Domain Controller Security Policy

Guest
Archived from groups: microsoft.public.win2000.group_policy

Hello, I posted this as the last in a series of questions in the AD
group, but got no answer. Please help me figure this out.

I understand how to create a new policy for the domain, an OU, or site,
but I want another policy for the Domain Controller (the current one is
the Start>Programs>Administrative Tools>Domain Controller Security
Policy), that only applies when a user logs on physically to the Domain
Controller machine. I want the settings (in that policy) for "Print
Operators," for example, to be different than the settings for the
Administrators, Domain Admins groups.

How do I create a new policy for the Domain Controller so I can
differentiate between Admins logging on to the DC machine and "Print
Operators" or any other group I choose?

Basically, I want Admins to do whatever they want when logging on to the
Domain Controller, but I also want a small group of users to log in to
the same Domain Controller machine, but be able to only use a certain
application, and not be able to change stuff like DNS, Exchange, ISA, etc.

Thanks for the patience and advice,
George
georgebarleyit_nospam@yahoo.com (get rid of "_nospam" to email me)

Guest

George-
It really depends upon what you're trying to control. In your question you
allude to things like the ability to change things like DNS, Exchange, etc.
Not all of this stuff is easily delegate-able. In general, Administrators
can do anything and it goes downhill from there. You can use security policy
to delegate particular rights to particular user groups but there is no easy
or clean solution for controlling everything. You can of course use
Restricted Groups policy to selectively add user groups into built-in groups
that do grant some capabilities but it really depends upon exactly what
you're trying to delegate.

Darren
"George Barley" <georgebarleyit_nospam@yahoo.com> wrote in message
news:uo4pF2LLEHA.1032@tk2msftngp13.phx.gbl...
> Hello, I posted this as the last in a series of questions in the AD
> group, but got no answer. Please help me figure this out.
>
> I understand how to create a new policy for the domain, an OU, or site,
> but I want another policy for the Domain Controller (the current one is
> the Start>Programs>Administrative Tools>Domain Controller Security
> Policy), that only applies when a user logs on physically to the Domain
> Controller machine. I want the settings (in that policy) for "Print
> Operators," for example, to be different than the settings for the
> Administrators, Domain Admins groups.
>
> How do I create a new policy for the Domain Controller so I can
> differentiate between Admins logging on to the DC machine and "Print
> Operators" or any other group I choose?
>
> Basically, I want Admins to do whatever they want when logging on to the
> Domain Controller, but I also want a small group of users to log in to
> the same Domain Controller machine, but be able to only use a certain
> application, and not be able to change stuff like DNS, Exchange, ISA, etc.
>
> Thanks for the patience and advice,
> George
> georgebarleyit_nospam@yahoo.com (get rid of "_nospam" to email me)

Guest

Darren,

My goal is to let a couple of users log on to the Domain Controller
machine with ability to do nothing but run this one application, which
is a RIP (Raster Image Processor).

I understand I have to do it in the Domain Controller Security Policy,
but I don't understand how to differentiate between Administrators, and
say a group called "Rip_Users," to where Admins can do anything, and
"Rip_Users" can't do but run the RIP app. Where, how, do I do this? I
need step-by-step instructions. I am very new to Group Policy.

Thank you!

Regards,
George


Darren Mar-Elia wrote:
> George-
> It really depends upon what you're trying to control. In your question you
> allude to things like the ability to change things like DNS, Exchange, etc.
> Not all of this stuff is easily delegate-able. In general, Administrators
> can do anything and it goes downhill from there. You can use security policy
> to delegate particular rights to particular user groups but there is no easy
> or clean solution for controlling everything. You can of course use
> Restricted Groups policy to selectively add user groups into built-in groups
> that do grant some capabilities but it really depends upon exactly what
> you're trying to delegate.
>
> Darren
> "George Barley" <georgebarleyit_nospam@yahoo.com> wrote in message
> news:uo4pF2LLEHA.1032@tk2msftngp13.phx.gbl...
>
>>Hello, I posted this as the last in a series of questions in the AD
>>group, but got no answer. Please help me figure this out.
>>
>>I understand how to create a new policy for the domain, an OU, or site,
>>but I want another policy for the Domain Controller (the current one is
>>the Start>Programs>Administrative Tools>Domain Controller Security
>>Policy), that only applies when a user logs on physically to the Domain
>>Controller machine. I want the settings (in that policy) for "Print
>>Operators," for example, to be different than the settings for the
>>Administrators, Domain Admins groups.
>>
>>How do I create a new policy for the Domain Controller so I can
>>differentiate between Admins logging on to the DC machine and "Print
>>Operators" or any other group I choose?
>>
>>Basically, I want Admins to do whatever they want when logging on to the
>>Domain Controller, but I also want a small group of users to log in to
>>the same Domain Controller machine, but be able to only use a certain
>>application, and not be able to change stuff like DNS, Exchange, ISA, etc.
>>
>>Thanks for the patience and advice,
>>George
>>georgebarleyit_nospam@yahoo.com (get rid of "_nospam" to email me)
>
>
>

Guest

George Barley <georgebarleyit_nospam@yahoo.com> said

> Darren,
>
> My goal is to let a couple of users log on to the Domain Controller
> machine with ability to do nothing but run this one application, which
> is a RIP (Raster Image Processor).
>
> I understand I have to do it in the Domain Controller Security Policy,
> but I don't understand how to differentiate between Administrators, and
> say a group called "Rip_Users," to where Admins can do anything, and
> "Rip_Users" can't do but run the RIP app. Where, how, do I do this? I
> need step-by-step instructions. I am very new to Group Policy.
>

You need to create an OU that contains the domain controllers and apply your
GPO to that OU. Make the GPO a loopback policy to ensure that all
settings are applied to users that log in to machines in that OU.
You can then use security on the GPO to deny the 'Apply Group Policy'
permission to the domain admins security group.

Andy.
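The procedure Andy describes (a GPO linked to the OU holding the domain controllers, loopback processing, and security filtering so the admins are left alone), written out as an added PowerShell example; it is not code from the thread or from Microsoft. It assumes a current Windows Server with the RSAT GroupPolicy and ActiveDirectory modules (the cmdlets did not exist on Windows 2000), that the DCs sit in the default Domain Controllers OU, and that the group is named "Rip_Users" as in the thread; instead of an explicit deny ACE on Domain Admins it filters the GPO so only Rip_Users applies it, which has the same effect as long as no admin is also a member of that group.

```powershell
# Added example (not from the thread): a loopback GPO for the Domain Controllers
# OU whose user-side settings reach only members of Rip_Users.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and membership in a group
# allowed to create and link GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'DC Lockdown - RIP users'          # assumed GPO name
$userGroup = 'Rip_Users'                        # group name from the thread
$dcOu      = (Get-ADDomain).DomainControllersContainer

# 1. Create the GPO and link it to the Domain Controllers OU.
New-GPO -Name $gpoName -Comment 'Loopback lockdown for RIP operators' | Out-Null
New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes | Out-Null

# 2. Loopback processing in Replace mode (UserPolicyMode: 1 = Merge, 2 = Replace).
#    With this set, the GPO's user settings apply to whoever logs on to a DC,
#    regardless of where the user account lives in the directory.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Security filtering: Authenticated Users no longer applies the GPO, the DC
#    computer accounts keep Read (needed to process it at all), and only
#    Rip_Users gets Apply. Admins never match the filter, so none of the
#    user-side lockdown below ever reaches them.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Domain Controllers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $gpoName -TargetName $userGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. One illustrative user-side restriction (hide the Run command). Limiting
#    the account to a single application belongs in Software Restriction
#    Policies / AppLocker rules inside the same GPO.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Review who can read and who applies the GPO before testing with a real logon.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission
```

Check the result with `gpresult /r` from a test account in Rip_Users and from an admin account; the former should list the GPO under applied policies and the latter should not.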

Guest

Andrew Mitchell wrote:
> George Barley <georgebarleyit_nospam@yahoo.com> said
>
>
>>Darren,
>>
>>My goal is to let a couple of users log on to the Domain Controller
>>machine with ability to do nothing but run this one application, which
>>is a RIP (Raster Image Processor).
>>
>>I understand I have to do it in the Domain Controller Security Policy,
>>but I don't understand how to differentiate between Administrators, and
>>say a group called "Rip_Users," to where Admins can do anything, and
>>"Rip_Users" can't do but run the RIP app. Where, how, do I do this? I
>>need step-by-step instructions. I am very new to Group Policy.
>>
>
>
> You need to create an OU that contains the domain controllers and apply your
> GPO to that OU. Make the GPO a loopback policy to ensure that all
> settings are applied to users that log in to machines in that OU.
> You can then use security on the GPO to deny the 'Apply Group Policy'
> permission to the domain admins security group.
>
> Andy.

Andy, I really appreciate your help. I will have to look and find out
how to make the GPO into a loopback policy.

Since you say "You can then use security on the GPO to deny the 'Apply
Group Policy' permission to the domain admins security group," can't I
just adjust the "Domain Controller Security Policy" (I guess it's the
default one from Start>Programs>Administrative Tools>) and then apply
a deny for the Admins? Is that not a good way to go about it?

Thanks again,
George