Sign in with
Sign up | Sign in
Your question

Exchange OWA 2003 Trusted Root Certificate

Last response: in Windows 2000/NT
Share
Anonymous
February 14, 2005 11:25:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I am looking to attach a certificate to a GPO, under the Trusted Root
Certificates so that specific users on the network who access the Secure
(https) Outlook Web Agent 2003, will already have the certifiacte installed,
and not have to answer yes to a certificate question each time the browser
access the website on the exchange server.

My attempt has been this, accessed the server and installed the certificate,
then I exported the certificate as p7b...I then could mannually go to other
machines and import the certificate, but do not want to do that over the
enterprise.

I created a GPO based on this link:
"http://www.microsoft.com/windows2000/techinfo/planning/..."
I applied the policy only to my test user that I created, yet the
certificate is never installed as I would have expected it. I suspect that I
have missed something, but can't put my finger on it.

Any ideas?
J
Anonymous
February 15, 2005 1:26:41 AM

Archived from groups: microsoft.public.win2000.security (More info?)

That policy is "computer configuration". You will have to have that policy
apply to a computer that the user logs onto. For instance if you configured
that Group Policy at the OU level, the computer account will need to be in
that OU. --- Steve


"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
>I am looking to attach a certificate to a GPO, under the Trusted Root
> Certificates so that specific users on the network who access the Secure
> (https) Outlook Web Agent 2003, will already have the certifiacte
> installed,
> and not have to answer yes to a certificate question each time the browser
> access the website on the exchange server.
>
> My attempt has been this, accessed the server and installed the
> certificate,
> then I exported the certificate as p7b...I then could mannually go to
> other
> machines and import the certificate, but do not want to do that over the
> enterprise.
>
> I created a GPO based on this link:
> "http://www.microsoft.com/windows2000/techinfo/planning/..."
> I applied the policy only to my test user that I created, yet the
> certificate is never installed as I would have expected it. I suspect
> that I
> have missed something, but can't put my finger on it.
>
> Any ideas?
> J
Anonymous
February 15, 2005 9:21:12 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks, so barring adding each computer to the policy where I think a user
might log into, would this work: Adding the Computers to the Groups in which
the policy is applied to. So that an OU called "Shipping Department" has a
group assigned to it called "Shipping". Members of the Shipping group are
user1 and user2. A policy is created with Permissions to apply a Trusted
Root Certificate to the Shipping Group, which would install the certificate I
want but only for those particular users. Am I correct in saying that I
should just add the computers that are physically located in the Shipping
Department to the group Shipping, so that all Computer Policies are applied
to the machine?

I kind of thought that the computer policies would apply to the computer
that a particular user logged into, not the a specific computer? Can we
verify this? That link that I included for accomplishing these steps, said
nothing about adding specific users, in fact it was a Default Domain Policy?

Thanks

"Steven L Umbach" wrote:

> That policy is "computer configuration". You will have to have that policy
> apply to a computer that the user logs onto. For instance if you configured
> that Group Policy at the OU level, the computer account will need to be in
> that OU. --- Steve
>
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
> >I am looking to attach a certificate to a GPO, under the Trusted Root
> > Certificates so that specific users on the network who access the Secure
> > (https) Outlook Web Agent 2003, will already have the certifiacte
> > installed,
> > and not have to answer yes to a certificate question each time the browser
> > access the website on the exchange server.
> >
> > My attempt has been this, accessed the server and installed the
> > certificate,
> > then I exported the certificate as p7b...I then could mannually go to
> > other
> > machines and import the certificate, but do not want to do that over the
> > enterprise.
> >
> > I created a GPO based on this link:
> > "http://www.microsoft.com/windows2000/techinfo/planning/..."
> > I applied the policy only to my test user that I created, yet the
> > certificate is never installed as I would have expected it. I suspect
> > that I
> > have missed something, but can't put my finger on it.
> >
> > Any ideas?
> > J
>
>
>
Related resources
Can't find your answer ? Ask !
Anonymous
February 15, 2005 1:09:14 PM

Archived from groups: microsoft.public.win2000.security (More info?)

It is computer configuration which means that the policy is non user
specific and will apply to all users that logon to that computer. You can
not filter computer configuration policy be user but you could for specific
computers or a global group that computers are a member of. I can't think of
a work around offhand to have it work for specific users. --- Steve


"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
> Thanks, so barring adding each computer to the policy where I think a user
> might log into, would this work: Adding the Computers to the Groups in
> which
> the policy is applied to. So that an OU called "Shipping Department" has
> a
> group assigned to it called "Shipping". Members of the Shipping group are
> user1 and user2. A policy is created with Permissions to apply a Trusted
> Root Certificate to the Shipping Group, which would install the
> certificate I
> want but only for those particular users. Am I correct in saying that I
> should just add the computers that are physically located in the Shipping
> Department to the group Shipping, so that all Computer Policies are
> applied
> to the machine?
>
> I kind of thought that the computer policies would apply to the computer
> that a particular user logged into, not the a specific computer? Can we
> verify this? That link that I included for accomplishing these steps,
> said
> nothing about adding specific users, in fact it was a Default Domain
> Policy?
>
> Thanks
>
> "Steven L Umbach" wrote:
>
>> That policy is "computer configuration". You will have to have that
>> policy
>> apply to a computer that the user logs onto. For instance if you
>> configured
>> that Group Policy at the OU level, the computer account will need to be
>> in
>> that OU. --- Steve
>>
>>
>> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
>> >I am looking to attach a certificate to a GPO, under the Trusted Root
>> > Certificates so that specific users on the network who access the
>> > Secure
>> > (https) Outlook Web Agent 2003, will already have the certifiacte
>> > installed,
>> > and not have to answer yes to a certificate question each time the
>> > browser
>> > access the website on the exchange server.
>> >
>> > My attempt has been this, accessed the server and installed the
>> > certificate,
>> > then I exported the certificate as p7b...I then could mannually go to
>> > other
>> > machines and import the certificate, but do not want to do that over
>> > the
>> > enterprise.
>> >
>> > I created a GPO based on this link:
>> > "http://www.microsoft.com/windows2000/techinfo/planning/..."
>> > I applied the policy only to my test user that I created, yet the
>> > certificate is never installed as I would have expected it. I suspect
>> > that I
>> > have missed something, but can't put my finger on it.
>> >
>> > Any ideas?
>> > J
>>
>>
>>
Anonymous
February 15, 2005 1:09:15 PM

Archived from groups: microsoft.public.win2000.security (More info?)

So Steve - back to my original question, since my model is small, it is my
understanding that I can "filter" a particular GPO from the Domain Level to
apply only to specific user groups that I have created. (I base that
statement on Chapter 4 - How Group Policy Works in the Windows 2000 Server
doc, on the Technet CD.)

"Administrators can overcome this problem by organizing users and computers
into security groups, and then using these groups to filter the impact of
Group Policy.

The IT department can create groups based on the tasks that their users
perform, the degree of authority users have to modify their own or other
computers, and the configurations that users need to have. For example, the
IT department could accomplish their goal by creating a security group just
for vice presidents. This can greatly simplify the process of administering
users with disparate configuration and permission requirements. Therefore, in
Figure 4.4, the vice presidents' security group might prevent the domain
level GPO (GPO 2) from applying to vice presidents in the Headquarters and
Marketing OUs. "

Based on that, if were to create a domain GPO, and filter based 3 specific
groups to apply, and if in those groups I assigned the computers that were
part of each group...would the Computer Configuration be pushed to the
machines, based on the imported Root Certificate?

Thanks
J



"Steven L Umbach" wrote:

> It is computer configuration which means that the policy is non user
> specific and will apply to all users that logon to that computer. You can
> not filter computer configuration policy be user but you could for specific
> computers or a global group that computers are a member of. I can't think of
> a work around offhand to have it work for specific users. --- Steve
>
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
> > Thanks, so barring adding each computer to the policy where I think a user
> > might log into, would this work: Adding the Computers to the Groups in
> > which
> > the policy is applied to. So that an OU called "Shipping Department" has
> > a
> > group assigned to it called "Shipping". Members of the Shipping group are
> > user1 and user2. A policy is created with Permissions to apply a Trusted
> > Root Certificate to the Shipping Group, which would install the
> > certificate I
> > want but only for those particular users. Am I correct in saying that I
> > should just add the computers that are physically located in the Shipping
> > Department to the group Shipping, so that all Computer Policies are
> > applied
> > to the machine?
> >
> > I kind of thought that the computer policies would apply to the computer
> > that a particular user logged into, not the a specific computer? Can we
> > verify this? That link that I included for accomplishing these steps,
> > said
> > nothing about adding specific users, in fact it was a Default Domain
> > Policy?
> >
> > Thanks
> >
> > "Steven L Umbach" wrote:
> >
> >> That policy is "computer configuration". You will have to have that
> >> policy
> >> apply to a computer that the user logs onto. For instance if you
> >> configured
> >> that Group Policy at the OU level, the computer account will need to be
> >> in
> >> that OU. --- Steve
> >>
> >>
> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
> >> >I am looking to attach a certificate to a GPO, under the Trusted Root
> >> > Certificates so that specific users on the network who access the
> >> > Secure
> >> > (https) Outlook Web Agent 2003, will already have the certifiacte
> >> > installed,
> >> > and not have to answer yes to a certificate question each time the
> >> > browser
> >> > access the website on the exchange server.
> >> >
> >> > My attempt has been this, accessed the server and installed the
> >> > certificate,
> >> > then I exported the certificate as p7b...I then could mannually go to
> >> > other
> >> > machines and import the certificate, but do not want to do that over
> >> > the
> >> > enterprise.
> >> >
> >> > I created a GPO based on this link:
> >> > "http://www.microsoft.com/windows2000/techinfo/planning/..."
> >> > I applied the policy only to my test user that I created, yet the
> >> > certificate is never installed as I would have expected it. I suspect
> >> > that I
> >> > have missed something, but can't put my finger on it.
> >> >
> >> > Any ideas?
> >> > J
> >>
> >>
> >>
>
>
>
Anonymous
February 15, 2005 1:51:57 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<Smurfman@discussions.microsoft.com> says...

> Thanks, so barring adding each computer to the policy where I think a user
> might log into, would this work: Adding the Computers to the Groups in which
> the policy is applied to.

Group Policy I s not applied to groups, you have a fundamental
misunderstanding on how Group Policy works.

> So that an OU called "Shipping Department" has a
> group assigned to it called "Shipping". Members of the Shipping group are
> user1 and user2. A policy is created with Permissions to apply a Trusted
> Root Certificate to the Shipping Group,

As above, this isn't the way Group Policy works.

> which would install the certificate I
> want but only for those particular users. Am I correct in saying that I
> should just add the computers that are physically located in the Shipping
> Department to the group Shipping, so that all Computer Policies are applied
> to the machine?

The GPOs that are applied to a user or computer have nothing to do with
the group membership of that user or computer (except that you can
control whether or not a GPO can be processed through the use of ACLs on
the GPOs). The location of the user or computer account in the directory
determines which GPOs will be processed.
>
> I kind of thought that the computer policies would apply to the computer
> that a particular user logged into, not the a specific computer? Can we
> verify this? That link that I included for accomplishing these steps, said
> nothing about adding specific users, in fact it was a Default Domain Policy?

The Default Domain Policy, being at the highest level in the domain
tree, will be processed by all users and computers in the domain.

In your case, you need to examine the OUs that contain the computer
accounts of the computers that these users will be using, and then use a
GPO that is high enough in the domain tree to be processed by these
computers.

You should read up on Group Policy. There is a lot of good information
on how this works on the Microsoft web site.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 15, 2005 1:51:58 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If you create a Policy the permissions to Read and Apply that policy may
typically be the Authenticated Users Group. However, if you modify the
policy and add the disired groups to that policy to apply the policy to that
specific group instead of the global Authenticated Users group, and either
apply the policy to the GPO that specific users are a member of, or apply it
to a default domain policy, then only the groups or members that are listed
on the permissions tab will have the policy applied to them.

In my example, the OU "Shipping Department" has in the container the Group
"Shipping" and User1 and User2. User1 and User2 are also members of the
Group "Shipping". If I create a GPO and apply it to the OU, the default
setting will be for Authenticated Users to Read and Apply. But suppose that
I only want to apply the policy to User2, perhaps it is a very custom setup
of there envioronment, etc etc. I can remove the Authenticated Users from
the Permissions Tab, and add only User2 for Apply. Thereby skipping any
policy application on User1. Or, if I specifically want a group, so that no
matter who gets added to the group, all objects in that group can have the
policy applied to them. This would be particularly useful when placing a GPO
on the Domain Level for specific groups to be applied to (but not all
Authenticated Users) and thereby reduce the need to link each OU with the
GPO, you can do it from one place, but have it only apply to those groups
containing those users and/or computers that you have assigned to it.

"You put things you want to control in an OU. Then you grant control to a
group." -MArk Minasi. Basically assigning permissions for folders, shares
etc etc including applying a GPO (hence the name GROUP Policy Object). You
can not assign an OU Permissions, but you can control the members and groups
of that OU with a Policy.

"Paul Adare" wrote:

> In article <22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> <Smurfman@discussions.microsoft.com> says...
>
> > Thanks, so barring adding each computer to the policy where I think a user
> > might log into, would this work: Adding the Computers to the Groups in which
> > the policy is applied to.
>
> Group Policy I s not applied to groups, you have a fundamental
> misunderstanding on how Group Policy works.
>
> > So that an OU called "Shipping Department" has a
> > group assigned to it called "Shipping". Members of the Shipping group are
> > user1 and user2. A policy is created with Permissions to apply a Trusted
> > Root Certificate to the Shipping Group,
>
> As above, this isn't the way Group Policy works.
>
> > which would install the certificate I
> > want but only for those particular users. Am I correct in saying that I
> > should just add the computers that are physically located in the Shipping
> > Department to the group Shipping, so that all Computer Policies are applied
> > to the machine?
>
> The GPOs that are applied to a user or computer have nothing to do with
> the group membership of that user or computer (except that you can
> control whether or not a GPO can be processed through the use of ACLs on
> the GPOs). The location of the user or computer account in the directory
> determines which GPOs will be processed.
> >
> > I kind of thought that the computer policies would apply to the computer
> > that a particular user logged into, not the a specific computer? Can we
> > verify this? That link that I included for accomplishing these steps, said
> > nothing about adding specific users, in fact it was a Default Domain Policy?
>
> The Default Domain Policy, being at the highest level in the domain
> tree, will be processed by all users and computers in the domain.
>
> In your case, you need to examine the OUs that contain the computer
> accounts of the computers that these users will be using, and then use a
> GPO that is high enough in the domain tree to be processed by these
> computers.
>
> You should read up on Group Policy. There is a lot of good information
> on how this works on the Microsoft web site.
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
>
Anonymous
February 15, 2005 2:49:05 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <8B215909-AC33-4C05-BA8C-ACA9DF1C08FE@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<Smurfman@discussions.microsoft.com> says...

So you're going to explain to me how Group Policy works now? Ok.

Let's start with getting some basic terminology sorted out:

> If you create a Policy

You never create a Policy, you create a Group Policy Object, and that
GPO will contain various settings.

> the permissions to Read and Apply that policy may
> typically be the Authenticated Users Group.

The default DACL on a GPO do in fact include Authenticated Users with
Read and Apply, correct.

> However, if you modify the
> policy and add the disired groups to that policy to apply the policy to that
> specific group instead of the global Authenticated Users group, and either
> apply the policy to the GPO that specific users are a member of,

One cannot be a member of a GPO.

> or apply it
> to a default domain policy, then only the groups or members that are listed
> on the permissions tab will have the policy applied to them.

Correct, assuming of course the the GPO is linked somewhere that the
user or computer will even be able to process it in the first place.

For example, if you have OUA and OUB, both at the same level in the
domain, and you have userB in OUB. You create a GPO and set the
permissions on the GPO such that userB has Read and Apply permissions,
it won't matter how often you log on with the userB account, nor what
the permissions are on the GPO, userB will never process the GPO. Taking
this one step further, you create a group in OUA and make userB a member
of that group, and change the permissions on the GPO linked to OUA such
that the group in OUA that has userB as a member has Read and Apply
permission, that GPO will _still never_ be processed by userB.

>
> In my example, the OU "Shipping Department" has in the container the Group
> "Shipping" and User1 and User2. User1 and User2 are also members of the
> Group "Shipping". If I create a GPO and apply it to the OU, the default
> setting will be for Authenticated Users to Read and Apply. But suppose that
> I only want to apply the policy to User2, perhaps it is a very custom setup
> of there envioronment, etc etc. I can remove the Authenticated Users from
> the Permissions Tab, and add only User2 for Apply. Thereby skipping any
> policy application on User1. Or, if I specifically want a group, so that no
> matter who gets added to the group, all objects in that group can have the
> policy applied to them. This would be particularly useful when placing a GPO
> on the Domain Level for specific groups to be applied to (but not all
> Authenticated Users) and thereby reduce the need to link each OU with the
> GPO, you can do it from one place, but have it only apply to those groups
> containing those users and/or computers that you have assigned to it.

Once again, you do not assign a GPO to a group. You can certainly use
the DACLs on a GPO to filter which users and computers the GPO will be
processed by, but only if that GPO is linked in the directory in a
location that the user or computer account would process the GPO in the
first place.
>
> "You put things you want to control in an OU. Then you grant control to a
> group." -MArk Minasi. Basically assigning permissions for folders, shares
> etc etc including applying a GPO (hence the name GROUP Policy Object). You
> can not assign an OU Permissions, but you can control the members and groups
> of that OU with a Policy.

Sorry sport, but the Group part of Group Policy has nothing to do with
groups that contain user or computer accounts. Its name arises from the
fact that you can GROUP policy settings into objects known as Group
Policy Objects.

>
> "Paul Adare" wrote:
>
> > In article <22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com>, in the
> > microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> > <Smurfman@discussions.microsoft.com> says...
> >
> > > Thanks, so barring adding each computer to the policy where I think a user
> > > might log into, would this work: Adding the Computers to the Groups in which
> > > the policy is applied to.
> >
> > Group Policy I s not applied to groups, you have a fundamental
> > misunderstanding on how Group Policy works.
> >
> > > So that an OU called "Shipping Department" has a
> > > group assigned to it called "Shipping". Members of the Shipping group are
> > > user1 and user2. A policy is created with Permissions to apply a Trusted
> > > Root Certificate to the Shipping Group,
> >
> > As above, this isn't the way Group Policy works.
> >
> > > which would install the certificate I
> > > want but only for those particular users. Am I correct in saying that I
> > > should just add the computers that are physically located in the Shipping
> > > Department to the group Shipping, so that all Computer Policies are applied
> > > to the machine?
> >
> > The GPOs that are applied to a user or computer have nothing to do with
> > the group membership of that user or computer (except that you can
> > control whether or not a GPO can be processed through the use of ACLs on
> > the GPOs). The location of the user or computer account in the directory
> > determines which GPOs will be processed.
> > >
> > > I kind of thought that the computer policies would apply to the computer
> > > that a particular user logged into, not the a specific computer? Can we
> > > verify this? That link that I included for accomplishing these steps, said
> > > nothing about adding specific users, in fact it was a Default Domain Policy?
> >
> > The Default Domain Policy, being at the highest level in the domain
> > tree, will be processed by all users and computers in the domain.
> >
> > In your case, you need to examine the OUs that contain the computer
> > accounts of the computers that these users will be using, and then use a
> > GPO that is high enough in the domain tree to be processed by these
> > computers.
> >
> > You should read up on Group Policy. There is a lot of good information
> > on how this works on the Microsoft web site.
> >
> > --
> > Paul Adare
> > "On two occasions, I have been asked [by members of Parliament],
> > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> > will the right answers come out?' I am not able to rightly apprehend
> > the kind of confusion of ideas that could provoke such a question."
> > -- Charles Babbage (1791-1871)
> >
>

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 15, 2005 2:49:06 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"Paul Adare" wrote:

> In article <8B215909-AC33-4C05-BA8C-ACA9DF1C08FE@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> <Smurfman@discussions.microsoft.com> says...
>
> So you're going to explain to me how Group Policy works now? Ok.

Listen I am not trying to pick a fight here.
>
> Let's start with getting some basic terminology sorted out:
>
> > If you create a Policy
>
> You never create a Policy, you create a Group Policy Object, and that
> GPO will contain various settings.

When I say Policy, I mean it in a broad sense, I am referring to the GPO,
which as you admitted defaults to "apply" to the Authenticated Users. Based
on what I am seeing, you can perform Filtering by removing the Authenticated
Users from the list, and assign a specific "group" that you would like to
apply the "policy" (GPO containing the set of templates in which settings
have been made) to.

>
> > the permissions to Read and Apply that policy may
> > typically be the Authenticated Users Group.
>
> The default DACL on a GPO do in fact include Authenticated Users with
> Read and Apply, correct.
>
> > However, if you modify the
> > policy and add the disired groups to that policy to apply the policy to that
> > specific group instead of the global Authenticated Users group, and either
> > apply the policy to the GPO that specific users are a member of,
>
> One cannot be a member of a GPO.
>

When I say add a desired group to a GPO, the above was what I was referring
to, I think if you attempt to read to much into the terminology, you miss the
basics of what I am asking, that was why I posted the question in the first
place. Realizing of course that if I add a group, users whatever to the
Security of the GPO to APPLY (better verbiage?), then in any place that I
apply that GPO to an OU, then the groups and users will specifically get the
"settings" contained in that GPO (or as I like to say the policy). A good
example, might be to publish the Active Directory Admin Tools to your admins,
you create a Domain Policy (GPO) and then remove the Authenticated Users, but
add only your Admins to apply the policy to, so that the Published Software
is installed.


> > or apply it
> > to a default domain policy, then only the groups or members that are listed
> > on the permissions tab will have the policy applied to them.
>
> Correct, assuming of course the the GPO is linked somewhere that the
> user or computer will even be able to process it in the first place.
>
> For example, if you have OUA and OUB, both at the same level in the
> domain, and you have userB in OUB. You create a GPO and set the
> permissions on the GPO such that userB has Read and Apply permissions,
> it won't matter how often you log on with the userB account, nor what
> the permissions are on the GPO, userB will never process the GPO. Taking

So is the GPO just created on the Group Policy tab of the OUB? If it is, I
would disagree that it would not work. A good example of this might be a
custom desktop picture. Globally for the domain you lock down any changes to
the display, and background. But on an OU level you create a GPO called
"userB" make userB the only user that the GPO is Applied to. In the Desktop,
you define a custom desktop picture, and path. I do this now, who gets the
picture? Only userB, even though in the OU there are lots of other users. So
I must be mis-understanding what you are saying above.



> this one step further, you create a group in OUA and make userB a member
> of that group, and change the permissions on the GPO linked to OUA such
> that the group in OUA that has userB as a member has Read and Apply
> permission, that GPO will _still never_ be processed by userB.

I understand what you are saying here, since a user can only be a member of
1 OU, the GPO can only be applied to that OU in which the user would be a
member of. BUT, in my model I am not creating Groups that spread across
OU's. In OUA, I would have a GROUP called OUAUsers in which I would add all
of the users in that OU to that group, that I would want applied. In OUB, I
have another group called OUBUsers with all of those users from that OU in
it. I create a GPO that has both of those Groups as part of the Apply rather
than the Authenticated Users by default, I also Deny the GPO to the Domain
Admins and Enterprise Admins for Apply but leave the read write change the
same. I apply the GPO to both OUs (OUA and OUB) Now suppose I want to add a
user to OUA, but not have that GPO apply to them. Poof, already done, even
though they are a member of that OU, I bypass them in the application of the
GPO, because I did not make them a member of the OUAUsers or OUBUsers to whom
the GPO is being applied. An example might be someone who is part of that
OU, who has Admin rights whereby you might not want to lock them down, but
keep them part of that OU for organizational reasons.

>
> >
> > In my example, the OU "Shipping Department" has in the container the Group
> > "Shipping" and User1 and User2. User1 and User2 are also members of the
> > Group "Shipping". If I create a GPO and apply it to the OU, the default
> > setting will be for Authenticated Users to Read and Apply. But suppose that
> > I only want to apply the policy to User2, perhaps it is a very custom setup
> > of there environment, etc etc. I can remove the Authenticated Users from
> > the Permissions Tab, and add only User2 for Apply. Thereby skipping any
> > policy application on User1. Or, if I specifically want a group, so that no
> > matter who gets added to the group, all objects in that group can have the
> > policy applied to them. This would be particularly useful when placing a GPO
> > on the Domain Level for specific groups to be applied to (but not all
> > Authenticated Users) and thereby reduce the need to link each OU with the
> > GPO, you can do it from one place, but have it only apply to those groups
> > containing those users and/or computers that you have assigned to it.
>
> Once again, you do not assign a GPO to a group. You can certainly use
> the DACLs on a GPO to filter which users and computers the GPO will be
> processed by, but only if that GPO is linked in the directory in a
> location that the user or computer account would process the GPO in the
> first place.
> >

Don't get caught up on semantics...I think you understood what I was
attempting to say. Filter is the correct word, you are right.

> > "You put things you want to control in an OU. Then you grant control to a
> > group." -MArk Minasi. Basically assigning permissions for folders, shares
> > etc etc including applying a GPO (hence the name GROUP Policy Object). You
> > can not assign an OU Permissions, but you can control the members and groups
> > of that OU with a Policy.
>
> Sorry sport, but the Group part of Group Policy has nothing to do with
> groups that contain user or computer accounts. Its name arises from the
> fact that you can GROUP policy settings into objects known as Group
> Policy Objects.
>

By the way, you never answered my original question, rather you attacked how
YOU might have done something or how you thought it should have been done.


> >
> > "Paul Adare" wrote:
> >
> > > In article <22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com>, in the
> > > microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> > > <Smurfman@discussions.microsoft.com> says...
> > >
> > > > Thanks, so barring adding each computer to the policy where I think a user
> > > > might log into, would this work: Adding the Computers to the Groups in which
> > > > the policy is applied to.
> > >
> > > Group Policy I s not applied to groups, you have a fundamental
> > > misunderstanding on how Group Policy works.
> > >
> > > > So that an OU called "Shipping Department" has a
> > > > group assigned to it called "Shipping". Members of the Shipping group are
> > > > user1 and user2. A policy is created with Permissions to apply a Trusted
> > > > Root Certificate to the Shipping Group,
> > >
> > > As above, this isn't the way Group Policy works.
> > >
> > > > which would install the certificate I
> > > > want but only for those particular users. Am I correct in saying that I
> > > > should just add the computers that are physically located in the Shipping
> > > > Department to the group Shipping, so that all Computer Policies are applied
> > > > to the machine?
> > >
> > > The GPOs that are applied to a user or computer have nothing to do with
> > > the group membership of that user or computer (except that you can
> > > control whether or not a GPO can be processed through the use of ACLs on
> > > the GPOs). The location of the user or computer account in the directory
> > > determines which GPOs will be processed.
> > > >
> > > > I kind of thought that the computer policies would apply to the computer
> > > > that a particular user logged into, not the a specific computer? Can we
> > > > verify this? That link that I included for accomplishing these steps, said
> > > > nothing about adding specific users, in fact it was a Default Domain Policy?
> > >
> > > The Default Domain Policy, being at the highest level in the domain
> > > tree, will be processed by all users and computers in the domain.
> > >
> > > In your case, you need to examine the OUs that contain the computer
> > > accounts of the computers that these users will be using, and then use a
> > > GPO that is high enough in the domain tree to be processed by these
> > > computers.
> > >
> > > You should read up on Group Policy. There is a lot of good information
> > > on how this works on the Microsoft web site.
> > >
> > > --
> > > Paul Adare
> > > "On two occasions, I have been asked [by members of Parliament],
> > > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> > > will the right answers come out?' I am not able to rightly apprehend
> > > the kind of confusion of ideas that could provoke such a question."
> > > -- Charles Babbage (1791-1871)
> > >
> >
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
>
Anonymous
February 15, 2005 2:56:59 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <MPG.1c7bf2107398ece9989b9a@msnews.microsoft.com>, in the
microsoft.public.win2000.security news group, Paul Adare
<padare@newsguy.com> says...

> For example, if you have OUA and OUB, both at the same level in the
> domain, and you have userB in OUB. You create a GPO,**link it to OUA** and set the
> permissions on the GPO such that userB has Read and Apply permissions,
> it won't matter how often you log on with the userB account, nor what
> the permissions are on the GPO, userB will never process the GPO. Taking
> this one step further, you create a group in OUA and make userB a member
> of that group, and change the permissions on the GPO linked to OUA such
> that the group in OUA that has userB as a member has Read and Apply
> permission, that GPO will _still never_ be processed by userB.
>

Sorry, missed a bit. See the ** ** for the addition.
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 15, 2005 4:13:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <6AAFFDB5-6B9E-4CB5-BE75-9E0FB3938DE4@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<Smurfman@discussions.microsoft.com> says...

> By the way, you never answered my original question, rather you attacked how
> YOU might have done something or how you thought it should have been done.
>

I didn't attack anything, you're still missing some fundamentals on how
Group Policy works. For example, setting in the computer configuration
section of a GPO are not processed when a user account processes a GPO
and settings in the user configuration section are not processed when a
computer account processes a GPO.

I strongly suggest that you do some reading up on Group Policy.

Have fun.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 15, 2005 4:13:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Not based on this - "The Authenticated Users group includes both users and
computers. " See below. I think I have a pretty good working knowledge of
how this should work, I admit, I don't know it all...but I do know that if a
GPO is created, and the default setting for security and applying that
security is Authenticated Users, then this will in fact apply to the computer.

Give me some credit...

"Security Filtering
Security filtering is a way of refining which users and computers will
receive and apply the settings in a GPO. Using security filtering, you can
narrow the scope of a GPO so that it applies only to a single group, user, or
computer by specifying that only certain security principals within a
container where the GPO is linked apply the GPO. Security filtering
determines whether the GPO as a whole applies to groups, users, or computers;
it cannot be used selectively on different settings within a GPO.

In order for the GPO to apply to a given user or computer, that user or
computer must have both Read and Apply Group Policy (AGP) permissions on the
GPO, either explicitly, or effectively though group membership.

By default, all GPOs have Read and AGP both Allowed for the Authenticated
Users group. The Authenticated Users group includes both users and computers.
This is how all authenticated users receive the settings of a new GPO when it
is applied to an organizational unit, domain or site. Therefore, the default
behavior is for every GPO to apply to every Authenticated User. By default,
Domain Admins, Enterprise Admins, and the local system have full control
permissions, without the Apply Group Policy ACE. However, administrators are
members of Authenticated Users, which means that they will receive the
settings in the GPO by default. "

"Paul Adare" wrote:

> In article <6AAFFDB5-6B9E-4CB5-BE75-9E0FB3938DE4@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> <Smurfman@discussions.microsoft.com> says...
>
> > By the way, you never answered my original question, rather you attacked how
> > YOU might have done something or how you thought it should have been done.
> >
>
> I didn't attack anything, you're still missing some fundamentals on how
> Group Policy works. For example, setting in the computer configuration
> section of a GPO are not processed when a user account processes a GPO
> and settings in the user configuration section are not processed when a
> computer account processes a GPO.
>
> I strongly suggest that you do some reading up on Group Policy.
>
> Have fun.
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
>
Anonymous
February 15, 2005 4:17:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<Smurfman@discussions.microsoft.com> says...

> Based on that, if were to create a domain GPO, and filter based 3 specific
> groups to apply, and if in those groups I assigned the computers that were
> part of each group...would the Computer Configuration be pushed to the
> machines, based on the imported Root Certificate?
>

Yes.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 15, 2005 4:24:15 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You have two options. Either put all the computers in an OU, which could be
a child OU of an existing OU so that all parent OU computer configuration
settings still can apply to computers in the child OU unless the child OU
has same defined settings which will override same defined settings at
parent level, or filter a Group Policy that would apply to computers so that
the "apply" permission has only the global groups that contain computers
that you want the Group Policy computer configuration to apply to. Ether way
the computers must be within the scope of influence of the Group Policy. The
link below may help if you have not seen it yet. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176

"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com...
> So Steve - back to my original question, since my model is small, it is my
> understanding that I can "filter" a particular GPO from the Domain Level
> to
> apply only to specific user groups that I have created. (I base that
> statement on Chapter 4 - How Group Policy Works in the Windows 2000 Server
> doc, on the Technet CD.)
>
> "Administrators can overcome this problem by organizing users and
> computers
> into security groups, and then using these groups to filter the impact of
> Group Policy.
>
> The IT department can create groups based on the tasks that their users
> perform, the degree of authority users have to modify their own or other
> computers, and the configurations that users need to have. For example,
> the
> IT department could accomplish their goal by creating a security group
> just
> for vice presidents. This can greatly simplify the process of
> administering
> users with disparate configuration and permission requirements. Therefore,
> in
> Figure 4.4, the vice presidents' security group might prevent the domain
> level GPO (GPO 2) from applying to vice presidents in the Headquarters and
> Marketing OUs. "
>
> Based on that, if were to create a domain GPO, and filter based 3 specific
> groups to apply, and if in those groups I assigned the computers that were
> part of each group...would the Computer Configuration be pushed to the
> machines, based on the imported Root Certificate?
>
> Thanks
> J
>
>
>
> "Steven L Umbach" wrote:
>
>> It is computer configuration which means that the policy is non user
>> specific and will apply to all users that logon to that computer. You can
>> not filter computer configuration policy be user but you could for
>> specific
>> computers or a global group that computers are a member of. I can't think
>> of
>> a work around offhand to have it work for specific users. --- Steve
>>
>>
>> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
>> > Thanks, so barring adding each computer to the policy where I think a
>> > user
>> > might log into, would this work: Adding the Computers to the Groups in
>> > which
>> > the policy is applied to. So that an OU called "Shipping Department"
>> > has
>> > a
>> > group assigned to it called "Shipping". Members of the Shipping group
>> > are
>> > user1 and user2. A policy is created with Permissions to apply a
>> > Trusted
>> > Root Certificate to the Shipping Group, which would install the
>> > certificate I
>> > want but only for those particular users. Am I correct in saying that
>> > I
>> > should just add the computers that are physically located in the
>> > Shipping
>> > Department to the group Shipping, so that all Computer Policies are
>> > applied
>> > to the machine?
>> >
>> > I kind of thought that the computer policies would apply to the
>> > computer
>> > that a particular user logged into, not the a specific computer? Can
>> > we
>> > verify this? That link that I included for accomplishing these steps,
>> > said
>> > nothing about adding specific users, in fact it was a Default Domain
>> > Policy?
>> >
>> > Thanks
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> That policy is "computer configuration". You will have to have that
>> >> policy
>> >> apply to a computer that the user logs onto. For instance if you
>> >> configured
>> >> that Group Policy at the OU level, the computer account will need to
>> >> be
>> >> in
>> >> that OU. --- Steve
>> >>
>> >>
>> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
>> >> >I am looking to attach a certificate to a GPO, under the Trusted Root
>> >> > Certificates so that specific users on the network who access the
>> >> > Secure
>> >> > (https) Outlook Web Agent 2003, will already have the certifiacte
>> >> > installed,
>> >> > and not have to answer yes to a certificate question each time the
>> >> > browser
>> >> > access the website on the exchange server.
>> >> >
>> >> > My attempt has been this, accessed the server and installed the
>> >> > certificate,
>> >> > then I exported the certificate as p7b...I then could mannually go
>> >> > to
>> >> > other
>> >> > machines and import the certificate, but do not want to do that over
>> >> > the
>> >> > enterprise.
>> >> >
>> >> > I created a GPO based on this link:
>> >> > "http://www.microsoft.com/windows2000/techinfo/planning/..."
>> >> > I applied the policy only to my test user that I created, yet the
>> >> > certificate is never installed as I would have expected it. I
>> >> > suspect
>> >> > that I
>> >> > have missed something, but can't put my finger on it.
>> >> >
>> >> > Any ideas?
>> >> > J
>> >>
>> >>
>> >>
>>
>>
>>
Anonymous
February 15, 2005 4:24:16 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Okay, so that kind of leads me back to my original issue, I have created a
Domain level GPO called Mail, in order to test this. The GPO has defined in
it, the Trusted Root Certificate that I want specific machines to have
installed on it. I removed the Authenticated Users from the Security of the
GPO, and added my Test user for the User portion of the policy, and I have
added a specific computer by browsing to it. For both I have selected the
options to Apply and Read the GPO.

According to what I have read, when the machine reboots, or at the poling
intervul of 90 minutes I think it was, the computer should pick up and apply
the policy. I think I am seeing it work during a reboot, but not the poling.
I just tested this. Now, this brings me back to one of my original
questions too, asside from having to add each computer as an object to the
Security to Apply, can I add the machines to the same User Group and then
Apply (Filter) the security on that Group. In this situation this solution
seems to be the fastest since I would not have to apply a GPO to each OU that
the computers were a part of.

On the second method - just to clarify, if I already have my computers
assigned to each OU for their respective locations, I would just have to
apply my GPO with the Authenticated Users in the Security by default, to
enforce the Computer Config on the machines in that OU? Is this also correct.

Thanks for the patient responses.



"Steven L Umbach" wrote:

> You have two options. Either put all the computers in an OU, which could be
> a child OU of an existing OU so that all parent OU computer configuration
> settings still can apply to computers in the child OU unless the child OU
> has same defined settings which will override same defined settings at
> parent level, or filter a Group Policy that would apply to computers so that
> the "apply" permission has only the global groups that contain computers
> that you want the Group Policy computer configuration to apply to. Ether way
> the computers must be within the scope of influence of the Group Policy. The
> link below may help if you have not seen it yet. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com...
> > So Steve - back to my original question, since my model is small, it is my
> > understanding that I can "filter" a particular GPO from the Domain Level
> > to
> > apply only to specific user groups that I have created. (I base that
> > statement on Chapter 4 - How Group Policy Works in the Windows 2000 Server
> > doc, on the Technet CD.)
> >
> > "Administrators can overcome this problem by organizing users and
> > computers
> > into security groups, and then using these groups to filter the impact of
> > Group Policy.
> >
> > The IT department can create groups based on the tasks that their users
> > perform, the degree of authority users have to modify their own or other
> > computers, and the configurations that users need to have. For example,
> > the
> > IT department could accomplish their goal by creating a security group
> > just
> > for vice presidents. This can greatly simplify the process of
> > administering
> > users with disparate configuration and permission requirements. Therefore,
> > in
> > Figure 4.4, the vice presidents' security group might prevent the domain
> > level GPO (GPO 2) from applying to vice presidents in the Headquarters and
> > Marketing OUs. "
> >
> > Based on that, if were to create a domain GPO, and filter based 3 specific
> > groups to apply, and if in those groups I assigned the computers that were
> > part of each group...would the Computer Configuration be pushed to the
> > machines, based on the imported Root Certificate?
> >
> > Thanks
> > J
> >
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> It is computer configuration which means that the policy is non user
> >> specific and will apply to all users that logon to that computer. You can
> >> not filter computer configuration policy be user but you could for
> >> specific
> >> computers or a global group that computers are a member of. I can't think
> >> of
> >> a work around offhand to have it work for specific users. --- Steve
> >>
> >>
> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
> >> > Thanks, so barring adding each computer to the policy where I think a
> >> > user
> >> > might log into, would this work: Adding the Computers to the Groups in
> >> > which
> >> > the policy is applied to. So that an OU called "Shipping Department"
> >> > has
> >> > a
> >> > group assigned to it called "Shipping". Members of the Shipping group
> >> > are
> >> > user1 and user2. A policy is created with Permissions to apply a
> >> > Trusted
> >> > Root Certificate to the Shipping Group, which would install the
> >> > certificate I
> >> > want but only for those particular users. Am I correct in saying that
> >> > I
> >> > should just add the computers that are physically located in the
> >> > Shipping
> >> > Department to the group Shipping, so that all Computer Policies are
> >> > applied
> >> > to the machine?
> >> >
> >> > I kind of thought that the computer policies would apply to the
> >> > computer
> >> > that a particular user logged into, not the a specific computer? Can
> >> > we
> >> > verify this? That link that I included for accomplishing these steps,
> >> > said
> >> > nothing about adding specific users, in fact it was a Default Domain
> >> > Policy?
> >> >
> >> > Thanks
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> That policy is "computer configuration". You will have to have that
> >> >> policy
> >> >> apply to a computer that the user logs onto. For instance if you
> >> >> configured
> >> >> that Group Policy at the OU level, the computer account will need to
> >> >> be
> >> >> in
> >> >> that OU. --- Steve
> >> >>
> >> >>
> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
> >> >> >I am looking to attach a certificate to a GPO, under the Trusted Root
> >> >> > Certificates so that specific users on the network who access the
> >> >> > Secure
> >> >> > (https) Outlook Web Agent 2003, will already have the certifiacte
> >> >> > installed,
> >> >> > and not have to answer yes to a certificate question each time the
> >> >> > browser
> >> >> > access the website on the exchange server.
> >> >> >
> >> >> > My attempt has been this, accessed the server and installed the
> >> >> > certificate,
> >> >> > then I exported the certificate as p7b...I then could mannually go
> >> >> > to
> >> >> > other
> >> >> > machines and import the certificate, but do not want to do that over
> >> >> > the
> >> >> > enterprise.
> >> >> >
> >> >> > I created a GPO based on this link:
> >> >> > "http://www.microsoft.com/windows2000/techinfo/planning/..."
> >> >> > I applied the policy only to my test user that I created, yet the
> >> >> > certificate is never installed as I would have expected it. I
> >> >> > suspect
> >> >> > that I
> >> >> > have missed something, but can't put my finger on it.
> >> >> >
> >> >> > Any ideas?
> >> >> > J
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
Anonymous
February 15, 2005 4:47:24 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <431F46E5-785B-44FF-949A-B0157BE510BA@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<Smurfman@discussions.microsoft.com> says...

> Not based on this - "The Authenticated Users group includes both users and
> computers. " See below. I think I have a pretty good working knowledge of
> how this should work, I admit, I don't know it all...but I do know that if a
> GPO is created, and the default setting for security and applying that
> security is Authenticated Users, then this will in fact apply to the computer.
>
> Give me some credit...

You don't deserve any as you clearly don't understand how this process
works. Why do you think that there is a Computer Configuration and a
User Configuration section in a GPO?

A user account will never apply the settings in the Computer
Configuration portion of a GPO. A computer account may process the User
Configuration portion of a GPO, but only when loopback processing is
enabled.

Security filtering on determines which GPOs will be processed, not the
sections in the GPO that will be processed.

You really should try to understand this before posting, you're only
digging yourself a deeper hole here.

>
> "Security Filtering
> Security filtering is a way of refining which users and computers will
> receive and apply the settings in a GPO. Using security filtering, you can
> narrow the scope of a GPO so that it applies only to a single group, user, or
> computer by specifying that only certain security principals within a
> container where the GPO is linked apply the GPO. Security filtering
> determines whether the GPO as a whole applies to groups, users, or computers;
> it cannot be used selectively on different settings within a GPO.
>
> In order for the GPO to apply to a given user or computer, that user or
> computer must have both Read and Apply Group Policy (AGP) permissions on the
> GPO, either explicitly, or effectively though group membership.
>
> By default, all GPOs have Read and AGP both Allowed for the Authenticated
> Users group. The Authenticated Users group includes both users and computers.
> This is how all authenticated users receive the settings of a new GPO when it
> is applied to an organizational unit, domain or site. Therefore, the default
> behavior is for every GPO to apply to every Authenticated User. By default,
> Domain Admins, Enterprise Admins, and the local system have full control
> permissions, without the Apply Group Policy ACE. However, administrators are
> members of Authenticated Users, which means that they will receive the
> settings in the GPO by default. "
>
> "Paul Adare" wrote:
>
> > In article <6AAFFDB5-6B9E-4CB5-BE75-9E0FB3938DE4@microsoft.com>, in the
> > microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> > <Smurfman@discussions.microsoft.com> says...
> >
> > > By the way, you never answered my original question, rather you attacked how
> > > YOU might have done something or how you thought it should have been done.
> > >
> >
> > I didn't attack anything, you're still missing some fundamentals on how
> > Group Policy works. For example, setting in the computer configuration
> > section of a GPO are not processed when a user account processes a GPO
> > and settings in the user configuration section are not processed when a
> > computer account processes a GPO.
> >
> > I strongly suggest that you do some reading up on Group Policy.
> >
> > Have fun.
> >
> > --
> > Paul Adare
> > "On two occasions, I have been asked [by members of Parliament],
> > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> > will the right answers come out?' I am not able to rightly apprehend
> > the kind of confusion of ideas that could provoke such a question."
> > -- Charles Babbage (1791-1871)
> >
>

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 15, 2005 4:47:25 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Basically, because one is a set of configurations changes that take place at
the HKLM level, where as the other take place at the HKCU.

Since Computers are part of the Authenticated Users, which is default, the
application to the machine (HKLM) is transparent. That is why just because
the Domain Admin by default does not have the apply setting as part of the
Security of the GPO, they are part of the Authenticated Users and will have
the policy applied.

Let me ask you, how would apply the computer settings that are part of a GPO?

"Paul Adare" wrote:

> In article <431F46E5-785B-44FF-949A-B0157BE510BA@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> <Smurfman@discussions.microsoft.com> says...
>
> > Not based on this - "The Authenticated Users group includes both users and
> > computers. " See below. I think I have a pretty good working knowledge of
> > how this should work, I admit, I don't know it all...but I do know that if a
> > GPO is created, and the default setting for security and applying that
> > security is Authenticated Users, then this will in fact apply to the computer.
> >
> > Give me some credit...
>
> You don't deserve any as you clearly don't understand how this process
> works. Why do you think that there is a Computer Configuration and a
> User Configuration section in a GPO?
>
> A user account will never apply the settings in the Computer
> Configuration portion of a GPO. A computer account may process the User
> Configuration portion of a GPO, but only when loopback processing is
> enabled.
>
> Security filtering on determines which GPOs will be processed, not the
> sections in the GPO that will be processed.
>
> You really should try to understand this before posting, you're only
> digging yourself a deeper hole here.
>
> >
> > "Security Filtering
> > Security filtering is a way of refining which users and computers will
> > receive and apply the settings in a GPO. Using security filtering, you can
> > narrow the scope of a GPO so that it applies only to a single group, user, or
> > computer by specifying that only certain security principals within a
> > container where the GPO is linked apply the GPO. Security filtering
> > determines whether the GPO as a whole applies to groups, users, or computers;
> > it cannot be used selectively on different settings within a GPO.
> >
> > In order for the GPO to apply to a given user or computer, that user or
> > computer must have both Read and Apply Group Policy (AGP) permissions on the
> > GPO, either explicitly, or effectively though group membership.
> >
> > By default, all GPOs have Read and AGP both Allowed for the Authenticated
> > Users group. The Authenticated Users group includes both users and computers.
> > This is how all authenticated users receive the settings of a new GPO when it
> > is applied to an organizational unit, domain or site. Therefore, the default
> > behavior is for every GPO to apply to every Authenticated User. By default,
> > Domain Admins, Enterprise Admins, and the local system have full control
> > permissions, without the Apply Group Policy ACE. However, administrators are
> > members of Authenticated Users, which means that they will receive the
> > settings in the GPO by default. "
> >
> > "Paul Adare" wrote:
> >
> > > In article <6AAFFDB5-6B9E-4CB5-BE75-9E0FB3938DE4@microsoft.com>, in the
> > > microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> > > <Smurfman@discussions.microsoft.com> says...
> > >
> > > > By the way, you never answered my original question, rather you attacked how
> > > > YOU might have done something or how you thought it should have been done.
> > > >
> > >
> > > I didn't attack anything, you're still missing some fundamentals on how
> > > Group Policy works. For example, setting in the computer configuration
> > > section of a GPO are not processed when a user account processes a GPO
> > > and settings in the user configuration section are not processed when a
> > > computer account processes a GPO.
> > >
> > > I strongly suggest that you do some reading up on Group Policy.
> > >
> > > Have fun.
> > >
> > > --
> > > Paul Adare
> > > "On two occasions, I have been asked [by members of Parliament],
> > > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> > > will the right answers come out?' I am not able to rightly apprehend
> > > the kind of confusion of ideas that could provoke such a question."
> > > -- Charles Babbage (1791-1871)
> > >
> >
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
>
Anonymous
February 15, 2005 4:47:26 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You know what forget it, I figured out what I need to do...I have it working.
And for future reference, why not offer solutions rather than attack
someone's understanding of how something works. I think I had everything in
place and just missed one step...

See ya

"Smurfman" wrote:

> Basically, because one is a set of configurations changes that take place at
> the HKLM level, where as the other take place at the HKCU.
>
> Since Computers are part of the Authenticated Users, which is default, the
> application to the machine (HKLM) is transparent. That is why just because
> the Domain Admin by default does not have the apply setting as part of the
> Security of the GPO, they are part of the Authenticated Users and will have
> the policy applied.
>
> Let me ask you, how would apply the computer settings that are part of a GPO?
>
> "Paul Adare" wrote:
>
> > In article <431F46E5-785B-44FF-949A-B0157BE510BA@microsoft.com>, in the
> > microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> > <Smurfman@discussions.microsoft.com> says...
> >
> > > Not based on this - "The Authenticated Users group includes both users and
> > > computers. " See below. I think I have a pretty good working knowledge of
> > > how this should work, I admit, I don't know it all...but I do know that if a
> > > GPO is created, and the default setting for security and applying that
> > > security is Authenticated Users, then this will in fact apply to the computer.
> > >
> > > Give me some credit...
> >
> > You don't deserve any as you clearly don't understand how this process
> > works. Why do you think that there is a Computer Configuration and a
> > User Configuration section in a GPO?
> >
> > A user account will never apply the settings in the Computer
> > Configuration portion of a GPO. A computer account may process the User
> > Configuration portion of a GPO, but only when loopback processing is
> > enabled.
> >
> > Security filtering on determines which GPOs will be processed, not the
> > sections in the GPO that will be processed.
> >
> > You really should try to understand this before posting, you're only
> > digging yourself a deeper hole here.
> >
> > >
> > > "Security Filtering
> > > Security filtering is a way of refining which users and computers will
> > > receive and apply the settings in a GPO. Using security filtering, you can
> > > narrow the scope of a GPO so that it applies only to a single group, user, or
> > > computer by specifying that only certain security principals within a
> > > container where the GPO is linked apply the GPO. Security filtering
> > > determines whether the GPO as a whole applies to groups, users, or computers;
> > > it cannot be used selectively on different settings within a GPO.
> > >
> > > In order for the GPO to apply to a given user or computer, that user or
> > > computer must have both Read and Apply Group Policy (AGP) permissions on the
> > > GPO, either explicitly, or effectively though group membership.
> > >
> > > By default, all GPOs have Read and AGP both Allowed for the Authenticated
> > > Users group. The Authenticated Users group includes both users and computers.
> > > This is how all authenticated users receive the settings of a new GPO when it
> > > is applied to an organizational unit, domain or site. Therefore, the default
> > > behavior is for every GPO to apply to every Authenticated User. By default,
> > > Domain Admins, Enterprise Admins, and the local system have full control
> > > permissions, without the Apply Group Policy ACE. However, administrators are
> > > members of Authenticated Users, which means that they will receive the
> > > settings in the GPO by default. "
> > >
> > > "Paul Adare" wrote:
> > >
> > > > In article <6AAFFDB5-6B9E-4CB5-BE75-9E0FB3938DE4@microsoft.com>, in the
> > > > microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> > > > <Smurfman@discussions.microsoft.com> says...
> > > >
> > > > > By the way, you never answered my original question, rather you attacked how
> > > > > YOU might have done something or how you thought it should have been done.
> > > > >
> > > >
> > > > I didn't attack anything, you're still missing some fundamentals on how
> > > > Group Policy works. For example, setting in the computer configuration
> > > > section of a GPO are not processed when a user account processes a GPO
> > > > and settings in the user configuration section are not processed when a
> > > > computer account processes a GPO.
> > > >
> > > > I strongly suggest that you do some reading up on Group Policy.
> > > >
> > > > Have fun.
> > > >
> > > > --
> > > > Paul Adare
> > > > "On two occasions, I have been asked [by members of Parliament],
> > > > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> > > > will the right answers come out?' I am not able to rightly apprehend
> > > > the kind of confusion of ideas that could provoke such a question."
> > > > -- Charles Babbage (1791-1871)
> > > >
> > >
> >
> > --
> > Paul Adare
> > "On two occasions, I have been asked [by members of Parliament],
> > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> > will the right answers come out?' I am not able to rightly apprehend
> > the kind of confusion of ideas that could provoke such a question."
> > -- Charles Babbage (1791-1871)
> >
Anonymous
February 15, 2005 5:25:15 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <395BA67A-9316-4316-B33D-1C8D0D72A282@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<Smurfman@discussions.microsoft.com> says...

> Basically, because one is a set of configurations changes that take place at
> the HKLM level, where as the other take place at the HKCU.

No, this has nothing to do with it, it is simply the way Group Policy
processing works, nothing more than that. See my previous post on which
portion of a GPO is processed by computer accounts and which is
processed by user accounts.

>
> Since Computers are part of the Authenticated Users, which is default, the
> application to the machine (HKLM) is transparent. That is why just because
> the Domain Admin by default does not have the apply setting as part of the
> Security of the GPO, they are part of the Authenticated Users and will have
> the policy applied.

The above makes no sense and has no bearing on the discussion at all.

>
> Let me ask you, how would apply the computer settings that are part of a GPO?

In the context of this discussion this question makes no sense. I _know_
how Group Policy processing works.


--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 15, 2005 5:35:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

What makes sense is to have two domain global groups - one for users and one
for computers that you want the Group Policy to apply to. The user group
would only apply user configuration and the computer group to computer
configuration. You could combine them all into one global group but from an
organizational standpoint I would use separate groups. Most Group Policy is
applied at logon/startup and at the refresh interval. Note that the default
interval has a default offset of thirty minus which means it can take up to
two hours for the refresh interval to apply. You can do a manual refresh
with secedit /refreshpolicy machine_policy /enforce for Windows 2000
computers or gpupdate /force for XP/W2003 computers.

If you want to apply Group Policy to all users/computers in an OU, then
leaving authenticated users as the apply group will work fine. You can use
the support tool gpresult to see all the groups that a user or computer is
currently a member of, what Group Policy is applied to a user or computer,
and the last time it was applied.. --- Steve


"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:5060DB8B-62E1-43C4-B354-267D20D87CE3@microsoft.com...
> Okay, so that kind of leads me back to my original issue, I have created a
> Domain level GPO called Mail, in order to test this. The GPO has defined
> in
> it, the Trusted Root Certificate that I want specific machines to have
> installed on it. I removed the Authenticated Users from the Security of
> the
> GPO, and added my Test user for the User portion of the policy, and I have
> added a specific computer by browsing to it. For both I have selected the
> options to Apply and Read the GPO.
>
> According to what I have read, when the machine reboots, or at the poling
> intervul of 90 minutes I think it was, the computer should pick up and
> apply
> the policy. I think I am seeing it work during a reboot, but not the
> poling.
> I just tested this. Now, this brings me back to one of my original
> questions too, asside from having to add each computer as an object to the
> Security to Apply, can I add the machines to the same User Group and then
> Apply (Filter) the security on that Group. In this situation this
> solution
> seems to be the fastest since I would not have to apply a GPO to each OU
> that
> the computers were a part of.
>
> On the second method - just to clarify, if I already have my computers
> assigned to each OU for their respective locations, I would just have to
> apply my GPO with the Authenticated Users in the Security by default, to
> enforce the Computer Config on the machines in that OU? Is this also
> correct.
>
> Thanks for the patient responses.
>
>
>
> "Steven L Umbach" wrote:
>
>> You have two options. Either put all the computers in an OU, which could
>> be
>> a child OU of an existing OU so that all parent OU computer configuration
>> settings still can apply to computers in the child OU unless the child OU
>> has same defined settings which will override same defined settings at
>> parent level, or filter a Group Policy that would apply to computers so
>> that
>> the "apply" permission has only the global groups that contain computers
>> that you want the Group Policy computer configuration to apply to. Ether
>> way
>> the computers must be within the scope of influence of the Group Policy.
>> The
>> link below may help if you have not seen it yet. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
>>
>> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> news:72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com...
>> > So Steve - back to my original question, since my model is small, it is
>> > my
>> > understanding that I can "filter" a particular GPO from the Domain
>> > Level
>> > to
>> > apply only to specific user groups that I have created. (I base that
>> > statement on Chapter 4 - How Group Policy Works in the Windows 2000
>> > Server
>> > doc, on the Technet CD.)
>> >
>> > "Administrators can overcome this problem by organizing users and
>> > computers
>> > into security groups, and then using these groups to filter the impact
>> > of
>> > Group Policy.
>> >
>> > The IT department can create groups based on the tasks that their users
>> > perform, the degree of authority users have to modify their own or
>> > other
>> > computers, and the configurations that users need to have. For example,
>> > the
>> > IT department could accomplish their goal by creating a security group
>> > just
>> > for vice presidents. This can greatly simplify the process of
>> > administering
>> > users with disparate configuration and permission requirements.
>> > Therefore,
>> > in
>> > Figure 4.4, the vice presidents' security group might prevent the
>> > domain
>> > level GPO (GPO 2) from applying to vice presidents in the Headquarters
>> > and
>> > Marketing OUs. "
>> >
>> > Based on that, if were to create a domain GPO, and filter based 3
>> > specific
>> > groups to apply, and if in those groups I assigned the computers that
>> > were
>> > part of each group...would the Computer Configuration be pushed to the
>> > machines, based on the imported Root Certificate?
>> >
>> > Thanks
>> > J
>> >
>> >
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> It is computer configuration which means that the policy is non user
>> >> specific and will apply to all users that logon to that computer. You
>> >> can
>> >> not filter computer configuration policy be user but you could for
>> >> specific
>> >> computers or a global group that computers are a member of. I can't
>> >> think
>> >> of
>> >> a work around offhand to have it work for specific users. --- Steve
>> >>
>> >>
>> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
>> >> > Thanks, so barring adding each computer to the policy where I think
>> >> > a
>> >> > user
>> >> > might log into, would this work: Adding the Computers to the Groups
>> >> > in
>> >> > which
>> >> > the policy is applied to. So that an OU called "Shipping
>> >> > Department"
>> >> > has
>> >> > a
>> >> > group assigned to it called "Shipping". Members of the Shipping
>> >> > group
>> >> > are
>> >> > user1 and user2. A policy is created with Permissions to apply a
>> >> > Trusted
>> >> > Root Certificate to the Shipping Group, which would install the
>> >> > certificate I
>> >> > want but only for those particular users. Am I correct in saying
>> >> > that
>> >> > I
>> >> > should just add the computers that are physically located in the
>> >> > Shipping
>> >> > Department to the group Shipping, so that all Computer Policies are
>> >> > applied
>> >> > to the machine?
>> >> >
>> >> > I kind of thought that the computer policies would apply to the
>> >> > computer
>> >> > that a particular user logged into, not the a specific computer?
>> >> > Can
>> >> > we
>> >> > verify this? That link that I included for accomplishing these
>> >> > steps,
>> >> > said
>> >> > nothing about adding specific users, in fact it was a Default Domain
>> >> > Policy?
>> >> >
>> >> > Thanks
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> That policy is "computer configuration". You will have to have that
>> >> >> policy
>> >> >> apply to a computer that the user logs onto. For instance if you
>> >> >> configured
>> >> >> that Group Policy at the OU level, the computer account will need
>> >> >> to
>> >> >> be
>> >> >> in
>> >> >> that OU. --- Steve
>> >> >>
>> >> >>
>> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
>> >> >> >I am looking to attach a certificate to a GPO, under the Trusted
>> >> >> >Root
>> >> >> > Certificates so that specific users on the network who access the
>> >> >> > Secure
>> >> >> > (https) Outlook Web Agent 2003, will already have the certifiacte
>> >> >> > installed,
>> >> >> > and not have to answer yes to a certificate question each time
>> >> >> > the
>> >> >> > browser
>> >> >> > access the website on the exchange server.
>> >> >> >
>> >> >> > My attempt has been this, accessed the server and installed the
>> >> >> > certificate,
>> >> >> > then I exported the certificate as p7b...I then could mannually
>> >> >> > go
>> >> >> > to
>> >> >> > other
>> >> >> > machines and import the certificate, but do not want to do that
>> >> >> > over
>> >> >> > the
>> >> >> > enterprise.
>> >> >> >
>> >> >> > I created a GPO based on this link:
>> >> >> > "http://www.microsoft.com/windows2000/techinfo/planning/..."
>> >> >> > I applied the policy only to my test user that I created, yet the
>> >> >> > certificate is never installed as I would have expected it. I
>> >> >> > suspect
>> >> >> > that I
>> >> >> > have missed something, but can't put my finger on it.
>> >> >> >
>> >> >> > Any ideas?
>> >> >> > J
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
Anonymous
February 15, 2005 5:35:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

So for this example, create 2 Global Groups, perhaps one called Mail_Users
and the other Mail_Workstations. Then assign the users and computers to each
respective group, and use those two groups in the GPO Security settings to
Apply and then what - Assign the GPO to the Domain?. Am I following you
correctly?

Thanks

"Steven L Umbach" wrote:

> What makes sense is to have two domain global groups - one for users and one
> for computers that you want the Group Policy to apply to. The user group
> would only apply user configuration and the computer group to computer
> configuration. You could combine them all into one global group but from an
> organizational standpoint I would use separate groups. Most Group Policy is
> applied at logon/startup and at the refresh interval. Note that the default
> interval has a default offset of thirty minus which means it can take up to
> two hours for the refresh interval to apply. You can do a manual refresh
> with secedit /refreshpolicy machine_policy /enforce for Windows 2000
> computers or gpupdate /force for XP/W2003 computers.
>
> If you want to apply Group Policy to all users/computers in an OU, then
> leaving authenticated users as the apply group will work fine. You can use
> the support tool gpresult to see all the groups that a user or computer is
> currently a member of, what Group Policy is applied to a user or computer,
> and the last time it was applied.. --- Steve
>
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:5060DB8B-62E1-43C4-B354-267D20D87CE3@microsoft.com...
> > Okay, so that kind of leads me back to my original issue, I have created a
> > Domain level GPO called Mail, in order to test this. The GPO has defined
> > in
> > it, the Trusted Root Certificate that I want specific machines to have
> > installed on it. I removed the Authenticated Users from the Security of
> > the
> > GPO, and added my Test user for the User portion of the policy, and I have
> > added a specific computer by browsing to it. For both I have selected the
> > options to Apply and Read the GPO.
> >
> > According to what I have read, when the machine reboots, or at the poling
> > intervul of 90 minutes I think it was, the computer should pick up and
> > apply
> > the policy. I think I am seeing it work during a reboot, but not the
> > poling.
> > I just tested this. Now, this brings me back to one of my original
> > questions too, asside from having to add each computer as an object to the
> > Security to Apply, can I add the machines to the same User Group and then
> > Apply (Filter) the security on that Group. In this situation this
> > solution
> > seems to be the fastest since I would not have to apply a GPO to each OU
> > that
> > the computers were a part of.
> >
> > On the second method - just to clarify, if I already have my computers
> > assigned to each OU for their respective locations, I would just have to
> > apply my GPO with the Authenticated Users in the Security by default, to
> > enforce the Computer Config on the machines in that OU? Is this also
> > correct.
> >
> > Thanks for the patient responses.
> >
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> You have two options. Either put all the computers in an OU, which could
> >> be
> >> a child OU of an existing OU so that all parent OU computer configuration
> >> settings still can apply to computers in the child OU unless the child OU
> >> has same defined settings which will override same defined settings at
> >> parent level, or filter a Group Policy that would apply to computers so
> >> that
> >> the "apply" permission has only the global groups that contain computers
> >> that you want the Group Policy computer configuration to apply to. Ether
> >> way
> >> the computers must be within the scope of influence of the Group Policy.
> >> The
> >> link below may help if you have not seen it yet. --- Steve
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
> >>
> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> news:72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com...
> >> > So Steve - back to my original question, since my model is small, it is
> >> > my
> >> > understanding that I can "filter" a particular GPO from the Domain
> >> > Level
> >> > to
> >> > apply only to specific user groups that I have created. (I base that
> >> > statement on Chapter 4 - How Group Policy Works in the Windows 2000
> >> > Server
> >> > doc, on the Technet CD.)
> >> >
> >> > "Administrators can overcome this problem by organizing users and
> >> > computers
> >> > into security groups, and then using these groups to filter the impact
> >> > of
> >> > Group Policy.
> >> >
> >> > The IT department can create groups based on the tasks that their users
> >> > perform, the degree of authority users have to modify their own or
> >> > other
> >> > computers, and the configurations that users need to have. For example,
> >> > the
> >> > IT department could accomplish their goal by creating a security group
> >> > just
> >> > for vice presidents. This can greatly simplify the process of
> >> > administering
> >> > users with disparate configuration and permission requirements.
> >> > Therefore,
> >> > in
> >> > Figure 4.4, the vice presidents' security group might prevent the
> >> > domain
> >> > level GPO (GPO 2) from applying to vice presidents in the Headquarters
> >> > and
> >> > Marketing OUs. "
> >> >
> >> > Based on that, if were to create a domain GPO, and filter based 3
> >> > specific
> >> > groups to apply, and if in those groups I assigned the computers that
> >> > were
> >> > part of each group...would the Computer Configuration be pushed to the
> >> > machines, based on the imported Root Certificate?
> >> >
> >> > Thanks
> >> > J
> >> >
> >> >
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> It is computer configuration which means that the policy is non user
> >> >> specific and will apply to all users that logon to that computer. You
> >> >> can
> >> >> not filter computer configuration policy be user but you could for
> >> >> specific
> >> >> computers or a global group that computers are a member of. I can't
> >> >> think
> >> >> of
> >> >> a work around offhand to have it work for specific users. --- Steve
> >> >>
> >> >>
> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
> >> >> > Thanks, so barring adding each computer to the policy where I think
> >> >> > a
> >> >> > user
> >> >> > might log into, would this work: Adding the Computers to the Groups
> >> >> > in
> >> >> > which
> >> >> > the policy is applied to. So that an OU called "Shipping
> >> >> > Department"
> >> >> > has
> >> >> > a
> >> >> > group assigned to it called "Shipping". Members of the Shipping
> >> >> > group
> >> >> > are
> >> >> > user1 and user2. A policy is created with Permissions to apply a
> >> >> > Trusted
> >> >> > Root Certificate to the Shipping Group, which would install the
> >> >> > certificate I
> >> >> > want but only for those particular users. Am I correct in saying
> >> >> > that
> >> >> > I
> >> >> > should just add the computers that are physically located in the
> >> >> > Shipping
> >> >> > Department to the group Shipping, so that all Computer Policies are
> >> >> > applied
> >> >> > to the machine?
> >> >> >
> >> >> > I kind of thought that the computer policies would apply to the
> >> >> > computer
> >> >> > that a particular user logged into, not the a specific computer?
> >> >> > Can
> >> >> > we
> >> >> > verify this? That link that I included for accomplishing these
> >> >> > steps,
> >> >> > said
> >> >> > nothing about adding specific users, in fact it was a Default Domain
> >> >> > Policy?
> >> >> >
> >> >> > Thanks
> >> >> >
> >> >> > "Steven L Umbach" wrote:
> >> >> >
> >> >> >> That policy is "computer configuration". You will have to have that
> >> >> >> policy
> >> >> >> apply to a computer that the user logs onto. For instance if you
> >> >> >> configured
> >> >> >> that Group Policy at the OU level, the computer account will need
> >> >> >> to
> >> >> >> be
> >> >> >> in
> >> >> >> that OU. --- Steve
> >> >> >>
> >> >> >>
> >> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
> >> >> >> >I am looking to attach a certificate to a GPO, under the Trusted
> >> >> >> >Root
> >> >> >> > Certificates so that specific users on the network who access the
> >> >> >> > Secure
> >> >> >> > (https) Outlook Web Agent 2003, will already have the certifiacte
> >> >> >> > installed,
> >> >> >> > and not have to answer yes to a certificate question each time
> >> >> >> > the
> >> >> >> > browser
> >> >> >> > access the website on the exchange server.
> >> >> >> >
> >> >> >> > My attempt has been this, accessed the server and installed the
> >> >> >> > certificate,
> >> >> >> > then I exported the certificate as p7b...I then could mannually
> >> >> >> > go
> >> >> >> > to
> >> >> >> > other
> >> >> >> > machines and import the certificate, but do not want to do that
> >> >> >> > over
> >> >> >> > the
> >> >> >> > enterprise.
> >> >> >> >
> >> >> >> > I created a GPO based on this link:
> >> >> >> > "http://www.microsoft.com/windows2000/techinfo/planning/..."
> >> >> >> > I applied the policy only to my test user that I created, yet the
> >> >> >> > certificate is never installed as I would have expected it. I
> >> >> >> > suspect
> >> >> >> > that I
> >> >> >> > have missed something, but can't put my finger on it.
> >> >> >> >
> >> >> >> > Any ideas?
> >> >> >> > J
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
Anonymous
February 15, 2005 7:57:15 PM

Archived from groups: microsoft.public.win2000.security (More info?)

That should work fine with the GPO at the domain level. --- Steve

"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
> So for this example, create 2 Global Groups, perhaps one called Mail_Users
> and the other Mail_Workstations. Then assign the users and computers to
> each
> respective group, and use those two groups in the GPO Security settings to
> Apply and then what - Assign the GPO to the Domain?. Am I following you
> correctly?
>
> Thanks
>
> "Steven L Umbach" wrote:
>
>> What makes sense is to have two domain global groups - one for users and
>> one
>> for computers that you want the Group Policy to apply to. The user group
>> would only apply user configuration and the computer group to computer
>> configuration. You could combine them all into one global group but from
>> an
>> organizational standpoint I would use separate groups. Most Group Policy
>> is
>> applied at logon/startup and at the refresh interval. Note that the
>> default
>> interval has a default offset of thirty minus which means it can take up
>> to
>> two hours for the refresh interval to apply. You can do a manual refresh
>> with secedit /refreshpolicy machine_policy /enforce for Windows 2000
>> computers or gpupdate /force for XP/W2003 computers.
>>
>> If you want to apply Group Policy to all users/computers in an OU, then
>> leaving authenticated users as the apply group will work fine. You can
>> use
>> the support tool gpresult to see all the groups that a user or computer
>> is
>> currently a member of, what Group Policy is applied to a user or
>> computer,
>> and the last time it was applied.. --- Steve
>>
>>
>> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> news:5060DB8B-62E1-43C4-B354-267D20D87CE3@microsoft.com...
>> > Okay, so that kind of leads me back to my original issue, I have
>> > created a
>> > Domain level GPO called Mail, in order to test this. The GPO has
>> > defined
>> > in
>> > it, the Trusted Root Certificate that I want specific machines to have
>> > installed on it. I removed the Authenticated Users from the Security
>> > of
>> > the
>> > GPO, and added my Test user for the User portion of the policy, and I
>> > have
>> > added a specific computer by browsing to it. For both I have selected
>> > the
>> > options to Apply and Read the GPO.
>> >
>> > According to what I have read, when the machine reboots, or at the
>> > poling
>> > intervul of 90 minutes I think it was, the computer should pick up and
>> > apply
>> > the policy. I think I am seeing it work during a reboot, but not the
>> > poling.
>> > I just tested this. Now, this brings me back to one of my original
>> > questions too, asside from having to add each computer as an object to
>> > the
>> > Security to Apply, can I add the machines to the same User Group and
>> > then
>> > Apply (Filter) the security on that Group. In this situation this
>> > solution
>> > seems to be the fastest since I would not have to apply a GPO to each
>> > OU
>> > that
>> > the computers were a part of.
>> >
>> > On the second method - just to clarify, if I already have my computers
>> > assigned to each OU for their respective locations, I would just have
>> > to
>> > apply my GPO with the Authenticated Users in the Security by default,
>> > to
>> > enforce the Computer Config on the machines in that OU? Is this also
>> > correct.
>> >
>> > Thanks for the patient responses.
>> >
>> >
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> You have two options. Either put all the computers in an OU, which
>> >> could
>> >> be
>> >> a child OU of an existing OU so that all parent OU computer
>> >> configuration
>> >> settings still can apply to computers in the child OU unless the child
>> >> OU
>> >> has same defined settings which will override same defined settings at
>> >> parent level, or filter a Group Policy that would apply to computers
>> >> so
>> >> that
>> >> the "apply" permission has only the global groups that contain
>> >> computers
>> >> that you want the Group Policy computer configuration to apply to.
>> >> Ether
>> >> way
>> >> the computers must be within the scope of influence of the Group
>> >> Policy.
>> >> The
>> >> link below may help if you have not seen it yet. --- Steve
>> >>
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
>> >>
>> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> news:72BDC33D-EDFB-4BBE-A814-4BD1595958C1@microsoft.com...
>> >> > So Steve - back to my original question, since my model is small, it
>> >> > is
>> >> > my
>> >> > understanding that I can "filter" a particular GPO from the Domain
>> >> > Level
>> >> > to
>> >> > apply only to specific user groups that I have created. (I base
>> >> > that
>> >> > statement on Chapter 4 - How Group Policy Works in the Windows 2000
>> >> > Server
>> >> > doc, on the Technet CD.)
>> >> >
>> >> > "Administrators can overcome this problem by organizing users and
>> >> > computers
>> >> > into security groups, and then using these groups to filter the
>> >> > impact
>> >> > of
>> >> > Group Policy.
>> >> >
>> >> > The IT department can create groups based on the tasks that their
>> >> > users
>> >> > perform, the degree of authority users have to modify their own or
>> >> > other
>> >> > computers, and the configurations that users need to have. For
>> >> > example,
>> >> > the
>> >> > IT department could accomplish their goal by creating a security
>> >> > group
>> >> > just
>> >> > for vice presidents. This can greatly simplify the process of
>> >> > administering
>> >> > users with disparate configuration and permission requirements.
>> >> > Therefore,
>> >> > in
>> >> > Figure 4.4, the vice presidents' security group might prevent the
>> >> > domain
>> >> > level GPO (GPO 2) from applying to vice presidents in the
>> >> > Headquarters
>> >> > and
>> >> > Marketing OUs. "
>> >> >
>> >> > Based on that, if were to create a domain GPO, and filter based 3
>> >> > specific
>> >> > groups to apply, and if in those groups I assigned the computers
>> >> > that
>> >> > were
>> >> > part of each group...would the Computer Configuration be pushed to
>> >> > the
>> >> > machines, based on the imported Root Certificate?
>> >> >
>> >> > Thanks
>> >> > J
>> >> >
>> >> >
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> It is computer configuration which means that the policy is non
>> >> >> user
>> >> >> specific and will apply to all users that logon to that computer.
>> >> >> You
>> >> >> can
>> >> >> not filter computer configuration policy be user but you could for
>> >> >> specific
>> >> >> computers or a global group that computers are a member of. I can't
>> >> >> think
>> >> >> of
>> >> >> a work around offhand to have it work for specific users. --- Steve
>> >> >>
>> >> >>
>> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> >> news:22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com...
>> >> >> > Thanks, so barring adding each computer to the policy where I
>> >> >> > think
>> >> >> > a
>> >> >> > user
>> >> >> > might log into, would this work: Adding the Computers to the
>> >> >> > Groups
>> >> >> > in
>> >> >> > which
>> >> >> > the policy is applied to. So that an OU called "Shipping
>> >> >> > Department"
>> >> >> > has
>> >> >> > a
>> >> >> > group assigned to it called "Shipping". Members of the Shipping
>> >> >> > group
>> >> >> > are
>> >> >> > user1 and user2. A policy is created with Permissions to apply a
>> >> >> > Trusted
>> >> >> > Root Certificate to the Shipping Group, which would install the
>> >> >> > certificate I
>> >> >> > want but only for those particular users. Am I correct in saying
>> >> >> > that
>> >> >> > I
>> >> >> > should just add the computers that are physically located in the
>> >> >> > Shipping
>> >> >> > Department to the group Shipping, so that all Computer Policies
>> >> >> > are
>> >> >> > applied
>> >> >> > to the machine?
>> >> >> >
>> >> >> > I kind of thought that the computer policies would apply to the
>> >> >> > computer
>> >> >> > that a particular user logged into, not the a specific computer?
>> >> >> > Can
>> >> >> > we
>> >> >> > verify this? That link that I included for accomplishing these
>> >> >> > steps,
>> >> >> > said
>> >> >> > nothing about adding specific users, in fact it was a Default
>> >> >> > Domain
>> >> >> > Policy?
>> >> >> >
>> >> >> > Thanks
>> >> >> >
>> >> >> > "Steven L Umbach" wrote:
>> >> >> >
>> >> >> >> That policy is "computer configuration". You will have to have
>> >> >> >> that
>> >> >> >> policy
>> >> >> >> apply to a computer that the user logs onto. For instance if you
>> >> >> >> configured
>> >> >> >> that Group Policy at the OU level, the computer account will
>> >> >> >> need
>> >> >> >> to
>> >> >> >> be
>> >> >> >> in
>> >> >> >> that OU. --- Steve
>> >> >> >>
>> >> >> >>
>> >> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> >> >> news:2B70371B-B70B-43AE-86B5-0DCBEFF34E85@microsoft.com...
>> >> >> >> >I am looking to attach a certificate to a GPO, under the
>> >> >> >> >Trusted
>> >> >> >> >Root
>> >> >> >> > Certificates so that specific users on the network who access
>> >> >> >> > the
>> >> >> >> > Secure
>> >> >> >> > (https) Outlook Web Agent 2003, will already have the
>> >> >> >> > certifiacte
>> >> >> >> > installed,
>> >> >> >> > and not have to answer yes to a certificate question each time
>> >> >> >> > the
>> >> >> >> > browser
>> >> >> >> > access the website on the exchange server.
>> >> >> >> >
>> >> >> >> > My attempt has been this, accessed the server and installed
>> >> >> >> > the
>> >> >> >> > certificate,
>> >> >> >> > then I exported the certificate as p7b...I then could
>> >> >> >> > mannually
>> >> >> >> > go
>> >> >> >> > to
>> >> >> >> > other
>> >> >> >> > machines and import the certificate, but do not want to do
>> >> >> >> > that
>> >> >> >> > over
>> >> >> >> > the
>> >> >> >> > enterprise.
>> >> >> >> >
>> >> >> >> > I created a GPO based on this link:
>> >> >> >> > "http://www.microsoft.com/windows2000/techinfo/planning/..."
>> >> >> >> > I applied the policy only to my test user that I created, yet
>> >> >> >> > the
>> >> >> >> > certificate is never installed as I would have expected it. I
>> >> >> >> > suspect
>> >> >> >> > that I
>> >> >> >> > have missed something, but can't put my finger on it.
>> >> >> >> >
>> >> >> >> > Any ideas?
>> >> >> >> > J
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
Anonymous
February 16, 2005 6:27:19 AM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
microsoft.public.win2000.security news group, Steven L Umbach <n9rou@n0-
spam-for-me-comcast.net> says...

> That should work fine with the GPO at the domain level. --- Steve
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
> > So for this example, create 2 Global Groups, perhaps one called Mail_Users
> > and the other Mail_Workstations. Then assign the users and computers to
> > each
> > respective group, and use those two groups in the GPO Security settings to
> > Apply and then what - Assign the GPO to the Domain?. Am I following you
> > correctly?
>

If all the OP is trying to do here is to push the required root
certificate out however, there is no need for the Mail_Users group at
all. Since the Public Key policy settings are in the Computer
Configuration section of the GPO, that section will _never_ be processed
by user. Giving them permissions on a GPO that they will never process
doesn't accomplish anything. In fact, as a best practice, if a GPO
contains _only_ user or _only_ computer settings processing of the empty
section of the GPO should be disabled for performance reasons. No point
processing a GPO that doesn't contain settings that will be applied.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 16, 2005 9:31:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Actually that was not the only thing I was trying to accomplish. There are
specific user configurations that I will be performing as well. But my whole
issue was that When I removed Authenticated Users from the default setting
for the Apply of the GPO, the computer configuration was not applied, when I
used this GPO at the domain level, since Domain Computers are a member of
Authenticated Users, other GPO's that I made computer config changes to,
worked just fine. Once I modified a group to include the specific computers
that would get this particular config, and applied it to the GPO (filter)
everything worked like a charm.

I do have another question, raised by your comment below. I notice there
are options for the GPO to Disable User or Computer Configuration Settings.
When I have a policy (not this one), that has Authenticated Users as the
default, and I have left this setting as is, but made no comptuer changes -
is it safe to assume that the computer configuration is skipped - or in a
domain of less than 50 users, do I care? Is performance really a concern?

"Paul Adare" wrote:

> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
> microsoft.public.win2000.security news group, Steven L Umbach <n9rou@n0-
> spam-for-me-comcast.net> says...
>
> > That should work fine with the GPO at the domain level. --- Steve
> >
> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
> > > So for this example, create 2 Global Groups, perhaps one called Mail_Users
> > > and the other Mail_Workstations. Then assign the users and computers to
> > > each
> > > respective group, and use those two groups in the GPO Security settings to
> > > Apply and then what - Assign the GPO to the Domain?. Am I following you
> > > correctly?
> >
>
> If all the OP is trying to do here is to push the required root
> certificate out however, there is no need for the Mail_Users group at
> all. Since the Public Key policy settings are in the Computer
> Configuration section of the GPO, that section will _never_ be processed
> by user. Giving them permissions on a GPO that they will never process
> doesn't accomplish anything. In fact, as a best practice, if a GPO
> contains _only_ user or _only_ computer settings processing of the empty
> section of the GPO should be disabled for performance reasons. No point
> processing a GPO that doesn't contain settings that will be applied.
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
>
Anonymous
February 16, 2005 11:43:15 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If you have a Group Policy where no computer configuration is defined it
makes sense to disable the computer part of the Group Policy. Just keep in
mind that it is disabled because we tend to forget such as time goes on and
someday if you do define a computer configuration setting it obviously will
not work until you enable the computer configuration portion of the Group
Policy. If you are using Group Policy Management console [via an XP Pro
domain computer for W2K domain] it will be easier to see such. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default...

"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
> Actually that was not the only thing I was trying to accomplish. There
> are
> specific user configurations that I will be performing as well. But my
> whole
> issue was that When I removed Authenticated Users from the default setting
> for the Apply of the GPO, the computer configuration was not applied, when
> I
> used this GPO at the domain level, since Domain Computers are a member of
> Authenticated Users, other GPO's that I made computer config changes to,
> worked just fine. Once I modified a group to include the specific
> computers
> that would get this particular config, and applied it to the GPO (filter)
> everything worked like a charm.
>
> I do have another question, raised by your comment below. I notice there
> are options for the GPO to Disable User or Computer Configuration
> Settings.
> When I have a policy (not this one), that has Authenticated Users as the
> default, and I have left this setting as is, but made no comptuer
> changes -
> is it safe to assume that the computer configuration is skipped - or in a
> domain of less than 50 users, do I care? Is performance really a concern?
>
> "Paul Adare" wrote:
>
>> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
>> microsoft.public.win2000.security news group, Steven L Umbach <n9rou@n0-
>> spam-for-me-comcast.net> says...
>>
>> > That should work fine with the GPO at the domain level. --- Steve
>> >
>> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
>> > > So for this example, create 2 Global Groups, perhaps one called
>> > > Mail_Users
>> > > and the other Mail_Workstations. Then assign the users and computers
>> > > to
>> > > each
>> > > respective group, and use those two groups in the GPO Security
>> > > settings to
>> > > Apply and then what - Assign the GPO to the Domain?. Am I following
>> > > you
>> > > correctly?
>> >
>>
>> If all the OP is trying to do here is to push the required root
>> certificate out however, there is no need for the Mail_Users group at
>> all. Since the Public Key policy settings are in the Computer
>> Configuration section of the GPO, that section will _never_ be processed
>> by user. Giving them permissions on a GPO that they will never process
>> doesn't accomplish anything. In fact, as a best practice, if a GPO
>> contains _only_ user or _only_ computer settings processing of the empty
>> section of the GPO should be disabled for performance reasons. No point
>> processing a GPO that doesn't contain settings that will be applied.
>>
>> --
>> Paul Adare
>> "On two occasions, I have been asked [by members of Parliament],
>> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
>> will the right answers come out?' I am not able to rightly apprehend
>> the kind of confusion of ideas that could provoke such a question."
>> -- Charles Babbage (1791-1871)
>>
Anonymous
February 17, 2005 8:51:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks Steve, I actually install and start playing around with the GPMC SP1
yesterday. I posted an issue with the tool on another board, but in short I
can run the tool by browsing to it in Admin tools, but if I attempt to add
the tool as a snap-in to my custom mmc console, a Microsoft error is
generated, and the console crashes. I get the same results when I attempt to
add the Exchange 2003 snap-in for System Manager, the console crashes and I
can't add it. However, once again if I browse to it and run it, works fine.
Ever heard of that behaviour?

Thanks again.


"Steven L Umbach" wrote:

> If you have a Group Policy where no computer configuration is defined it
> makes sense to disable the computer part of the Group Policy. Just keep in
> mind that it is disabled because we tend to forget such as time goes on and
> someday if you do define a computer configuration setting it obviously will
> not work until you enable the computer configuration portion of the Group
> Policy. If you are using Group Policy Management console [via an XP Pro
> domain computer for W2K domain] it will be easier to see such. --- Steve
>
> http://www.microsoft.com/windowsserver2003/gpmc/default...
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
> > Actually that was not the only thing I was trying to accomplish. There
> > are
> > specific user configurations that I will be performing as well. But my
> > whole
> > issue was that When I removed Authenticated Users from the default setting
> > for the Apply of the GPO, the computer configuration was not applied, when
> > I
> > used this GPO at the domain level, since Domain Computers are a member of
> > Authenticated Users, other GPO's that I made computer config changes to,
> > worked just fine. Once I modified a group to include the specific
> > computers
> > that would get this particular config, and applied it to the GPO (filter)
> > everything worked like a charm.
> >
> > I do have another question, raised by your comment below. I notice there
> > are options for the GPO to Disable User or Computer Configuration
> > Settings.
> > When I have a policy (not this one), that has Authenticated Users as the
> > default, and I have left this setting as is, but made no comptuer
> > changes -
> > is it safe to assume that the computer configuration is skipped - or in a
> > domain of less than 50 users, do I care? Is performance really a concern?
> >
> > "Paul Adare" wrote:
> >
> >> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
> >> microsoft.public.win2000.security news group, Steven L Umbach <n9rou@n0-
> >> spam-for-me-comcast.net> says...
> >>
> >> > That should work fine with the GPO at the domain level. --- Steve
> >> >
> >> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
> >> > > So for this example, create 2 Global Groups, perhaps one called
> >> > > Mail_Users
> >> > > and the other Mail_Workstations. Then assign the users and computers
> >> > > to
> >> > > each
> >> > > respective group, and use those two groups in the GPO Security
> >> > > settings to
> >> > > Apply and then what - Assign the GPO to the Domain?. Am I following
> >> > > you
> >> > > correctly?
> >> >
> >>
> >> If all the OP is trying to do here is to push the required root
> >> certificate out however, there is no need for the Mail_Users group at
> >> all. Since the Public Key policy settings are in the Computer
> >> Configuration section of the GPO, that section will _never_ be processed
> >> by user. Giving them permissions on a GPO that they will never process
> >> doesn't accomplish anything. In fact, as a best practice, if a GPO
> >> contains _only_ user or _only_ computer settings processing of the empty
> >> section of the GPO should be disabled for performance reasons. No point
> >> processing a GPO that doesn't contain settings that will be applied.
> >>
> >> --
> >> Paul Adare
> >> "On two occasions, I have been asked [by members of Parliament],
> >> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> >> will the right answers come out?' I am not able to rightly apprehend
> >> the kind of confusion of ideas that could provoke such a question."
> >> -- Charles Babbage (1791-1871)
> >>
>
>
>
Anonymous
February 17, 2005 5:05:50 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hmm. I can't help with that as I have never experienced it. I don't use it
as a mmc snapin, I just run it from Administrative Tools. --- Steve


"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:C18EA64A-F4B7-4776-9EB2-F7A27A0267AA@microsoft.com...
> Thanks Steve, I actually install and start playing around with the GPMC
> SP1
> yesterday. I posted an issue with the tool on another board, but in short
> I
> can run the tool by browsing to it in Admin tools, but if I attempt to
> add
> the tool as a snap-in to my custom mmc console, a Microsoft error is
> generated, and the console crashes. I get the same results when I attempt
> to
> add the Exchange 2003 snap-in for System Manager, the console crashes and
> I
> can't add it. However, once again if I browse to it and run it, works
> fine.
> Ever heard of that behaviour?
>
> Thanks again.
>
>
> "Steven L Umbach" wrote:
>
>> If you have a Group Policy where no computer configuration is defined it
>> makes sense to disable the computer part of the Group Policy. Just keep
>> in
>> mind that it is disabled because we tend to forget such as time goes on
>> and
>> someday if you do define a computer configuration setting it obviously
>> will
>> not work until you enable the computer configuration portion of the Group
>> Policy. If you are using Group Policy Management console [via an XP Pro
>> domain computer for W2K domain] it will be easier to see such. --- Steve
>>
>> http://www.microsoft.com/windowsserver2003/gpmc/default...
>>
>> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
>> > Actually that was not the only thing I was trying to accomplish. There
>> > are
>> > specific user configurations that I will be performing as well. But my
>> > whole
>> > issue was that When I removed Authenticated Users from the default
>> > setting
>> > for the Apply of the GPO, the computer configuration was not applied,
>> > when
>> > I
>> > used this GPO at the domain level, since Domain Computers are a member
>> > of
>> > Authenticated Users, other GPO's that I made computer config changes
>> > to,
>> > worked just fine. Once I modified a group to include the specific
>> > computers
>> > that would get this particular config, and applied it to the GPO
>> > (filter)
>> > everything worked like a charm.
>> >
>> > I do have another question, raised by your comment below. I notice
>> > there
>> > are options for the GPO to Disable User or Computer Configuration
>> > Settings.
>> > When I have a policy (not this one), that has Authenticated Users as
>> > the
>> > default, and I have left this setting as is, but made no comptuer
>> > changes -
>> > is it safe to assume that the computer configuration is skipped - or in
>> > a
>> > domain of less than 50 users, do I care? Is performance really a
>> > concern?
>> >
>> > "Paul Adare" wrote:
>> >
>> >> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
>> >> microsoft.public.win2000.security news group, Steven L Umbach
>> >> <n9rou@n0-
>> >> spam-for-me-comcast.net> says...
>> >>
>> >> > That should work fine with the GPO at the domain level. --- Steve
>> >> >
>> >> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
>> >> > > So for this example, create 2 Global Groups, perhaps one called
>> >> > > Mail_Users
>> >> > > and the other Mail_Workstations. Then assign the users and
>> >> > > computers
>> >> > > to
>> >> > > each
>> >> > > respective group, and use those two groups in the GPO Security
>> >> > > settings to
>> >> > > Apply and then what - Assign the GPO to the Domain?. Am I
>> >> > > following
>> >> > > you
>> >> > > correctly?
>> >> >
>> >>
>> >> If all the OP is trying to do here is to push the required root
>> >> certificate out however, there is no need for the Mail_Users group at
>> >> all. Since the Public Key policy settings are in the Computer
>> >> Configuration section of the GPO, that section will _never_ be
>> >> processed
>> >> by user. Giving them permissions on a GPO that they will never process
>> >> doesn't accomplish anything. In fact, as a best practice, if a GPO
>> >> contains _only_ user or _only_ computer settings processing of the
>> >> empty
>> >> section of the GPO should be disabled for performance reasons. No
>> >> point
>> >> processing a GPO that doesn't contain settings that will be applied.
>> >>
>> >> --
>> >> Paul Adare
>> >> "On two occasions, I have been asked [by members of Parliament],
>> >> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
>> >> will the right answers come out?' I am not able to rightly apprehend
>> >> the kind of confusion of ideas that could provoke such a question."
>> >> -- Charles Babbage (1791-1871)
>> >>
>>
>>
>>
Anonymous
February 17, 2005 5:05:51 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks Steve, I posted the behavior in the Exchange.Misc board, I think right
next to "fat chance of anyone having the same issue"...thanks a ton for all
of your help on this one here. I posted a Group Policy post related to the
fact that not all of my machines in the Group are taking the policy, about
half of them, and several of them only after I reboot...the whole 90-120
minute thing for computers poling and getting a new machine policy is not
working...if you had any thoughts on that the post is over there in
Win2000.Group Policy...

Thanks
J

"Steven L Umbach" wrote:

> Hmm. I can't help with that as I have never experienced it. I don't use it
> as a mmc snapin, I just run it from Administrative Tools. --- Steve
>
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:C18EA64A-F4B7-4776-9EB2-F7A27A0267AA@microsoft.com...
> > Thanks Steve, I actually install and start playing around with the GPMC
> > SP1
> > yesterday. I posted an issue with the tool on another board, but in short
> > I
> > can run the tool by browsing to it in Admin tools, but if I attempt to
> > add
> > the tool as a snap-in to my custom mmc console, a Microsoft error is
> > generated, and the console crashes. I get the same results when I attempt
> > to
> > add the Exchange 2003 snap-in for System Manager, the console crashes and
> > I
> > can't add it. However, once again if I browse to it and run it, works
> > fine.
> > Ever heard of that behaviour?
> >
> > Thanks again.
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> If you have a Group Policy where no computer configuration is defined it
> >> makes sense to disable the computer part of the Group Policy. Just keep
> >> in
> >> mind that it is disabled because we tend to forget such as time goes on
> >> and
> >> someday if you do define a computer configuration setting it obviously
> >> will
> >> not work until you enable the computer configuration portion of the Group
> >> Policy. If you are using Group Policy Management console [via an XP Pro
> >> domain computer for W2K domain] it will be easier to see such. --- Steve
> >>
> >> http://www.microsoft.com/windowsserver2003/gpmc/default...
> >>
> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
> >> > Actually that was not the only thing I was trying to accomplish. There
> >> > are
> >> > specific user configurations that I will be performing as well. But my
> >> > whole
> >> > issue was that When I removed Authenticated Users from the default
> >> > setting
> >> > for the Apply of the GPO, the computer configuration was not applied,
> >> > when
> >> > I
> >> > used this GPO at the domain level, since Domain Computers are a member
> >> > of
> >> > Authenticated Users, other GPO's that I made computer config changes
> >> > to,
> >> > worked just fine. Once I modified a group to include the specific
> >> > computers
> >> > that would get this particular config, and applied it to the GPO
> >> > (filter)
> >> > everything worked like a charm.
> >> >
> >> > I do have another question, raised by your comment below. I notice
> >> > there
> >> > are options for the GPO to Disable User or Computer Configuration
> >> > Settings.
> >> > When I have a policy (not this one), that has Authenticated Users as
> >> > the
> >> > default, and I have left this setting as is, but made no comptuer
> >> > changes -
> >> > is it safe to assume that the computer configuration is skipped - or in
> >> > a
> >> > domain of less than 50 users, do I care? Is performance really a
> >> > concern?
> >> >
> >> > "Paul Adare" wrote:
> >> >
> >> >> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
> >> >> microsoft.public.win2000.security news group, Steven L Umbach
> >> >> <n9rou@n0-
> >> >> spam-for-me-comcast.net> says...
> >> >>
> >> >> > That should work fine with the GPO at the domain level. --- Steve
> >> >> >
> >> >> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
> >> >> > > So for this example, create 2 Global Groups, perhaps one called
> >> >> > > Mail_Users
> >> >> > > and the other Mail_Workstations. Then assign the users and
> >> >> > > computers
> >> >> > > to
> >> >> > > each
> >> >> > > respective group, and use those two groups in the GPO Security
> >> >> > > settings to
> >> >> > > Apply and then what - Assign the GPO to the Domain?. Am I
> >> >> > > following
> >> >> > > you
> >> >> > > correctly?
> >> >> >
> >> >>
> >> >> If all the OP is trying to do here is to push the required root
> >> >> certificate out however, there is no need for the Mail_Users group at
> >> >> all. Since the Public Key policy settings are in the Computer
> >> >> Configuration section of the GPO, that section will _never_ be
> >> >> processed
> >> >> by user. Giving them permissions on a GPO that they will never process
> >> >> doesn't accomplish anything. In fact, as a best practice, if a GPO
> >> >> contains _only_ user or _only_ computer settings processing of the
> >> >> empty
> >> >> section of the GPO should be disabled for performance reasons. No
> >> >> point
> >> >> processing a GPO that doesn't contain settings that will be applied.
> >> >>
> >> >> --
> >> >> Paul Adare
> >> >> "On two occasions, I have been asked [by members of Parliament],
> >> >> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> >> >> will the right answers come out?' I am not able to rightly apprehend
> >> >> the kind of confusion of ideas that could provoke such a question."
> >> >> -- Charles Babbage (1791-1871)
> >> >>
> >>
> >>
> >>
>
>
>
Anonymous
February 18, 2005 10:15:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

OK. Well for that I would start with gpresult and GPMC to make sure that the
computers are showing as existing in the right OU. Gpresult will also show
what computer configuration GPO's are being applied to a computer and the
last time they were applied. RSOP in logging and planning mode can help you
track down what is going on. RSOP allows you to run scenarios based on the
OU that the computer is in, group membership, and slow link detection. If
RSOP planning mode differs from what you are experiencing then their may be
a network connectivity, dns name resolution, or domain computer account
problem and the support tool netdiag can be run on any domain computer
including domain controllers to check for such. See the link below to first
make sure your dns is 100 percent correct for the domain as improper dns
configuration is the root of most Active Directory problems. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-... --- AD
dns FAQ
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
and ho to install support tools.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-... ---
troubleshooting Group Policy

"Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
news:CDC3CC09-D644-433F-957E-B435920DF4C5@microsoft.com...
> Thanks Steve, I posted the behavior in the Exchange.Misc board, I think
> right
> next to "fat chance of anyone having the same issue"...thanks a ton for
> all
> of your help on this one here. I posted a Group Policy post related to
> the
> fact that not all of my machines in the Group are taking the policy, about
> half of them, and several of them only after I reboot...the whole 90-120
> minute thing for computers poling and getting a new machine policy is not
> working...if you had any thoughts on that the post is over there in
> Win2000.Group Policy...
>
> Thanks
> J
>
> "Steven L Umbach" wrote:
>
>> Hmm. I can't help with that as I have never experienced it. I don't use
>> it
>> as a mmc snapin, I just run it from Administrative Tools. --- Steve
>>
>>
>> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> news:C18EA64A-F4B7-4776-9EB2-F7A27A0267AA@microsoft.com...
>> > Thanks Steve, I actually install and start playing around with the GPMC
>> > SP1
>> > yesterday. I posted an issue with the tool on another board, but in
>> > short
>> > I
>> > can run the tool by browsing to it in Admin tools, but if I attempt to
>> > add
>> > the tool as a snap-in to my custom mmc console, a Microsoft error is
>> > generated, and the console crashes. I get the same results when I
>> > attempt
>> > to
>> > add the Exchange 2003 snap-in for System Manager, the console crashes
>> > and
>> > I
>> > can't add it. However, once again if I browse to it and run it, works
>> > fine.
>> > Ever heard of that behaviour?
>> >
>> > Thanks again.
>> >
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> If you have a Group Policy where no computer configuration is defined
>> >> it
>> >> makes sense to disable the computer part of the Group Policy. Just
>> >> keep
>> >> in
>> >> mind that it is disabled because we tend to forget such as time goes
>> >> on
>> >> and
>> >> someday if you do define a computer configuration setting it obviously
>> >> will
>> >> not work until you enable the computer configuration portion of the
>> >> Group
>> >> Policy. If you are using Group Policy Management console [via an XP
>> >> Pro
>> >> domain computer for W2K domain] it will be easier to see such. ---
>> >> Steve
>> >>
>> >> http://www.microsoft.com/windowsserver2003/gpmc/default...
>> >>
>> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
>> >> > Actually that was not the only thing I was trying to accomplish.
>> >> > There
>> >> > are
>> >> > specific user configurations that I will be performing as well. But
>> >> > my
>> >> > whole
>> >> > issue was that When I removed Authenticated Users from the default
>> >> > setting
>> >> > for the Apply of the GPO, the computer configuration was not
>> >> > applied,
>> >> > when
>> >> > I
>> >> > used this GPO at the domain level, since Domain Computers are a
>> >> > member
>> >> > of
>> >> > Authenticated Users, other GPO's that I made computer config changes
>> >> > to,
>> >> > worked just fine. Once I modified a group to include the specific
>> >> > computers
>> >> > that would get this particular config, and applied it to the GPO
>> >> > (filter)
>> >> > everything worked like a charm.
>> >> >
>> >> > I do have another question, raised by your comment below. I notice
>> >> > there
>> >> > are options for the GPO to Disable User or Computer Configuration
>> >> > Settings.
>> >> > When I have a policy (not this one), that has Authenticated Users as
>> >> > the
>> >> > default, and I have left this setting as is, but made no comptuer
>> >> > changes -
>> >> > is it safe to assume that the computer configuration is skipped - or
>> >> > in
>> >> > a
>> >> > domain of less than 50 users, do I care? Is performance really a
>> >> > concern?
>> >> >
>> >> > "Paul Adare" wrote:
>> >> >
>> >> >> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
>> >> >> microsoft.public.win2000.security news group, Steven L Umbach
>> >> >> <n9rou@n0-
>> >> >> spam-for-me-comcast.net> says...
>> >> >>
>> >> >> > That should work fine with the GPO at the domain level. ---
>> >> >> > Steve
>> >> >> >
>> >> >> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> >> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
>> >> >> > > So for this example, create 2 Global Groups, perhaps one called
>> >> >> > > Mail_Users
>> >> >> > > and the other Mail_Workstations. Then assign the users and
>> >> >> > > computers
>> >> >> > > to
>> >> >> > > each
>> >> >> > > respective group, and use those two groups in the GPO Security
>> >> >> > > settings to
>> >> >> > > Apply and then what - Assign the GPO to the Domain?. Am I
>> >> >> > > following
>> >> >> > > you
>> >> >> > > correctly?
>> >> >> >
>> >> >>
>> >> >> If all the OP is trying to do here is to push the required root
>> >> >> certificate out however, there is no need for the Mail_Users group
>> >> >> at
>> >> >> all. Since the Public Key policy settings are in the Computer
>> >> >> Configuration section of the GPO, that section will _never_ be
>> >> >> processed
>> >> >> by user. Giving them permissions on a GPO that they will never
>> >> >> process
>> >> >> doesn't accomplish anything. In fact, as a best practice, if a GPO
>> >> >> contains _only_ user or _only_ computer settings processing of the
>> >> >> empty
>> >> >> section of the GPO should be disabled for performance reasons. No
>> >> >> point
>> >> >> processing a GPO that doesn't contain settings that will be
>> >> >> applied.
>> >> >>
>> >> >> --
>> >> >> Paul Adare
>> >> >> "On two occasions, I have been asked [by members of Parliament],
>> >> >> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
>> >> >> will the right answers come out?' I am not able to rightly
>> >> >> apprehend
>> >> >> the kind of confusion of ideas that could provoke such a question."
>> >> >> -- Charles Babbage (1791-1871)
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
Anonymous
February 22, 2005 9:59:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

DNS looks to be fine. And if these machines reboot, they take the policies
and I can see this in the Group Policy Results Wizard in GPMC. When I
compare 2 XP machines (since I can't use the GPMC RSoP with Windows 2000, or
so it tells me), I notice that on this Mail Policy, I have the filter to
apply to specific computers that are part of a group. THe one major thing I
am noticing, is that even though all of the computers are assigned to the
Filter group, not all reflect that their Membership has updated. Does a
computer's group membership only update after a reboot?

One thing I noticed in the DNS article is that the DNS on the network
machine could be missing, or wrong...which I think I would have had more
issues then, but I am going to double check this as well.

GPResult for 2000 machines woudl need to be run at the machine in question,
correct? Thanks again.

J

"Steven L Umbach" wrote:

> OK. Well for that I would start with gpresult and GPMC to make sure that the
> computers are showing as existing in the right OU. Gpresult will also show
> what computer configuration GPO's are being applied to a computer and the
> last time they were applied. RSOP in logging and planning mode can help you
> track down what is going on. RSOP allows you to run scenarios based on the
> OU that the computer is in, group membership, and slow link detection. If
> RSOP planning mode differs from what you are experiencing then their may be
> a network connectivity, dns name resolution, or domain computer account
> problem and the support tool netdiag can be run on any domain computer
> including domain controllers to check for such. See the link below to first
> make sure your dns is 100 percent correct for the domain as improper dns
> configuration is the root of most Active Directory problems. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-... --- AD
> dns FAQ
> http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
> and ho to install support tools.
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-... ---
> troubleshooting Group Policy
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:CDC3CC09-D644-433F-957E-B435920DF4C5@microsoft.com...
> > Thanks Steve, I posted the behavior in the Exchange.Misc board, I think
> > right
> > next to "fat chance of anyone having the same issue"...thanks a ton for
> > all
> > of your help on this one here. I posted a Group Policy post related to
> > the
> > fact that not all of my machines in the Group are taking the policy, about
> > half of them, and several of them only after I reboot...the whole 90-120
> > minute thing for computers poling and getting a new machine policy is not
> > working...if you had any thoughts on that the post is over there in
> > Win2000.Group Policy...
> >
> > Thanks
> > J
> >
> > "Steven L Umbach" wrote:
> >
> >> Hmm. I can't help with that as I have never experienced it. I don't use
> >> it
> >> as a mmc snapin, I just run it from Administrative Tools. --- Steve
> >>
> >>
> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> news:C18EA64A-F4B7-4776-9EB2-F7A27A0267AA@microsoft.com...
> >> > Thanks Steve, I actually install and start playing around with the GPMC
> >> > SP1
> >> > yesterday. I posted an issue with the tool on another board, but in
> >> > short
> >> > I
> >> > can run the tool by browsing to it in Admin tools, but if I attempt to
> >> > add
> >> > the tool as a snap-in to my custom mmc console, a Microsoft error is
> >> > generated, and the console crashes. I get the same results when I
> >> > attempt
> >> > to
> >> > add the Exchange 2003 snap-in for System Manager, the console crashes
> >> > and
> >> > I
> >> > can't add it. However, once again if I browse to it and run it, works
> >> > fine.
> >> > Ever heard of that behaviour?
> >> >
> >> > Thanks again.
> >> >
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> If you have a Group Policy where no computer configuration is defined
> >> >> it
> >> >> makes sense to disable the computer part of the Group Policy. Just
> >> >> keep
> >> >> in
> >> >> mind that it is disabled because we tend to forget such as time goes
> >> >> on
> >> >> and
> >> >> someday if you do define a computer configuration setting it obviously
> >> >> will
> >> >> not work until you enable the computer configuration portion of the
> >> >> Group
> >> >> Policy. If you are using Group Policy Management console [via an XP
> >> >> Pro
> >> >> domain computer for W2K domain] it will be easier to see such. ---
> >> >> Steve
> >> >>
> >> >> http://www.microsoft.com/windowsserver2003/gpmc/default...
> >> >>
> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
> >> >> > Actually that was not the only thing I was trying to accomplish.
> >> >> > There
> >> >> > are
> >> >> > specific user configurations that I will be performing as well. But
> >> >> > my
> >> >> > whole
> >> >> > issue was that When I removed Authenticated Users from the default
> >> >> > setting
> >> >> > for the Apply of the GPO, the computer configuration was not
> >> >> > applied,
> >> >> > when
> >> >> > I
> >> >> > used this GPO at the domain level, since Domain Computers are a
> >> >> > member
> >> >> > of
> >> >> > Authenticated Users, other GPO's that I made computer config changes
> >> >> > to,
> >> >> > worked just fine. Once I modified a group to include the specific
> >> >> > computers
> >> >> > that would get this particular config, and applied it to the GPO
> >> >> > (filter)
> >> >> > everything worked like a charm.
> >> >> >
> >> >> > I do have another question, raised by your comment below. I notice
> >> >> > there
> >> >> > are options for the GPO to Disable User or Computer Configuration
> >> >> > Settings.
> >> >> > When I have a policy (not this one), that has Authenticated Users as
> >> >> > the
> >> >> > default, and I have left this setting as is, but made no comptuer
> >> >> > changes -
> >> >> > is it safe to assume that the computer configuration is skipped - or
> >> >> > in
> >> >> > a
> >> >> > domain of less than 50 users, do I care? Is performance really a
> >> >> > concern?
> >> >> >
> >> >> > "Paul Adare" wrote:
> >> >> >
> >> >> >> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
> >> >> >> microsoft.public.win2000.security news group, Steven L Umbach
> >> >> >> <n9rou@n0-
> >> >> >> spam-for-me-comcast.net> says...
> >> >> >>
> >> >> >> > That should work fine with the GPO at the domain level. ---
> >> >> >> > Steve
> >> >> >> >
> >> >> >> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> >> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
> >> >> >> > > So for this example, create 2 Global Groups, perhaps one called
> >> >> >> > > Mail_Users
> >> >> >> > > and the other Mail_Workstations. Then assign the users and
> >> >> >> > > computers
> >> >> >> > > to
> >> >> >> > > each
> >> >> >> > > respective group, and use those two groups in the GPO Security
> >> >> >> > > settings to
> >> >> >> > > Apply and then what - Assign the GPO to the Domain?. Am I
> >> >> >> > > following
> >> >> >> > > you
> >> >> >> > > correctly?
> >> >> >> >
> >> >> >>
> >> >> >> If all the OP is trying to do here is to push the required root
> >> >> >> certificate out however, there is no need for the Mail_Users group
> >> >> >> at
> >> >> >> all. Since the Public Key policy settings are in the Computer
> >> >> >> Configuration section of the GPO, that section will _never_ be
> >> >> >> processed
> >> >> >> by user. Giving them permissions on a GPO that they will never
> >> >> >> process
> >> >> >> doesn't accomplish anything. In fact, as a best practice, if a GPO
> >> >> >> contains _only_ user or _only_ computer settings processing of the
> >> >> >> empty
> >> >> >> section of the GPO should be disabled for performance reasons. No
> >> >> >> point
> >> >> >> processing a GPO that doesn't contain settings that will be
> >> >> >> applied.
> >> >> >>
> >> >> >> --
> >> >> >> Paul Adare
> >> >> >> "On two occasions, I have been asked [by members of Parliament],
> >> >> >> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> >> >> >> will the right answers come out?' I am not able to rightly
> >> >> >> apprehend
> >> >> >> the kind of confusion of ideas that could provoke such a question."
> >> >> >> -- Charles Babbage (1791-1871)
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
Anonymous
February 22, 2005 1:46:47 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <1FD5F2FE-EDFB-464B-AF56-F06D19A257D7@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<smurfman@discussions.microsoft.com> says...

> Does a
> computer's group membership only update after a reboot?
>
>

Not exactly, but close enough. The new group membership won't show up on
the access token granted to the computer until a reboot, just like with
a user account which needs a log off and log on.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 22, 2005 1:46:48 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Let me ask you, is there a way to force this to take place, without a reboot,
say from a script or command line, making it transparrent to the users. I
know that I could run a Shutdown command in a script to force the machines to
reboot, but is there an easier way.

Thanks for the reply, this does help explain why some have taken the policy
and why some have not. I am posting a similar thread in the group policy
board, but basically the GP Results show that a domain level policy for
authenticated users, is denied for several of my users. It shows that the
Group is denied because of an Access Filter, yet, the Authenticated Users is
set to Read and Apply for the user logon script. Would this mean that the
user was not Authenticated at the time of logon, and is using a cached logon?
Any ideas...? I will post this on the other board and give more detail.

THanks
J

"Paul Adare" wrote:

> In article <1FD5F2FE-EDFB-464B-AF56-F06D19A257D7@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> <smurfman@discussions.microsoft.com> says...
>
> > Does a
> > computer's group membership only update after a reboot?
> >
> >
>
> Not exactly, but close enough. The new group membership won't show up on
> the access token granted to the computer until a reboot, just like with
> a user account which needs a log off and log on.
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
>
Anonymous
February 22, 2005 5:43:54 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <BBD1D133-7D3D-4122-B550-36408BB79856@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<smurfman@discussions.microsoft.com> says...

> Let me ask you, is there a way to force this to take place, without a reboot,
> say from a script or command line, making it transparrent to the users
>

No.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
February 22, 2005 10:36:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

DNS on the local network has to be correct or all kinds of unpredictable
results will happen. The biggest problem is the inclusion of ISP dns servers
in the list of preferred dns servers. You should be able to include Windows
2000 computers in RSOP planning mode which will show if the policy will work
the way you want it to assuming all else is correct in the domain such as
name resolution, computer account integrity, and network connectivity.
Gpresult will work great on W2K and you can also use the /v switch for more
details, though you will not get the level of detail as from RSOP logging.
Gpresult will show the current group membership of a computer. You will need
to reboot to have the access token updated. --- Steve


"Smurfman" <smurfman@discussions.microsoft.com> wrote in message
news:1FD5F2FE-EDFB-464B-AF56-F06D19A257D7@microsoft.com...
> DNS looks to be fine. And if these machines reboot, they take the
> policies
> and I can see this in the Group Policy Results Wizard in GPMC. When I
> compare 2 XP machines (since I can't use the GPMC RSoP with Windows 2000,
> or
> so it tells me), I notice that on this Mail Policy, I have the filter to
> apply to specific computers that are part of a group. THe one major thing
> I
> am noticing, is that even though all of the computers are assigned to the
> Filter group, not all reflect that their Membership has updated. Does a
> computer's group membership only update after a reboot?
>
> One thing I noticed in the DNS article is that the DNS on the network
> machine could be missing, or wrong...which I think I would have had more
> issues then, but I am going to double check this as well.
>
> GPResult for 2000 machines woudl need to be run at the machine in
> question,
> correct? Thanks again.
>
> J
>
> "Steven L Umbach" wrote:
>
>> OK. Well for that I would start with gpresult and GPMC to make sure that
>> the
>> computers are showing as existing in the right OU. Gpresult will also
>> show
>> what computer configuration GPO's are being applied to a computer and the
>> last time they were applied. RSOP in logging and planning mode can help
>> you
>> track down what is going on. RSOP allows you to run scenarios based on
>> the
>> OU that the computer is in, group membership, and slow link detection. If
>> RSOP planning mode differs from what you are experiencing then their may
>> be
>> a network connectivity, dns name resolution, or domain computer account
>> problem and the support tool netdiag can be run on any domain computer
>> including domain controllers to check for such. See the link below to
>> first
>> make sure your dns is 100 percent correct for the domain as improper dns
>> configuration is the root of most Active Directory problems. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-... ---
>> AD
>> dns FAQ
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
>> netdiag
>> and ho to install support tools.
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-... ---
>> troubleshooting Group Policy
>>
>> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> news:CDC3CC09-D644-433F-957E-B435920DF4C5@microsoft.com...
>> > Thanks Steve, I posted the behavior in the Exchange.Misc board, I think
>> > right
>> > next to "fat chance of anyone having the same issue"...thanks a ton for
>> > all
>> > of your help on this one here. I posted a Group Policy post related to
>> > the
>> > fact that not all of my machines in the Group are taking the policy,
>> > about
>> > half of them, and several of them only after I reboot...the whole
>> > 90-120
>> > minute thing for computers poling and getting a new machine policy is
>> > not
>> > working...if you had any thoughts on that the post is over there in
>> > Win2000.Group Policy...
>> >
>> > Thanks
>> > J
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Hmm. I can't help with that as I have never experienced it. I don't
>> >> use
>> >> it
>> >> as a mmc snapin, I just run it from Administrative Tools. --- Steve
>> >>
>> >>
>> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> news:C18EA64A-F4B7-4776-9EB2-F7A27A0267AA@microsoft.com...
>> >> > Thanks Steve, I actually install and start playing around with the
>> >> > GPMC
>> >> > SP1
>> >> > yesterday. I posted an issue with the tool on another board, but in
>> >> > short
>> >> > I
>> >> > can run the tool by browsing to it in Admin tools, but if I attempt
>> >> > to
>> >> > add
>> >> > the tool as a snap-in to my custom mmc console, a Microsoft error is
>> >> > generated, and the console crashes. I get the same results when I
>> >> > attempt
>> >> > to
>> >> > add the Exchange 2003 snap-in for System Manager, the console
>> >> > crashes
>> >> > and
>> >> > I
>> >> > can't add it. However, once again if I browse to it and run it,
>> >> > works
>> >> > fine.
>> >> > Ever heard of that behaviour?
>> >> >
>> >> > Thanks again.
>> >> >
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> If you have a Group Policy where no computer configuration is
>> >> >> defined
>> >> >> it
>> >> >> makes sense to disable the computer part of the Group Policy. Just
>> >> >> keep
>> >> >> in
>> >> >> mind that it is disabled because we tend to forget such as time
>> >> >> goes
>> >> >> on
>> >> >> and
>> >> >> someday if you do define a computer configuration setting it
>> >> >> obviously
>> >> >> will
>> >> >> not work until you enable the computer configuration portion of the
>> >> >> Group
>> >> >> Policy. If you are using Group Policy Management console [via an XP
>> >> >> Pro
>> >> >> domain computer for W2K domain] it will be easier to see such. ---
>> >> >> Steve
>> >> >>
>> >> >> http://www.microsoft.com/windowsserver2003/gpmc/default...
>> >> >>
>> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
>> >> >> news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
>> >> >> > Actually that was not the only thing I was trying to accomplish.
>> >> >> > There
>> >> >> > are
>> >> >> > specific user configurations that I will be performing as well.
>> >> >> > But
>> >> >> > my
>> >> >> > whole
>> >> >> > issue was that When I removed Authenticated Users from the
>> >> >> > default
>> >> >> > setting
>> >> >> > for the Apply of the GPO, the computer configuration was not
>> >> >> > applied,
>> >> >> > when
>> >> >> > I
>> >> >> > used this GPO at the domain level, since Domain Computers are a
>> >> >> > member
>> >> >> > of
>> >> >> > Authenticated Users, other GPO's that I made computer config
>> >> >> > changes
>> >> >> > to,
>> >> >> > worked just fine. Once I modified a group to include the
>> >> >> > specific
>> >> >> > computers
>> >> >> > that would get this particular config, and applied it to the GPO
>> >> >> > (filter)
>> >> >> > everything worked like a charm.
>> >> >> >
>> >> >> > I do have another question, raised by your comment below. I
>> >> >> > notice
>> >> >> > there
>> >> >> > are options for the GPO to Disable User or Computer Configuration
>> >> >> > Settings.
>> >> >> > When I have a policy (not this one), that has Authenticated Users
>> >> >> > as
>> >> >> > the
>> >> >> > default, and I have left this setting as is, but made no comptuer
>> >> >> > changes -
>> >> >> > is it safe to assume that the computer configuration is skipped -
>> >> >> > or
>> >> >> > in
>> >> >> > a
>> >> >> > domain of less than 50 users, do I care? Is performance really a
>> >> >> > concern?
>> >> >> >
>> >> >> > "Paul Adare" wrote:
>> >> >> >
>> >> >> >> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
>> >> >> >> microsoft.public.win2000.security news group, Steven L Umbach
>> >> >> >> <n9rou@n0-
>> >> >> >> spam-for-me-comcast.net> says...
>> >> >> >>
>> >> >> >> > That should work fine with the GPO at the domain level. ---
>> >> >> >> > Steve
>> >> >> >> >
>> >> >> >> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in
>> >> >> >> > message
>> >> >> >> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
>> >> >> >> > > So for this example, create 2 Global Groups, perhaps one
>> >> >> >> > > called
>> >> >> >> > > Mail_Users
>> >> >> >> > > and the other Mail_Workstations. Then assign the users and
>> >> >> >> > > computers
>> >> >> >> > > to
>> >> >> >> > > each
>> >> >> >> > > respective group, and use those two groups in the GPO
>> >> >> >> > > Security
>> >> >> >> > > settings to
>> >> >> >> > > Apply and then what - Assign the GPO to the Domain?. Am I
>> >> >> >> > > following
>> >> >> >> > > you
>> >> >> >> > > correctly?
>> >> >> >> >
>> >> >> >>
>> >> >> >> If all the OP is trying to do here is to push the required root
>> >> >> >> certificate out however, there is no need for the Mail_Users
>> >> >> >> group
>> >> >> >> at
>> >> >> >> all. Since the Public Key policy settings are in the Computer
>> >> >> >> Configuration section of the GPO, that section will _never_ be
>> >> >> >> processed
>> >> >> >> by user. Giving them permissions on a GPO that they will never
>> >> >> >> process
>> >> >> >> doesn't accomplish anything. In fact, as a best practice, if a
>> >> >> >> GPO
>> >> >> >> contains _only_ user or _only_ computer settings processing of
>> >> >> >> the
>> >> >> >> empty
>> >> >> >> section of the GPO should be disabled for performance reasons.
>> >> >> >> No
>> >> >> >> point
>> >> >> >> processing a GPO that doesn't contain settings that will be
>> >> >> >> applied.
>> >> >> >>
>> >> >> >> --
>> >> >> >> Paul Adare
>> >> >> >> "On two occasions, I have been asked [by members of Parliament],
>> >> >> >> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
>> >> >> >> will the right answers come out?' I am not able to rightly
>> >> >> >> apprehend
>> >> >> >> the kind of confusion of ideas that could provoke such a
>> >> >> >> question."
>> >> >> >> -- Charles Babbage (1791-1871)
>> >> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
!