the 'Admin Template > >Windows Components > Internet Explorer > Disable Changing Proxy >Settings' >between enable and disable, and update the policy on the local machine >via GPUPDATE, or even from the server by forcing the update, everything >works and the proxy is enabled and disabled as specified. > >However, when I try to make changes to any part of the user config, >the policy does not seem to initialise. What I mean is any sites I add >to the exception list do not appear and the end result is the user can >not access any sites at all. I have logged on and off, and re-booted >workstation all to no effect. > >Any suggestions on why the user configuration portion of the Group >Policy does not work would be much appreciated. I am sure all the >permissions are set correctly, i.e. the apply GP settings, read >settings etc. If they wasn't, then surely no part of the policy would >work, would it? > >TIA, > >Jono > >_________________________________________________________________ >The next generation of Hotmail is here! http://www.newhotmail.co.uk > _________________________________________________________________ Get Pimped! FREE emoticon packs from Windows Live - http://www.pimpmylive.co.uk
_________________________________________________________________ The next generation of Hotmail is here! http://www.newhotmail.co.uk
Current thread:
- RE: Group Policy Connundrum - Stick with it, its confusing!!! Roger A. Grimes (Oct 01)
- <Possible follow-ups>
- RE: Group Policy Connundrum - Stick with it, its confusing!!! Jon Petre (Oct 02)
- RE: Group Policy Connundrum - Stick with it, its confusing!!! Jon Petre (Oct 02)
- Re: Group Policy Connundrum - Stick with it, its confusing!!! Ian Smith (Oct 02)
- RE: Group Policy Connundrum - Stick with it, its confusing!!! Roger A. Grimes (Oct 03)
- RE: Group Policy Connundrum - Stick with it, its confusing!!! Jon Petre (Oct 05)
- RE: Group Policy Connundrum - Stick with it, its confusing!!! Murda Mcloud (Oct 03)