> In 2000 you could not control Domain Groups with this policy

Sure you could, that is how people managed to lock themselves out of the high level administrative groups because they didn't understand all the implications fully. It's also why the most knowledgeable folks I know have recommended against it over the years for controlling the membership of such groups.
From: Kennedy, Jim [mailto:[email protected]]
Sent: Friday, September 23, 2011 7:59 AM
To: NT System Admin Issues
Subject: RE: Using Restrictive Groups to lockdown membership to certain groups in AD

I go back to my previous post that questions if you can even do this. In 2000 you could not control Domain Groups with this policy. Only local groups. It is a computer policy, no? Or is there a more recent change that I don't know about?

From: Ziots, Edward [mailto:[email protected]]
Sent: Friday, September 23, 2011 10:52 AM
To: NT System Admin Issues
Subject: RE: Using Restrictive Groups to lockdown membership to certain groups in AD

Problem is this isn't being applied to computers, but to make sure that a set of Global Groups' membership stays exactly the way it's been agreed upon and show audit that it's working effectively. So all this GPO is being done within AD, not to computers or users.

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: [email protected] [mailto:[email protected]]
Sent: Friday, September 23, 2011 10:36 AM
To: NT System Admin Issues
Subject: Re: Using Restrictive Groups to lockdown membership to certain groups in AD

You could use a separate refresh GPO to override the default, scoped to a certain set of computers through the security filtering.

Sent from my POS BlackBerry wireless device, which may wipe itself at any moment

________________________________________

From: "Ziots, Edward" <[email protected]>
Date: Fri, 23 Sep 2011 10:28:06 -0400
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: RE: Using Restrictive Groups to lockdown membership to certain groups in AD

I did look into the Group Policy Refresh Interval, but it seems that is being done globally, which might affect the other GPOs in place. I did look at the following area in my GPO shown below:

Computer Settings, Admin Templates, System, Group Policy.

Since this is a setting of the members of a group with a GPO, which is inside Active Directory, setting the Group Policy Refresh for Computers or Domain Controllers inside this might not be the best way to get this GPO to refresh more often. Ideas on this one (say if I want the GPO to reapply the settings on the affected Global Group on a 15-30 min basis)?

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: [email protected] [mailto:[email protected]]
Sent: Friday, September 23, 2011 10:06 AM
To: NT System Admin Issues
Subject: Re: Using Restrictive Groups to lockdown membership to certain groups in AD

You can change the GPO refresh interval via GPO to refresh more often, or with a different offset. Dependent on your security needs it can be adjusted either up or down. It might also help to use some kind of auditing service like SCOM ACS to monitor for changes to specific local groups.

Sent from my POS BlackBerry wireless device, which may wipe itself at any moment

________________________________________

From: "Ziots, Edward" <[email protected]>
Date: Fri, 23 Sep 2011 10:02:24 -0400
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: Using Restrictive Groups to lockdown membership to certain groups in AD

To the list,

I would like to use the Restrictive Groups Setting in Windows 2008 R2 SP1 DFL/FFL to lock the settings of specific groups to what I want them to be (namely DA and Administrators and a few other specific groups, to meet audit requirements). What I have done so far:

Created a Test group, and added users to it in AD, then created the GPO and specified the users I wanted in the group, and then linked it at the root of my accounts domain (no Override is set). Then I went into AD, and added a new user to the group that is the target of lockdown (which is what I am trying to prevent via GPO: any new members being added to the group, either DA, Admin or otherwise, so I can have a level of assurance that there isn't going to be elevation of privilege going forward). Is this all that needs to be done, and how long after a change would the GPO take effect to set it back to the membership in the first place? Have others on the list done it in a different fashion, or updated their default domain controllers policy or default domain policy to accomplish this?

TIA,
EZ

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
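The thread's underlying need is audit assurance that the direct membership of groups such as Domain Admins stays exactly as agreed, on a tighter cadence than the GPO refresh. The script below is an added example, not something posted in the thread: it compares each protected group's direct AD membership against an approved baseline and reports drift, so it can run as a scheduled task every 15-30 minutes under a read-only account. It assumes the RSAT ActiveDirectory module is installed; the group names are real built-ins, but the member names in the baseline are constructed placeholders.

```powershell
# Added example (not from the thread). Reports drift between an approved
# membership baseline and the direct members of each protected AD group.
# Assumes the ActiveDirectory module; baseline member names are placeholders.
#Requires -Modules ActiveDirectory

# Approved direct members per group (constructed placeholder values).
# Restricted Groups enforces direct membership, so nesting is intentionally ignored.
$Baseline = @{
    'Domain Admins'  = @('Administrator', 'da.breakglass')
    'Administrators' = @('Administrator', 'Domain Admins', 'Enterprise Admins')
}

function Get-GroupDrift {
    param([Parameter(Mandatory)] [hashtable] $Approved)

    foreach ($group in $Approved.Keys) {
        # SamAccountName is returned for users and groups alike; foreign security
        # principals from trusted domains may have none and will show up as empty.
        $actual   = @(Get-ADGroupMember -Identity $group |
                      Select-Object -ExpandProperty SamAccountName)
        $expected = @($Approved[$group])
        $checked  = (Get-Date).ToUniversalTime().ToString('o')

        # -notcontains is case-insensitive for strings, matching SAM name semantics.
        foreach ($m in $actual) {
            if ($expected -notcontains $m) {
                [pscustomobject]@{ Group = $group; Member = $m
                                   Finding = 'Unexpected member'; Checked = $checked }
            }
        }
        foreach ($m in $expected) {
            if ($actual -notcontains $m) {
                [pscustomobject]@{ Group = $group; Member = $m
                                   Finding = 'Approved member missing'; Checked = $checked }
            }
        }
    }
}

$drift = @(Get-GroupDrift -Approved $Baseline)
if ($drift.Count -eq 0) {
    Write-Output 'No membership drift detected.'
    exit 0
}
$drift | Format-Table -AutoSize
# A non-zero exit code lets the scheduled task or monitoring agent raise an alert
# and gives the audit trail a timestamped record of each deviation.
exit 1
```

Because this only reads membership, it cannot lock anyone out the way an over-broad Restricted Groups policy can; remediation stays a deliberate, reviewed step.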
