Security Basics mailing list archives

RE: AD Policy audit tool for Windows 2000


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 1 Jun 2006 20:29:20 -0400

You can, but there are additional issues involved when managing
server-based GPOs from XP. Doing normal AD things like adding users,
etc...no problems. But there are things missing on the XP side that are
not on the W2K3 side, and that even applies for fields in user accounts.
If you administrate user accounts from the server, you can see more
stuff than if you adjust them from XP (in most normal cases). So, yes,
you can administrate AD and GPOs from XP, but I'd RDP to the server and
administrate it from there to avoid missing fields, overwrite issues,
and other problems.

While we're at it, you should try to do all your GPO mgmt from a single
DC as well, so you don't have conflicts/overwrites from other servers
from other administrators (i.e. they open and modify something on one
DC, you open and modify the same object on another - last saved one
wins). It's a good practice to administrate AD and especially GPOs from
a constant central location, and preferably from a server.

You have been warned. <grin>

Just years of real life experience talking.

-----Original Message-----
From: Raoul Armfield [mailto:armfield () amnh org] 
Sent: Wednesday, May 31, 2006 2:22 PM
To: Koolk3
Cc: jfvanmeter () comcast net; Roger A. Grimes;
security-basics () securityfocus com
Subject: Re: AD Policy audit tool for Windows 2000

Koolk3 wrote:
I would like to thank everyone for their input.

Among all the tools suggested I think GPMC is the most useful and 
relevant for me. I was looking for something that would generate an 
HTML type report that is easily human readable.

However, the issue now is that the domain controllers is Windows 2000 
and I was told GPMC could not be installed on it. Did anyone have any 
success installing GPMC on win 2000 server? I don't have access to any
win 2000 server to test this out.

Thanks.


We went straight from NT4 to 2003 so I do not speak from experience but
I was under the impression that as long as you installed GPMC on a
Windows XP computer you could manage the group policy on any domain
controller whether it is 2000 or 2003.

--
Raoul Armfield
rarmfield at amnh dot org

