Group Policy vs File Protections

 
 
Lawrence D'Oliveiro
      07-01-2009
One reason why some larger companies stick with Internet Explorer,
regardless of the better security, standards compliance and other features
of alternative browsers, is because they can exert fine control over it
using Windows Group Policy settings
<http://blogs.zdnet.com/igeneration/?p=1969>.

Help me understand this. What exactly can you do via Group Policy that you
cannot do with appropriate setting of Unix protections and ownerships on
user preference files? For instance, all Firefox user state is in the user's
~/.mozilla/firefox directory. In particular, there is a prefs.js file
containing configuration settings: preload this and make it user-read-only
(and possibly even owned by root), and that stops the user changing any
settings. There is even a "chrome" subdirectory which contains CSS
definitions that let you tweak the user interface. You can hide user
interface elements, and again, prevent the user from overriding your
settings.

So what's the big deal about Group Policy?
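
The file-protection approach described in the post above, as an added example that is not part of the original thread: a POSIX shell check of whether a read-only, root-owned `prefs.js` is actually protected from the profile's user, given that renaming or deleting a file is governed by the permissions of the directory holding it. The function names are hypothetical, `stat -c` (GNU or BusyBox) is assumed, and supplementary groups and ACLs are ignored.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `stat -c` (GNU or BusyBox).

# has_bits OUID OGID MODE UID GID NEED
# True if the owner/group/other bits that apply to UID:GID on an object owned
# by OUID:OGID include NEED (2 = write, 3 = write + search).
# Supplementary groups and ACLs are ignored.
has_bits() (
    perm=$((0$3))
    if [ "$4" -eq "$1" ]; then bits=$(( (perm >> 6) & 7 ))
    elif [ "$5" -eq "$2" ]; then bits=$(( (perm >> 3) & 7 ))
    else bits=$(( perm & 7 ))
    fi
    [ $(( bits & $6 )) -eq "$6" ]
)

# lock_status FUID FGID FMODE DUID DGID DMODE UID GID
# Classifies a preference file (F*) in its directory (D*) for user UID:GID.
lock_status() (
    fuid=$1 fgid=$2 fmode=$3 duid=$4 dgid=$5 dmode=$6 uid=$7 gid=$8
    if [ "$uid" -eq "$fuid" ] || has_bits "$fuid" "$fgid" "$fmode" "$uid" "$gid" 2; then
        echo writable        # owner can chmod it back, or mode grants write
    elif [ "$uid" -eq "$duid" ]; then
        echo replaceable     # directory owner can rename the file away
    elif has_bits "$duid" "$dgid" "$dmode" "$uid" "$gid" 3 &&
         [ $(( 0$dmode & 01000 )) -eq 0 ]; then
        echo replaceable     # writable directory without the sticky bit
    else
        echo locked
    fi
)

# audit_prefs FILE UID GID: read the real ownership and modes, then classify.
audit_prefs() (
    dir=$(dirname "$1")
    # Word splitting of the stat output into three arguments is intended.
    lock_status $(stat -c '%u %g %a' "$1") $(stat -c '%u %g %a' "$dir") "$2" "$3"
)

# Constructed cases: prefs.js is root:root 0444, the user is 1000:1000.
lock_status 0 0 444 1000 1000 700 1000 1000   # profile directory owned by the user
lock_status 0 0 444 0 0 755 1000 1000         # profile directory owned by root
```

A `replaceable` result means the file's own owner and mode are not what decides the outcome; the directory's are.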

 
Stephen Worthington
      07-01-2009
On Wed, 01 Jul 2009 17:03:08 +1200, Lawrence D'Oliveiro
<(E-Mail Removed)_zealand> wrote:

>One reason why some larger companies stick with Internet Explorer,
>regardless of the better security, standards compliance and other features
>of alternative browsers, is because they can exert fine control over it
>using Windows Group Policy settings
><http://blogs.zdnet.com/igeneration/?p=1969>.
>
>Help me understand this. What exactly can you do via Group Policy that you
>cannot do with appropriate setting of Unix protections and ownerships on
>user preference files? For instance, all Firefox user state is in the user's
>~/.mozilla/firefox directory. In particular, there is a prefs.js file
>containing configuration settings: preload this and make it user-read-only
>(and possibly even owned by root), and that stops the user changing any
>settings. There is even a "chrome" subdirectory which contains CSS
>definitions that let you tweak the user interface. You can hide user
>interface elements, and again, prevent the user from overriding your
>settings.
>
>So what's the big deal about Group Policy?


Group policy can be applied to all machines in a domain in one go,
rather than having to set up PCs individually. Personally, I found it
to be a pernicious nuisance with one company I worked for, as I would
occasionally run across a web site I needed to get to that would not
work due to a group policy. So I avoided using IE and used SeaMonkey
instead.
 
Nik Coughlin
      07-01-2009
"Lawrence D'Oliveiro" <(E-Mail Removed)_zealand> wrote in message
news:h2eqmd$gpt$(E-Mail Removed)...
> One reason why some larger companies stick with Internet Explorer,
> regardless of the better security, standards compliance and other features
> of alternative browsers, is because they can exert fine control over it
> using Windows Group Policy settings
> <http://blogs.zdnet.com/igeneration/?p=1969>.
>
> Help me understand this. What exactly can you do via Group Policy that you
> cannot do with appropriate setting of Unix protections and ownerships on
> user preference files?


Use it with Windows

 
Alan
      07-01-2009
"Lawrence D'Oliveiro" <(E-Mail Removed)_zealand> wrote in
message news:h2eqmd$gpt$(E-Mail Removed)...
> One reason why some larger companies stick with Internet Explorer,
> regardless of the better security, standards compliance and other features
> of alternative browsers, is because they can exert fine control over it
> using Windows Group Policy settings
> <http://blogs.zdnet.com/igeneration/?p=1969>.
>
> Help me understand this. What exactly can you do via Group Policy that you
> cannot do with appropriate setting of Unix protections and ownerships on
> user preference files? For instance, all Firefox user state is in the user's
> ~/.mozilla/firefox directory. In particular, there is a prefs.js file
> containing configuration settings: preload this and make it user-read-only
> (and possibly even owned by root), and that stops the user changing any
> settings. There is even a "chrome" subdirectory which contains CSS
> definitions that let you tweak the user interface. You can hide user
> interface elements, and again, prevent the user from overriding your
> settings.
>
> So what's the big deal about Group Policy?


I've had to do it both ways and GP is much easier (and hence cheaper)
to manage within a Windows domain as the GP settings can be
implemented in one place by the admin, and the machines / users (as
appropriate) pick up their settings as per configuration.

You can have policies set also that apply or not depending on what
groups a machine and user are in, so that, for example, you might have
a policy across all machines, but a subset of users might have an
override so that if one person uses the machine, they can't do
something, but if a different person uses it, they can do the same
thing.

Also, very easy to maintain due to having the directory groups set up,
and applying GPs to groups as required. Changes can be made anytime
without having to directly access the machines too. I believe that
default settings are for machines to update their settings every two
hours with a plus or minus thirty minutes randomness (to avoid all
machines trying at the same time). Both can be changed I think.

You're probably correct that anything could be done other ways, but
for most businesses who already have a Windows Server setup, GP is far
less costly to use than file permissions and other settings.

Vive la difference!

Alan.

--

The views expressed are my own, not those of my employer or others.
My unmunged email is: (E-Mail Removed) (valid for 30 days
min probably much longer).

 
Lawrence D'Oliveiro
      07-01-2009
In message <(E-Mail Removed)>, Stephen Worthington
wrote:

> Group policy can be applied to all machines in a domain in one go,
> rather than having to set up PCs individually.


It's easy enough to manage file protections, user privileges, software
configurations/updates etc in bulk across lots of Unix/Linux machines. Even
the initial Linux install can be saved for mass use, e.g. KickStart,
AutoYaST.

 
Stephen Worthington
      07-01-2009
On Wed, 01 Jul 2009 23:20:03 +1200, Collector€NZ
<(E-Mail Removed)> wrote:

>Stephen Worthington wrote:
>> On Wed, 01 Jul 2009 17:03:08 +1200, Lawrence D'Oliveiro
>> <(E-Mail Removed)_zealand> wrote:
>>
>>> One reason why some larger companies stick with Internet Explorer,
>>> regardless of the better security, standards compliance and other features
>>> of alternative browsers, is because they can exert fine control over it
>>> using Windows Group Policy settings
>>> <http://blogs.zdnet.com/igeneration/?p=1969>.
>>>
>>> Help me understand this. What exactly can you do via Group Policy that you
>>> cannot do with appropriate setting of Unix protections and ownerships on
>>> user preference files? For instance, all Firefox user state is in the user's
>>> ~/.mozilla/firefox directory. In particular, there is a prefs.js file
>>> containing configuration settings: preload this and make it user-read-only
>>> (and possibly even owned by root), and that stops the user changing any
>>> settings. There is even a "chrome" subdirectory which contains CSS
>>> definitions that let you tweak the user interface. You can hide user
>>> interface elements, and again, prevent the user from overriding your
>>> settings.
>>>
>>> So what's the big deal about Group Policy?

>>
>> Group policy can be applied to all machines in a domain in one go,
>> rather than having to set up PCs individually. Personally, I found it
>> to be a pernicious nuisance with one company I worked for, as I would
>> occasionally run across a web site I needed to get to that would not
>> work due to a group policy. So I avoided using IE and used SeaMonkey
>> instead.

>I am not sure where you are coming from.
>In my wan/domain you cannot install seamonkey or any other browser, we
>limit users to MS browser because we protect them at edge level and by
>enterprise protection systems
>Domain group policy is god in a domain.


The company I was with did not lock down developers' machines that way
- developers always need to install tools to do their jobs. So I have
no idea why they locked down IE as they did - maybe it was unintended.
 
Alan
      07-01-2009
"Stephen Worthington" <(E-Mail Removed)34.nz56.remove_numbers> wrote
in message news:(E-Mail Removed)...
> On Wed, 01 Jul 2009 23:20:03 +1200, Collector?NZ
> <(E-Mail Removed)> wrote:
>
>>Stephen Worthington wrote:
>>> On Wed, 01 Jul 2009 17:03:08 +1200, Lawrence D'Oliveiro
>>> <(E-Mail Removed)_zealand> wrote:
>>>
>>>> One reason why some larger companies stick with Internet Explorer,
>>>> regardless of the better security, standards compliance and other features
>>>> of alternative browsers, is because they can exert fine control over it
>>>> using Windows Group Policy settings
>>>> <http://blogs.zdnet.com/igeneration/?p=1969>.
>>>>
>>>> Help me understand this. What exactly can you do via Group Policy that you
>>>> cannot do with appropriate setting of Unix protections and ownerships on
>>>> user preference files? For instance, all Firefox user state is in the user's
>>>> ~/.mozilla/firefox directory. In particular, there is a prefs.js file
>>>> containing configuration settings: preload this and make it user-read-only
>>>> (and possibly even owned by root), and that stops the user changing any
>>>> settings. There is even a "chrome" subdirectory which contains CSS
>>>> definitions that let you tweak the user interface. You can hide user
>>>> interface elements, and again, prevent the user from overriding your
>>>> settings.
>>>>
>>>> So what's the big deal about Group Policy?
>>>
>>> Group policy can be applied to all machines in a domain in one go,
>>> rather than having to set up PCs individually. Personally, I found it
>>> to be a pernicious nuisance with one company I worked for, as I would
>>> occasionally run across a web site I needed to get to that would not
>>> work due to a group policy. So I avoided using IE and used SeaMonkey
>>> instead.
>>
>>I am not sure where you are coming from.
>>In my wan/domain you cannot install seamonkey or any other browser, we
>>limit users to MS browser because we protect them at edge level and by
>>enterprise protection systems
>>Domain group policy is god in a domain.
>
> The company I was with did not lock down developers' machines that way
> - developers always need to install tools to do their jobs. So I have
> no idea why they locked down IE as they did - maybe it was unintended.


Sounds like poor administration / usage of the tools.

If they wanted developers to have more freedom, they should have put
them into a separate group, and granted you permissions to do whatever
you needed to do (whether in IE or any other app).

Normal, default setup should be for all users to be created using a
LUA template, with no rights to change system settings (beyond the
purely cosmetic) and definitely no rights to install or update
software.

Similarly, they should be set up with limited rights in IE and other
apps so that they cannot get infected no matter where they go or what
they do.

All of that is very easy to do via GP etc, and if there are any apps
that require some specific higher level of access (say, to a folder
on the local machine), then grant that access specifically - it really
isn't difficult.

Alan.

--

The views expressed are my own, not those of my employer or others.
My unmunged email is: (E-Mail Removed) (valid for 30 days
min probably much longer).

 
Alan
      07-01-2009
"Collector€NZ" <(E-Mail Removed)> wrote in message
news:4a4b4b92$(E-Mail Removed)...
> Nik Coughlin wrote:
>> "Lawrence D'Oliveiro" <(E-Mail Removed)_zealand> wrote in
>> message news:h2eqmd$gpt$(E-Mail Removed)...
>>> One reason why some larger companies stick with Internet Explorer,
>>> regardless of the better security, standards compliance and other features
>>> of alternative browsers, is because they can exert fine control over it
>>> using Windows Group Policy settings
>>> <http://blogs.zdnet.com/igeneration/?p=1969>.
>>>
>>> Help me understand this. What exactly can you do via Group Policy that you
>>> cannot do with appropriate setting of Unix protections and ownerships on
>>> user preference files?
>>
>> Use it with Windows
>
> Despite it being a lost cause MS rules in Business because it works,
> I would have Linux Server tomorrow if we were not an MS house, but
> I would at this stage not have linux desktops, we cannot manage it
> with the level of control we get with MS enterprise. ergo big PEBKAC


LOL!

Change user logon settings to only be able to logon between 0245 and
0246.

Bingo! No more PEBKAC!

Alan.

--

The views expressed are my own, not those of my employer or others.
My unmunged email is: (E-Mail Removed) (valid for 30 days
min probably much longer).

 
thingy
      07-01-2009
On Jul 1, 8:26 pm, Lawrence D'Oliveiro <l...@geek-central.gen.new_zealand> wrote:
> In message <(E-Mail Removed)>, Stephen Worthington
> wrote:
>
> > Group policy can be applied to all machines in a domain in one go,
> > rather than having to set up PCs individually.

>
> It's easy enough to manage file protections, user privileges, software
> configurations/updates etc in bulk across lots of Unix/Linux machines. Even
> the initial Linux install can be saved for mass use, e.g. KickStart,
> AutoYaST.


So GP is the Windows way to achieve this....and AD and GPs are certainly a
good and easy way to manage users.

regards

Thing
 
thingy
      07-01-2009
On Jul 1, 11:25 pm, Collector€NZ <(E-Mail Removed)> wrote:
> Nik Coughlin wrote:
> > "Lawrence D'Oliveiro" <(E-Mail Removed)_zealand> wrote in
> > message news:h2eqmd$gpt$(E-Mail Removed)...
> >> One reason why some larger companies stick with Internet Explorer,
> >> regardless of the better security, standards compliance and other
> >> features
> >> of alternative browsers, is because they can exert fine control over it
> >> using Windows Group Policy settings
> >> <http://blogs.zdnet.com/igeneration/?p=1969>.
> >>
> >> Help me understand this. What exactly can you do via Group Policy that
> >> you
> >> cannot do with appropriate setting of Unix protections and ownerships on
> >> user preference files?
> >
> > Use it with Windows
>
> Despite it being a lost cause MS rules in Business because it works, I
> would have Linux Server tomorrow if we were not an MS house, but I would
> at this stage not have linux desktops, we cannot manage it with the
> level of control we get with MS enterprise. ergo big PEBKAC


There are equivs of AD, but the cost is way out of proportion to
AD's...which is basically free, and has the granularity and ease of
use that is impressive....yes it is a bit questionable on performance and
connectability from non-MS, which is a huge pity...anyway try looking
at say Sun's, Novell's, or Oracle's IdM/LDAP and not have your eyes
water at the cost and effort needed.

regards

Thing



 