This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] GPO Restricted Groups gotchas ?
AD000001229 (Mark Lunsford), 09/23/2005 6:48 AM
I would like to use restricted groups
policies to specifiy local Administrative access to application servers.
I am sure this has already been tried. I would like to know how this worked
or did not work for those who have tried it  and where there any unexpected
gotchas that happened ?

Thank You ! And have a nice day !

**************************************************************
Mark Lunsford
KAISER PERMANENTE
mark.parris@xxxx.yyy

Mark Parris, 09/23/2005 7:38 AM

The biggest gotcha is that any existing group memberships for groups managed by the restricted group policy are overridden by the restricted group policy. This is my biggest gripe; I wish they would merge/append.

Mark



kamleshap (Kamlesh Parmar), 09/23/2005 9:43 AM

But then it defeats the purpose of restricted group, as you want to be sure that only known members are part of the restricted group. If the operation is merge, then it is not restricted by definition?
When you ask for merge or append, you are doing some group membership modification. You better use some scripts for that.

I would suggest you create a separate group of those app servers, and apply group policy with the restricted group populated as you want.
Make sure Group Policy is applied to that group of app servers only. It is a must that you remove the "Authenticated Users" group from the group policy security.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
AD00000900 (Roger Seielstad), 09/24/2005 7:13 AM
Actually, the ideal would be the option to append or override.

Sometimes you don't care if others are in a specific group, as long as a specific set of accounts/groups are in that group. Case in point is IT shops where the user is granted/required to have local admin. Ideally, you'd set that user, plus your IT support staff, as local admin. Without having the option to append, all you can do is override, which means that one user is then out.

--------
Roger Seielstad
E-mail Geek

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Kamlesh Parmar
Sent: Friday, September 23, 2005 2:42 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] GPO Restricted Groups gotchas ?

But then it defeats the purpose of restricted group, as you want to be sure that only known members are part of the restricted group. If the operation is merge, then it is not restricted by definition?
When you ask for merge or append, you are doing some group membership modification. You better use some scripts for that.

I would suggest you create a separate group of those app servers, and apply group policy with the restricted group populated as you want.
Make sure Group Policy is applied to that group of app servers only. It is a must that you remove the "Authenticated Users" group from the group policy security.

kamleshap (Kamlesh Parmar), 09/24/2005 9:56 AM
I agree it would be better to give that option of append along with override. I assume they didn't implement it because it is very easy to get the desired result through other means, like this batch file, which can run as a computer startup script for the intended machines. This works like an append operation.

:: Add support admin to administrators group
net localgroup administrators domain\supportadmin /add
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
AD00000900 (Roger Seielstad), 09/24/2005 10:52 AM
That's not the same net effect. Those settings are only applied at restart, as opposed to being applied every 90 minutes (or whatever your refresh interval is). It's quite possible to remove the perms granted by that script and run like that for months.
--------
Roger Seielstad
E-mail Geek

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
ZJORZ (Jorge de Almeida Pinto), 09/26/2005 6:26 AM
Worked like a charm!

You have the possibility to use the Member option and/or the memberof option.

Using the member option you ENFORCE (or replace) which objects (users/groups) are a member of a group. If you add an object as a member of the group and it is not on the restricted groups list, it will be removed again by the system.

Using the memberof option you just tell the system (merge with existing) to add the object to the group specified, and it will still be allowed to be a member of other groups that are not specified in the list.

Cheers,
Jorge
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
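The two settings Jorge describes, and the IT-shop case Roger raised earlier in the thread, modelled in an added Python example of my own (not code from the thread or from any of its authors); the group and account names are constructed samples. The drift check at the end is the sort of comparison that catches what Roger points out about an add-only startup script: nothing ever removes a member that is no longer wanted.

```python
"""Model of a Restricted Groups policy applied to one server's local groups.
Added example, not code from the thread. "Members of this group" replaces the
membership outright; "This group is a member of" only adds the configured
principal and leaves existing members alone. Names are constructed samples."""

# Constructed sample: local groups on an application server before the
# policy applies (backslashes are escaped in Python string literals).
BEFORE = {
    "Administrators": {"Administrator", "CORP\\jdoe", "CORP\\OldVendor"},
    "Remote Desktop Users": {"CORP\\jdoe"},
}
# The list configured under "Members of this group" for Administrators.
POLICY_MEMBERS = {"Administrator", "CORP\\IT-Support"}

def apply_members(groups, target, members):
    """'Members of this group': target's membership becomes exactly the
    policy list; every member not on the list is removed."""
    new = {g: set(m) for g, m in groups.items()}  # copy; never mutate input
    new[target] = set(members)
    return new

def apply_member_of(groups, principal, member_of):
    """'This group is a member of': add principal to each listed group;
    whoever was already in those groups stays (merge semantics)."""
    new = {g: set(m) for g, m in groups.items()}
    for g in member_of:
        new.setdefault(g, set()).add(principal)
    return new

def removed_from(before, after, group):
    """Members the policy took out of a group (the override gripe)."""
    return before.get(group, set()) - after.get(group, set())

def unexpected_members(groups, group, allowed):
    """Drift check: members not on the allowed list. Neither the merge
    setting nor an add-only startup script ever removes these by itself."""
    return groups.get(group, set()) - set(allowed)

def demo():
    """Run both settings against the sample and return what each yields."""
    enforced = apply_members(BEFORE, "Administrators", POLICY_MEMBERS)
    merged = apply_member_of(BEFORE, "CORP\\IT-Support", ["Administrators"])
    # The IT-shop case: jdoe is meant to keep local admin on this one box.
    allowed_here = POLICY_MEMBERS | {"CORP\\jdoe"}
    return {
        "enforced": enforced["Administrators"],
        "removed_by_enforce": removed_from(BEFORE, enforced, "Administrators"),
        "merged": merged["Administrators"],
        "drift_after_merge": unexpected_members(merged, "Administrators", allowed_here),
    }

if __name__ == "__main__":
    for name, members in demo().items():
        print(f"{name}: {sorted(members)}")
```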
listmail (joe), 09/26/2005 9:03 AM
Yeah we need a good search mechanism for this list, this
was discussed nearly to death last year or the year before when that
functionality change was introduced.


AD000001229 (Mark Lunsford), 09/28/2005 9:54 AM
That would help, I searched the archive
and found only a little info.
I knew this more than likely was previously
discussed.

Thank You ! And have a nice day !

**************************************************************
Mark Lunsford
KAISER PERMANENTE
Security Operations
Remedy Group: NOPS SECURITY EDOS SYS
Direct Manager: Bud Furrow
Email: Mark.H.Lunsford@xxxxxx
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
**************************************************************


Copyright 2012 ActiveDir.org