You can change the GPO refresh interval via GPO to refresh more often, or with 
a different offset. Depending on your security needs, it can be adjusted either 
up or down. It might also help to use some kind of auditing service like SCOM 
ACS to monitor for changes to specific local groups.

Sent from my POS BlackBerry wireless device, which may wipe itself at any 
moment

-----Original Message-----
From: "Ziots, Edward" <[email protected]>
Date: Fri, 23 Sep 2011 10:02:24 
To: NT System Admin Issues<[email protected]>
Reply-To: "NT System Admin Issues" <[email protected]>
Subject: Using Restrictive Groups to lock down membership to certain groups in AD

To the list,

I would like to use the Restrictive Groups setting in Windows 2008 R2
SP1 DFL/FFL to lock the settings of specific groups to what I want them
to be (namely DA and Administrators and a few other specific groups,
to meet audit requirements).

 

What I have done so far:

Created a test group and added users to it in AD, then created the GPO
and specified the users I wanted in the group, and then linked it at the
root of my accounts domain (No Override is set).

 

Then I went into AD and added a new user to the group that is the
target of the lockdown (which is what I am trying to prevent via GPO: any
new members being added to the group, whether by DA, Admin or otherwise, so I
can have a level of assurance that there isn't going to be elevation of
privilege going forward).

 

Is this all that needs to be done, and how long after a change would the
GPO take effect to set it back to the original membership?

Have others on the list done it in a different fashion, or updated their
Default Domain Controllers Policy or Default Domain Policy to accomplish
this?

 

TIA,

EZ

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin

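Added example, not code from either poster in this thread: a PowerShell check that compares the live membership of the sensitive groups against the approved list (the same list that goes into the Restricted Groups policy), and pulls the Security-log events that record who changed membership in between policy refreshes. It assumes the RSAT ActiveDirectory module, rights to read the Security log on a domain controller, and that "Audit account management" (or the Security Group Management subcategory) is enabled on the DCs. The group names, account names and the DC name are placeholders.

```powershell
# Added example (not from the original thread). Reports drift between the
# approved membership of sensitive AD groups and what is actually in AD, and
# lists the membership-change events written by the DC that processed them.
# Assumes: RSAT ActiveDirectory module, Security-log read access on the DC,
# account-management auditing enabled. All names below are placeholders.
Import-Module ActiveDirectory

# Approved direct members, by sAMAccountName (placeholder values).
$Baseline = @{
    'Domain Admins'  = @('Administrator', 'ez-admin')
    'Administrators' = @('Administrator', 'Domain Admins', 'Enterprise Admins')
}

function Get-GroupDrift {
    # One object per group: members present but not approved (Extra) and
    # approved members that are absent (Missing).
    param([hashtable]$Baseline)
    foreach ($group in $Baseline.Keys) {
        # Direct members only: the Restricted Groups "Members of this group"
        # setting enforces direct membership, so that is what is compared.
        $actual  = @(Get-ADGroupMember -Identity $group |
                     Select-Object -ExpandProperty SamAccountName)
        $extra   = @($actual | Where-Object { $Baseline[$group] -notcontains $_ })
        $missing = @($Baseline[$group] | Where-Object { $actual -notcontains $_ })
        New-Object PSObject -Property @{
            Group   = $group
            Extra   = $extra
            Missing = $missing
            InSync  = ($extra.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

function Get-GroupMembershipChanges {
    # Security events for membership changes, by group scope:
    #   4728 / 4729  added to / removed from a security-enabled global group
    #   4732 / 4733  same for a domain local group (e.g. BUILTIN\Administrators)
    #   4756 / 4757  same for a universal group
    param([string]$DomainController, [int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4732, 4733, 4756, 4757
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
    ForEach-Object {
        # Read the EventData fields by name rather than by position.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $data['TargetUserName']
            Member    = $data['MemberName']   # DN of the account added/removed
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

# Example run. Drift is reported, not remediated: Restricted Groups puts the
# membership back on the next Group Policy refresh; this shows what changed
# in the meantime and who did it.
Get-GroupDrift -Baseline $Baseline |
    Format-Table Group, InSync, Extra, Missing -AutoSize
Get-GroupMembershipChanges -DomainController 'dc01.example.com' -Hours 24 |
    Sort-Object Time | Format-Table Time, EventId, Group, Member, ChangedBy -AutoSize
```

Two points of general Group Policy behaviour, not claims from the thread, bear on the timing question: Restricted Groups is a Computer Configuration setting, so for AD groups it takes effect when the domain controllers process the GPO, and domain controllers refresh policy every 5 minutes by default (member servers and workstations every 90 minutes plus a random offset of up to 30 minutes), with the security-settings extension re-applied every 16 hours even when the GPO has not changed. To see the setting applied immediately on a DC, run gpupdate /force there, then re-run Get-GroupDrift.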
