
Basic Security Policy Settings Question

Status
Not open for further replies.

Wazz

Technical User
Aug 12, 2002
209
GB
Hi Everyone,

At work I have been installing equipment for users to work from home. During this installation process I am installing a router, VPN software on the user's laptop and making changes to the local security policy and stopping and disabling services on both Win2k and XP. This process takes around half an hour to 40 minutes to do.

I am not asking anyone at work as my colleagues are getting a 'paid for' MCSE and I am not, so I want to do this without their help. I have learnt loads to do with MMC and the plug-ins and analysing the database with local policy etc. by reading. I just can't find answers to these specifics.
(That's the background to my question sorted)

So... what I have been doing is creating a local security policy to reflect the home workers' installation. I have set all the local policies and account policies and need to do system services. However, if I leave a value as not defined, what happens? Does it use a policy from the DC? But then I would imagine the policy on the DC would overwrite what I set. The reason I ask is, do I need to set all the system services or just the ones I want different from the current local policy? When I configure the computer with the new policy, is it a total overwrite, or does it merge the policies and fill in the not defined values with the value from the old policy? With me so far? Also, I have not set anything in the 'Restricted Groups', 'Registry' or 'File System' sections. Is this acceptable?


Thanks in advance!
Wazz
 
Any settings that you set in a Local GPO will be overwritten by the refreshed Domain GPO. One reason for this is users are often Local Administrators of their machines, so have the ability to change Local GPOs.

However, if you have the settings configured in a local GPO, they are only overwritten by the domain AD GPO if they conflict. If a domain GPO setting is set as "not configured", then the LOCAL setting is used. See table below:
Code:
LGPO| ADGPO| Winning GPO
------------------------
1   |  NC  |   1
NC  |  2   |   2
1   |  2   |   2
NC  |  NC  |  No WGPO, windows default behaviour

Neil J Cotton
njc Information Systems
Systems Consultant
HND, BSc HONS, CCNA, BCS, IETF, DMTF
 
Neil has it perfectly there.

One point I would make is that GPOs are applied in the following order:

Local, Domain, Site, OU, with the last one overwriting changes made by earlier ones. So a GPO applied to an OU will overwrite the same setting set by a Site GPO.

Windows and NT Admin.
 
Sorry, forgetting my Manners.
Thanks for your replies. They were very helpful.

But, if I can just further this a little more. I have since been told that the group policy is not, in our network, applied when a user connects using the VPN software. I presume then, that when a user logs on to a PC and it makes a cached copy of their profile, the group policy is also cached? Also, is this a flaw in the company I work for, or is it common that group policy is not applied over a VPN connection?

Thanks in advance!
Wazz
 
VPN Policies can be disabled completely, but by default, SOME policies are applied over VPN; this is the core policies, but some policy settings are left out. If you want to enforce all the policy settings, even over VPN, you need to Enable Asynchronously process policies. Don't have a terminal next to me right now so I'm not overly sure where it is.

When a policy is downloaded, it writes to the registry. When the OS/program loads, all it is doing is pointing at the same registry key every time. The registry keys are persistent, as is any registry key. Shutting down does not delete them, so if you boot up offline, or on VPN, the program doesn't really care; it will still apply the settings that are in the registry keys. The only thing is, over VPN, some NEW policies won't be applied if they have been updated without being plugged into the main domain.

Don't thank us...Pay us....

Hope you found this VALUABLE
vvvvvvvvvvvvv

Neil J Cotton
njc Information Systems
Systems Consultant
HND, BSc HONS, CCNA, BCS, IETF, DMTF
 
ScottCr said:
One point I would make is that GPOs are applied in the following order:

Local, Domain, Site, OU, with the last one overwriting changes made by earlier ones. So a GPO applied to an OU will overwrite the same setting set by a Site GPO.
Just to clarify this for you Wazz, that doesn't mean that the COMPLETE OU policy will overwrite any other policies....only policy settings that have been configured on both, that conflict....i.e. (these policies don't exist, by the way; just an illustration)

DomainPol
SetDesktopColour = RED
SetEmailClient = Outlook Express
MyDocumentsPoint = \\server\users\Adam
ShowLastLogedOnInLoginScreen = NOT CONFIGURED

Site Policy
SetDesktopColour = BLUE
SetEmailClient = NOT CONFIGURED
MyDocumentsPoint = NOT CONFIGURED
ShowLastLogedOnInLoginScreen = FALSE

OU Policy
SetDesktopColour = NOT CONFIGURED
SetEmailClient = NOT CONFIGURED
MyDocumentsPoint = \\SalesDeptment\FileServer\Telesales\Adam
ShowLastLogedOnInLoginScreen = TRUE
Code:
APPLIED POLICY
SetDesktopColour = BLUE
SetEmailClient = Outlook Express
MyDocumentsPoint = \\SalesDeptment\FileServer\Telesales\Adam
ShowLastLogedOnInLoginScreen = TRUE

Does that make sense?
That will either make it clear, or give you a headache and make you more confused.

Hope you found this VALUABLE
vvvvvvvvvvvvv :)

Neil J Cotton
njc Information Systems
Systems Consultant
HND, BSc HONS, CCNA, BCS, IETF, DMTF
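The two tables in this thread (the Local-vs-Domain table in Neil's first reply and the Domain/Site/OU illustration above) describe the same rule: a GPO scope only overrides a setting it actually configures, and a setting left "Not Configured" everywhere falls back to the Windows default. The script below is an added example, not code from the thread or from any Windows tool, that applies that rule to a chain of GPO scopes and reports which scope won each setting. The policy names and values are the illustrative ones from the post; the chain order is passed in as an argument, so the Domain, Site, OU order listed in the post can be evaluated as written (Windows' documented processing order is Local, Site, Domain, OU, so swap the entries to see the effect of that order instead).

```python
"""Resolve Group Policy settings across scopes with Not Configured semantics.

Added example for the Tek-Tips thread; not from the thread itself.
The GPO names and values are the illustrative ones in the post.
"""
from typing import Dict, List, Optional, Tuple

# Sentinel for a setting a GPO leaves untouched ("Not Configured" / NC).
NC = "NOT CONFIGURED"

# A scope maps a setting name to its configured value (or NC).
Scope = Dict[str, str]
Chain = List[Tuple[str, Scope]]   # (scope name, scope), lowest precedence first


def resolve_setting(chain: Chain, setting: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (winning_value, winning_scope) for one setting.

    The chain is walked from lowest to highest precedence.  A scope that
    omits the setting or leaves it NC does not disturb an earlier value;
    the last scope that really configures it wins.  If nothing configures
    it, (None, None) is returned and the Windows default behaviour applies.
    """
    winner: Optional[str] = None
    source: Optional[str] = None
    for scope_name, gpo in chain:
        value = gpo.get(setting, NC)
        if value != NC:
            winner, source = value, scope_name
    return winner, source


def apply_chain(chain: Chain) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Resolve every setting mentioned by any scope in the chain."""
    names = set()
    for _, gpo in chain:
        names.update(gpo)
    return {name: resolve_setting(chain, name) for name in sorted(names)}


def local_settings_that_survive(local: Scope, domain: Scope) -> List[str]:
    """Which Local GPO settings still win once the Domain GPO is applied?

    This answers Wazz's question directly: only the settings the domain
    leaves NC keep their local value, so those are the only ones worth
    configuring locally if the domain already dictates the rest.
    """
    _, resolved = "Local", apply_chain([("Local", local), ("Domain", domain)])
    return [name for name, (_, src) in resolved.items() if src == "Local"]


# Constructed sample data, copied from the illustration in the post.
DOMAIN_POL: Scope = {
    "SetDesktopColour": "RED",
    "SetEmailClient": "Outlook Express",
    "MyDocumentsPoint": r"\\server\users\Adam",
    "ShowLastLogedOnInLoginScreen": NC,
}
SITE_POL: Scope = {
    "SetDesktopColour": "BLUE",
    "SetEmailClient": NC,
    "MyDocumentsPoint": NC,
    "ShowLastLogedOnInLoginScreen": "FALSE",
}
OU_POL: Scope = {
    "SetDesktopColour": NC,
    "SetEmailClient": NC,
    "MyDocumentsPoint": r"\\SalesDeptment\FileServer\Telesales\Adam",
    "ShowLastLogedOnInLoginScreen": "TRUE",
}

# Order as listed in the post (Domain, Site, OU).  Windows processes
# Local, Site, Domain, OU; reorder the tuples to evaluate that instead.
POST_CHAIN: Chain = [("Domain", DOMAIN_POL), ("Site", SITE_POL), ("OU", OU_POL)]


if __name__ == "__main__":
    for name, (value, src) in apply_chain(POST_CHAIN).items():
        shown = value if value is not None else "<Windows default>"
        print(f"{name:30} = {shown:45} (from {src or 'no GPO'})")
```

Running the block prints the same "APPLIED POLICY" block as the post (BLUE, Outlook Express, the Sales path, TRUE) together with the scope that supplied each value, which is the part the tables leave implicit. `local_settings_that_survive` turns the first table into a practical check: feed it the home-worker Local GPO and the Domain GPO and it lists exactly the settings whose local values will still be in force after the domain refresh.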
 