[ convoluted GP parsing stuff snipped...]
I know this all sounds really convoluted, and trust me, it's
a lot easier if it's drawn on a whiteboard, but this is
essentially how group policies are processed. There are
nuances I didn't touch on such as permissions to read and
apply group policy, but this has already gone on long enough. :-)
So technically there's the possibility that privileges may change during
the time between logon and whenever XP finishes processing the Group
Policy/Security Policy/Wallpaper Policy? Can I ctrl-alt-del and kill
whatever process is still parsing the policies?
Is loopback processing on by default?
Last- RSoP (which is represented in a somewhat cleaner way as
"Group Policy Results" and "Group Policy Planning" in GPMC)
has NOTHING to do with how group policy is processed. All
RSoP does is simulate the processing of group policy and show
you what the end results either *are* based on what happened
when user x in location y logged onto computer a in location
b (resultant mode in RSoP or "Group Policy Results" in GPMC)
or what they *would be* if you put user x in location y and
they logged onto computer a in location b (planning mode in
RSoP or "Group Policy Planning" in GPMC). RSoP does not
change how group policy is actually processed regardless of
whether you use it in planning mode or reporting mode.
RSoP/GPMC planning/results are merely tools to allow an
administrator to build scenarios (planning) or to
troubleshoot where specific settings came from "results".
I wasn't implying that RSoP had anything to do with processing although
looking again I can see why you'd come to that conclusion. I only meant
that whatever the RSoP _happens to be_ gets applied, not that you can
change it _using_ RSoP.
Laura
P.S. I was asleep until just before I wrote this, so please
forgive any typos or lack of clarity. :-)
I'm never really awake until 11am no matter when I get up.
Derick
-----Original Message-----
From: Derick Anderson [mailto:danderson@vikus.com]
Sent: Friday, October 21, 2005 7:58 AM
To: matthew patton; focus-ms@securityfocus.com
Subject: RE: security policy 'not specified' option
-----Original Message-----
From: matthew patton [mailto:pattonme@yahoo.com]
Sent: Thursday, October 20, 2005 4:57 PM
To: focus-ms@securityfocus.com
Subject: security policy 'not specified' option
Some time back I used a security policy editor that had 3 options:
enabled, disabled, and 'unset'. By not setting it either way, the
machine inherited the domain settings. Unfortunately the standard
system policy editors shipped with 2K/2K3/XP don't appear
to have that
3rd option which means now I've got all kinds of machine
running with
who knows what setting and ignoring the domain policy. And
once you've
selected en/disabled via the radio box, there isn't a way
to unset it.
How do I dig myself out of this?
I probably can play Registry Magic and accomplish what I
need but I
could have sworn I had a tool that would let me do what I
used to be
able to do.
any ideas?
I use Microsoft's Group Policy Management Console (GPMC) so I can't
verify my recollection on the standard Windows 2003 Group Policy
editor, but as I recall, there are usually three
options: "enabled", "disabled", and "not defined". When you choose
"not defined", the local security policy looks up the Group Policy
chain by default (you can change it) in the following order:
1. Enforced Policies from top-level down 2. Local OU GPOs 3.
Parent OU GPOs from the bottom-level up 4. Microsoft defaults
By default, the Resultant Set of Policy (RSoP) for the domain is
applied to the local computer. I don't know if you can turn
this off
(and why?) but by default it works. I would advise getting
the GPMC as
it makes the whole Group Policy process easier to understand and
implement.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4
c24-8cbd-4
b35-9272-dd3cbfc81887&DisplayLang=en
If you think that the machines aren't getting the group policy (and
they are Windows XP/2003-based) you can run gpupdate /force
to apply
the domain group policy and then check the event log to see
if there
were any errors. Also you should run netdiag and dcdiag on
your domain
controllers to make sure things are working happily.
As a test, set the Computer Configuration -> Windows Settings
-> Security Settings -> Local Policies/Security Options ->
Interactive
Logon: "Message text for users attempting to log on" to
something and
then see if your domain computers start displaying the message.
Derick Anderson
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
