TO the list,
I would like to use the Restrictive Groups Setting in Windows 2008 R2 SP1 DFL/FFL to lock the settings of specific groups to what I want them to be ( Namely DA and Administrators and a few others specific groups, to meet audit requirements) What I have done so far. Created a Test group, and added users to it in AD, then created the GPO and specified the users I wanted in the group, and then linked it at the root of my accounts domain ( no Override is set) Then I went into AD, and added a new user to the group, that is the target of lockdown ( which is what I am trying to prevent via GPO, any new members adding to the group either if DA, ADMIn or otherwise, so I can have a level of assurance that there isn't going to be elevation of privilege going forward. Is this all that needs to be done, and how long after a change would the GPO take effect to set it back to membership in the first place? Has others on the list done it in a different fashion or updated their default domain controllers policy or default domain policy to accomplish this? TIA, EZ Edward E. Ziots CISSP, Network +, Security + Security Engineer Lifespan Organization Email:[email protected] Cell:401-639-3505 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
<<image002.jpg>>
