Pretty much.

Members is where I put the allowed members of the group, and then Members Of is what other groups this group can be a member of, if I get what I read correctly. Again, feel free to correct me if I don't have it Majellin that well; it's Friday morning, and the coffee hasn't kicked in just yet.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505
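To make the Members / Member Of distinction concrete, here is a small added example (not from the thread, and not Microsoft's code) that parses the [Group Membership] section of a GPO's GptTmpl.inf, which is the on-disk form of the Restricted Groups setting, and simulates what one policy refresh does to a group's membership. The group names and SIDs are constructed placeholders.

```python
"""Model how a Restricted Groups policy is applied to a group, using the
[Group Membership] section of the GPO's GptTmpl.inf (the on-disk form of
the 'Members' / 'Member Of' settings). Constructed example; group names and
SIDs are placeholders, not values from the thread."""
import configparser

# Constructed GptTmpl.inf fragment. "__Members" is authoritative: on every
# policy refresh anyone not listed is removed and anyone listed is added.
# "__Memberof" only adds this group to the listed groups; it never removes.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
CORP\\Test-Locked__Memberof = *S-1-5-32-544
CORP\\Test-Locked__Members = CORP\\ez,CORP\\jkennedy
"""


def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...] or None, "memberof": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of group names and SIDs
    cp.read_string(inf_text)
    policy = {}
    for key, value in cp.items("Group Membership"):
        group, _, setting = key.rpartition("__")
        entry = policy.setdefault(group, {"members": None, "memberof": []})
        values = [v.strip() for v in value.split(",") if v.strip()]
        if setting.lower() == "members":
            entry["members"] = values  # an empty list means "nobody"
        elif setting.lower() == "memberof":
            entry["memberof"] = values
    return policy


def apply_members(policy, group, current_members):
    """Simulate one refresh: return (final, added, removed) for `group`."""
    allowed = policy.get(group, {}).get("members")
    if allowed is None:  # no Members line: membership is left untouched
        return sorted(current_members), [], []
    current, wanted = set(current_members), set(allowed)
    return sorted(wanted), sorted(wanted - current), sorted(current - wanted)


if __name__ == "__main__":
    pol = parse_restricted_groups(SAMPLE_INF)
    # Someone added CORP\newguy by hand, as in the test described in the thread.
    final, added, removed = apply_members(
        pol, "CORP\\Test-Locked", ["CORP\\ez", "CORP\\newguy"])
    print("final:", final, "added:", added, "removed:", removed)
```

The hand-added account shows up in `removed`, which is exactly what happens at the next refresh interval or on `gpupdate`; a group that has only a Member Of line is never pruned this way.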

 

 

From: Kennedy, Jim [mailto:[email protected]] 
Sent: Friday, September 23, 2011 10:08 AM
To: NT System Admin Issues
Subject: RE: Using Restrictive Groups to lockdown membership to certain
groups in AD

 

Should pick it up at the next gp refresh interval. It does not require a
reboot. If you do a gpupdate without a reboot they will pop right in.
Do you have 'members' and 'members of' straight in your head and set up
right?  That is the tricky part that sometimes makes my brain hurt.

 

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Friday, September 23, 2011 10:02 AM
To: NT System Admin Issues
Subject: Using Restrictive Groups to lockdown membership to certain
groups in AD

 

To the list,

 

I would like to use the Restrictive Groups setting in Windows 2008 R2 SP1 DFL/FFL to lock the membership of specific groups to what I want it to be (namely DA and Administrators and a few other specific groups, to meet audit requirements).

 

What I have done so far. 

 

Created a test group and added users to it in AD, then created the GPO and specified the users I wanted in the group, and then linked it at the root of my accounts domain (No Override is set).

 

Then I went into AD and added a new user to the group that is the target of the lockdown (which is what I am trying to prevent via GPO: any new members being added to the group, whether by DA, Admin or otherwise, so I can have a level of assurance that there isn't going to be elevation of privilege going forward).

 

Is this all that needs to be done, and how long after a change would the GPO take effect to set the membership back to what it was in the first place?

Have others on the list done it in a different fashion, or updated their Default Domain Controllers Policy or Default Domain Policy to accomplish this?

 

TIA,

EZ

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
