Basic GPO info

Chris Pettingill

I'm trying to understand ACLs and Group Policy. I've read a bunch of
documents (help files on my computer and stuff on MSDN and Microsoft.com),
but I still can't figure out how this all fits together. I think I
understand ACLs. Group Policies, Policies, and GPOs have me confused. I
assume they relate to ACLs in some way, but how? I understand that on my
local XP (not on a domain) I will not see (or be able to configure) any
Group Policies. On my XP Pro machine, I see the Computer Configuration and
User Configuration in the Group Policy editor. It seems to me that I should
be able to make different settings for different users or user groups, yet
the editor doesn't seem to allow this. I'm assuming that ACLs come into
this somehow, but I'm not sure. Maybe I can only edit Policies for the
logged-in user (even when I'm logged in as Administrator)? If I had an
Active Directory server, then maybe I could set up policies for individual
users and groups?

I think part of what is confusing me is what I see in the Local Security
Settings snap-in as opposed to the Group Policy snap-in. I'm thinking the
stuff I can edit with these 2 snap-ins is somehow related? It seems to me
that I can edit the ACL for some things in the Local Security Settings
snap-in, but not others.

I'd really appreciate any clarification or some good links that would
explain how this all fits together.

Thanks,
Chris
 
Cherry Qian

Hi Chris,

Every object has a unique security descriptor that includes an Access
Control List (ACL). An ACL is a list of entries that grant or deny specific
access rights to individuals or groups. The Windows 2000 Server
object-based security model lets administrators grant access rights to a
user or group: rights that govern who can access a specific object, a group
of properties, or an individual property of an object. The definition of
access rights on a per-property level provides the highest level of
granularity of permissions.

The security access control list (ACL) editor tab for a Group Policy object
is hosted in the Properties form of that Group Policy object. To access the
ACL editor, right-click the root node of Group Policy, click Properties,
and then click Security. You use the Security property page to set
permissions on a selected Group Policy object. These permissions allow or
deny access to the Group Policy object by specified groups.

Your organization's top network administrators (members of the Domain
Administrators group) can also use the ACL editor to determine which
administrator groups can modify policies in Group Policy objects. To do
this, the network administrator can define groups of administrators (for
example, Accounting Administrators), and then provide them Read/Write
access to selected Group Policy objects. In this way, the network
administrator can delegate control of the Group Policy object policies.

A user or administrator who does not have Write access (but does have Read
access) to a Group Policy object cannot use the Group Policy snap-in to see
the settings that it contains. Every extension to Group Policy assumes that
it has Write access to the Group Policy object storage locations. Therefore
Group Policy does not open a Group Policy object when the current user does
not have Write access to it.

Hope the above information and suggestions help and answer your question.
If anything is unclear, please let me know.

Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
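The ACL model described in the answer above, as an added example that is not part of the original thread or any Microsoft code: a small Python parser for the SDDL text form of a security descriptor, plus a simplified version of the Windows access check, run against a constructed GPO descriptor in which Domain Admins have full control, a delegated "Accounting Administrators" group (placeholder SID S-1-5-21-1-2-3-1107) has Read/Write, Authenticated Users have Read, and a "Contractors" group (placeholder SID S-1-5-21-1-2-3-1200) is explicitly denied Write. It shows why a deny entry wins regardless of a user's other group memberships, and why Read without Write is not enough to open a GPO in the snap-in. The SDDL aliases and rights bits are the real Windows ones; the GPO descriptor, the two group SIDs, and the omission of generic-right mapping, inheritance and owner rights are simplifications made for this example.

```python
"""Parse an SDDL security descriptor and run a simplified Windows access check.

Added example, not from the original thread or any Microsoft code. The GPO
descriptor below is constructed for illustration; the group SIDs ending in
-1107 and -1200 are placeholders, not real groups.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Subset of the SDDL rights tokens as ACCESS_MASK bits. GA is pre-expanded to
# GR|GW|GX plus the standard rights so that it satisfies a GR or GW request;
# Windows does this through the object's GENERIC_MAPPING before the check.
GR, GW, GX, STANDARD_ALL = 0x80000000, 0x40000000, 0x20000000, 0x001F0000
RIGHT_BITS = {"GR": GR, "GW": GW, "GX": GX, "GA": GR | GW | GX | STANDARD_ALL,
              "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000}

@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    mask: int       # rights this entry grants or denies
    sid: str        # trustee: SDDL alias (DA, AU, SY, ...) or an "S-1-..." string

@dataclass
class SecurityDescriptor:
    owner: Optional[str]
    group: Optional[str]
    dacl: Optional[List[Ace]]   # None = no DACL at all, which grants everyone access

def parse_rights(text: str) -> int:
    """'GRGW' -> GR|GW; the hex form '0x...' is passed through."""
    if text.startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_BITS[text[i:i + 2]]
    return mask

def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split 'O:..G:..D:..S:..' into sections and parse the DACL's ACEs in order."""
    marks = list(re.finditer(r"([OGDS]):", sddl))
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    dacl = None
    if "D" in sections:
        dacl = []
        for body in re.findall(r"\(([^)]*)\)", sections["D"]):
            ace_type, _flags, rights, _obj_guid, _inh_guid, sid = body.split(";")
            if ace_type in ("A", "D"):      # object ACEs (OA/OD) are skipped here
                dacl.append(Ace(ace_type, parse_rights(rights), sid))
    return SecurityDescriptor(sections.get("O"), sections.get("G"), dacl)

def is_canonical(dacl: List[Ace]) -> bool:
    """Explicit deny ACEs must come before allow ACEs, the order the ACL editor writes."""
    seen_allow = False
    for ace in dacl:
        if ace.ace_type == "A":
            seen_allow = True
        elif seen_allow:
            return False
    return True

def access_check(sd: SecurityDescriptor, principal: Set[str], desired: int) -> bool:
    """Walk the DACL in order the way the Windows access check does (simplified:
    no owner implicit rights, no inheritance flags, no generic mapping)."""
    if sd.dacl is None:
        return True
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in principal:
            continue
        if ace.ace_type == "D":
            if ace.mask & remaining:    # deny on a still-unsatisfied right ends the check
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

# Constructed GPO descriptor: Domain Admins and SYSTEM get full control, the
# delegated "Accounting Administrators" (placeholder SID ...-1107) get Read/Write,
# Authenticated Users get Read, and "Contractors" (...-1200) are denied Write.
ACCOUNTING_ADMINS = "S-1-5-21-1-2-3-1107"
CONTRACTORS = "S-1-5-21-1-2-3-1200"
GPO_SDDL = (f"O:DAG:DAD:(D;;GW;;;{CONTRACTORS})(A;;GA;;;DA)(A;;GA;;;SY)"
            f"(A;;GRGW;;;{ACCOUNTING_ADMINS})(A;;GR;;;AU)")

def can_read_gpo(principal: Set[str], sddl: str = GPO_SDDL) -> bool:
    return access_check(parse_sddl(sddl), principal, GR)

def can_edit_gpo(principal: Set[str], sddl: str = GPO_SDDL) -> bool:
    """The Group Policy snap-in needs Write as well as Read to open a GPO."""
    return access_check(parse_sddl(sddl), principal, GR | GW)

if __name__ == "__main__":
    for who, sids in [("domain admin", {"DA", "AU"}),
                      ("accounting admin", {ACCOUNTING_ADMINS, "AU"}),
                      ("contractor in Accounting Admins", {CONTRACTORS, ACCOUNTING_ADMINS, "AU"}),
                      ("ordinary user", {"AU"})]:
        print(f"{who}: read={can_read_gpo(sids)} edit={can_edit_gpo(sids)}")
```

Two edge cases worth knowing when reading real descriptors: an empty DACL (`D:` with no entries) grants nobody access, while a descriptor with no DACL section at all grants everyone access. Real GPO descriptors also express "Apply Group Policy" as object-specific (OA) entries carrying an extended-right GUID, which this parser deliberately skips; the ordering rule `is_canonical` checks is the one the Security tab enforces whenever it rewrites the ACL, and the parser keeps whatever order it is given so you can see what a misordered ACL would do.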
 
Chris Pettingill

That does help, but I'm still a bit confused. Again, part of my confusion
may be due to the fact that I'm looking at an XP Pro machine on a
peer-to-peer network (i.e. no Active Directory or Domain server).

I can see the "Local Security Settings" editor (secpol.msc). For policies
under "Security Settings\Local Policies\User Rights Assignment" and
"Security Settings\Local Policies\Security Options", I can right click and
choose "Properties" to select the users/groups that the policies apply to.
However, for any other policy, under any other branch, I cannot set the
users/groups. I can enable/disable or change any other setting related to
these policies, but there does not seem to be any tab/dialog/button that
will allow me to see or alter the users or groups the policies apply to.

When I look at the policies in the Group Policy editor (gpedit.msc), I see
all kinds of policies, and again I can enable/disable, or change any other
settings by right clicking and choosing "properties". However, none of the
property dialogs include any way for me to select or view associated
users/groups. Under "Local Computer Policy\User Configuration", I'd expect
to be able to set different settings for different users/groups, but there
doesn't seem to be a way to do this.

I'm logging in as "Administrator", and Administrator has not been changed
from the way Dell shipped me my computer. I should (I think) be able to
edit and view anything that there is to edit and view. I think I must be
missing something. I do understand that with Win2000 and Active Directory,
I would have much more flexibility, but it seems that even on my lowly XP
machine, I should be able to somehow set up specific policies for specific
users/groups on my own machine?

Thanks,
Chris
 
Cherry Qian

Hi Chris,

Thank you for the posting again.

You can use the Group Policy tool in Windows XP to implement software
restriction policies. To enable a software restriction policy, you can use
either of the following methods:

- Using Group Policy: gpedit.msc

- Using the Local Security Policy: secpol.msc

Group Policy allows Windows 2000 network administrators to define and
control the amount of access users have to data and applications and to
their organizations' networks. Group Policy is the central component of
the Change and Configuration Management features of the Microsoft Windows
2000 operating system. Group Policy specifies settings for groups of users
and of computers, including registry-based policy settings, security
settings, software installation, scripts (computer startup and shutdown,
and log on and log off), and folder redirection.

For more information on group policy planning and understanding, please
refer to this web site:

http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp

As to setting up specific policies for specific users/groups, you can use
Delegation to delegate on the OU.

For more information on how to do so, please refer to this knowledge base
article:
HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

Hope this helps and answers your question. If anything is unclear, please
let me know.

Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


 
Chris Pettingill

This does get me a bit further, but I'm not quite there yet. I have only an
XP on a peer-to-peer network with a Win98 machine, so much of the Win2000
Active Directory stuff is not available or applicable to me. I did run
mmc.exe, and added some snap-ins. I find that when I add the "Group Policy"
snap-in, it becomes the "Local Computer Policy" in my console. I do not
see any place to edit security for registry items etc.

I also added the "Security Analysis and Configuration" snap-in, and
imported a template into the database. I then analyzed my system. After
doing this, I see folders etc. where I can edit the registry security (per
user/user group) in the database. Now, my understanding is that if I did
edit some stuff and apply this database to my machine ("Configure Computer
Now..." in "Security Analysis and Configuration"), it would apply the
security. I don't want to actually do this, because I'm not sure what's in
the template I imported to the database and I don't want to mess up my
computer. However, if I did apply the database to my computer, would I then
see any Registry security settings (configured per user/group) under "Local
Computer Policy", and could I further edit these settings?

I'm guessing that I'm not seeing any registry security settings under
"Local Computer Policy" right now because no specific policies have been
set up, but if they had been, then I would see stuff under "Local Computer
Policy"? Have I got it right? This also implies that right now, my system
is using some default which is not displayed, and the only way to start
editing the default is to apply some policy(s) using "Security Analysis and
Configuration".

Thanks for your help,
Chris
 
Cherry Qian

Hi Chris,

Thank you for the posting again. I understand your concern about the Local
Computer Policy.

As for the registry settings related to Local Computer Policy, they are
located in HKEY_LOCAL_MACHINE in the registry. You can use regedit to
check.

As for the Local Computer Policy, please refer to this knowledge base
article for more information:

307882 HOW TO: Use the Group Policy Editor to Manage Local Computer Policy in
http://support.microsoft.com/?id=307882

As for the Security Analysis and Configuration as well as security
template, please refer to this knowledge base article:

313222 HOW TO: Reset Security Settings Back to the Defaults
http://support.microsoft.com/?id=313222

Hope the above information and suggestions help and answer your question.
If anything is unclear, please let me know.

Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


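Where the Local Computer Policy keeps the registry-based settings that the answer above points at, as an added example that is not from the original thread or from Microsoft: gpedit.msc writes them to %SystemRoot%\System32\GroupPolicy\Machine\registry.pol and %SystemRoot%\System32\GroupPolicy\User\registry.pol, and the policy engine applies those entries to HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER at the next policy refresh, which is why regedit shows the result under the Policies keys and not the policy itself. The Python below builds a registry.pol file from constructed sample entries (a real policy value, DisableRegistryTools; a deletion instruction; and a made-up wallpaper path) and parses it back, so you can see exactly what a policy file contains before it reaches the registry. The file layout is the documented registry.pol format; the sample entries and the helper names are mine.

```python
"""Build and parse a Group Policy registry.pol file (added example, not from the thread).

The entries below are constructed sample data; the file layout follows the
documented registry.pol format: 'PReg' + version 1, then [key;value;type;size;data]
records with the brackets, semicolons and strings all in UTF-16LE.
"""
import struct
from dataclasses import dataclass
from typing import Any, List

REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)          # signature + version 1
LBRACKET, RBRACKET, SEP = (c.encode("utf-16-le") for c in "[];")

@dataclass
class PolEntry:
    key: str
    value: str
    reg_type: int
    data: bytes

    @property
    def is_delete(self) -> bool:
        """'**del.<name>' tells the policy engine to remove <name> from the key."""
        return self.value.lower().startswith("**del.")

    def decoded(self) -> Any:
        """Turn REG_DWORD / REG_SZ payloads into Python values; others stay raw."""
        if self.reg_type == REG_DWORD and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        if self.reg_type == REG_SZ:
            return self.data.decode("utf-16-le").rstrip("\x00")
        return self.data

def sz(text: str) -> bytes:
    """Null-terminated UTF-16LE string, as used for keys, value names and REG_SZ data."""
    return text.encode("utf-16-le") + b"\x00\x00"

def dword(n: int) -> bytes:
    return struct.pack("<I", n)

def build_entry(key: str, value: str, reg_type: int, data: bytes) -> bytes:
    """One [key;value;type;size;data] record."""
    return (LBRACKET + sz(key) + SEP + sz(value) + SEP + dword(reg_type) + SEP
            + dword(len(data)) + SEP + data + RBRACKET)

def parse_pol(blob: bytes) -> List[PolEntry]:
    """Walk the records in file order; raises ValueError on a malformed file."""
    if blob[:8] != HEADER:
        raise ValueError("not a registry.pol file (bad signature/version)")
    pos, entries = 8, []

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError(f"truncated record at offset {pos}")
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    def expect(token: bytes) -> None:
        if take(len(token)) != token:
            raise ValueError(f"expected {token!r} before offset {pos}")

    def read_str() -> str:
        out = bytearray()
        while True:                      # 2-byte code units up to the UTF-16 NUL
            unit = take(2)
            if unit == b"\x00\x00":
                return out.decode("utf-16-le")
            out += unit

    while pos < len(blob):
        expect(LBRACKET)
        key = read_str()
        expect(SEP)
        value = read_str()
        expect(SEP)
        reg_type = struct.unpack("<I", take(4))[0]
        expect(SEP)
        size = struct.unpack("<I", take(4))[0]
        expect(SEP)
        data = take(size)
        expect(RBRACKET)
        entries.append(PolEntry(key, value, reg_type, data))
    return entries

# Constructed sample for a User\registry.pol: one real policy value (Prevent access
# to registry editing tools), one deletion instruction, and a made-up wallpaper path.
SYSTEM_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_POL = (HEADER
              + build_entry(SYSTEM_KEY, "DisableRegistryTools", REG_DWORD, dword(1))
              + build_entry(r"Software\Policies\Microsoft\Windows\System",
                            "**del.DisableCMD", REG_SZ, sz(" "))
              + build_entry(SYSTEM_KEY, "Wallpaper", REG_SZ, sz(r"C:\corp\wallpaper.bmp")))

def summarize(blob: bytes) -> dict:
    """Map 'key\\value' to its decoded data, or None where the value is to be deleted."""
    out = {}
    for e in parse_pol(blob):
        name = e.value[len("**del."):] if e.is_delete else e.value
        out[e.key + "\\" + name] = None if e.is_delete else e.decoded()
    return out

if __name__ == "__main__":
    for path, data in summarize(SAMPLE_POL).items():
        print(path, "=", "<delete>" if data is None else repr(data))
```

To compare a live machine against what the console shows, open the real registry.pol from the path above in a hex viewer or feed its bytes to `parse_pol`: every record you see there corresponds to one setting that gpedit.msc marks Enabled or Disabled, and a key that is not in the file is simply "Not configured", which is the default Chris describes as not being displayed anywhere.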
 
