Applying Custom Security Templates with GPOs

cswarr

I am trying to apply a custom security template to a group
of servers. I have created the template and imported it
into a new GPO. The settings in the template don't seem
to be filtering down to the servers. I even turned on the
No Override (or Enforce in GPMC) to try to force the
policy with the template down. My environment is all
Win2k Servers. Any ideas?
 
Steven L Umbach

Verify that the import worked by checking the actual settings by using
"edit" or looking at the "settings" for the GPO using GPMC. Make sure the
servers reside in a container within the scope of influence of the GPO - for
example if this GPO was configured for an Organizational Unit, then the
servers need to reside in that OU or possibly a sub OU. Verify that the new
GPO is linked to the new container and that computer policy is enabled for
it. Other than that it can take some time. Running secedit /refreshpolicy
machine_policy /enforce on the domain controller where you created the GPO
and then doing the same on the servers or rebooting them can speed up
propagation. I would only use secedit or reboot one server until I was sure
that policy was propagating and it is not some other problem. Of course DNS
has to be configured correctly on all domain member computers in that they
point only to AD domain controllers as their preferred DNS servers.
-- Steve

http://support.microsoft.com/default.aspx?scid=kb;KO;227302
 
cswarr

The template (and, therefore, policy) is not being
applied. I ran Sec Config and Analysis and the computer
settings don't match the Database settings. I'm guessing
it's some GP application problem. I enforced the policy
yesterday, rebooted one of the machines that should have
the policy applied to it, and executed
secedit /refreshpolicy machine_policy, but no luck. The
OU that these machines are in is blocking inheritance, but
I applied the GPO with the template on the OU itself and
enforced it. I also made sure it has higher precedence
and that the computer objects have the proper security
privileges to apply the GPO (Read and Apply GP). Not sure
what else to do....
 
Steven Umbach

Try manually configuring a few settings on the GPO for the OU that the servers
reside in to see if they do propagate to the servers. That would narrow the
problem down to either the GPO is not working at all or the template is not
importing/working properly. Gpresult will help determine if the GPO machine
policy is being applied. --- Steve
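
An added example (not part of the thread and not the posters' code): one way to check per setting whether a template reached a server is to diff the template `.inf` against an export of that server's settings. It assumes the export was produced with `secedit /export /cfg`; both INF texts below are constructed samples and the function names are hypothetical.

```python
# Added example: report template settings that a server export does not match.
# Both INF texts are constructed samples; function names are hypothetical.
import configparser

TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

EXPORTED_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

SKIP = {"Unicode", "Version"}  # file metadata, not policy settings

def parse_inf(text):
    """Return {(section, key): value} for every policy setting in an INF."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str  # keep key case; registry paths are case-preserved
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() if s not in SKIP
            for k, v in cp.items(s)}

def drift(template_text, exported_text):
    """List (section, key, wanted, actual) where the export differs."""
    want, have = parse_inf(template_text), parse_inf(exported_text)
    return sorted((s, k, v, have.get((s, k), "<not set>"))
                  for (s, k), v in want.items() if have.get((s, k)) != v)

if __name__ == "__main__":
    for row in drift(TEMPLATE_INF, EXPORTED_INF):
        print("%s / %s: template=%s server=%s" % row)
```

Template and export files saved by the Windows tools are typically UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `drift`.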
 
