Group Policy Object Editor

Discussion in 'MCDST' started by Keith Chilton, Nov 27, 2006.

  1. If you have a PC not joined to the domain, should you use the Local Security
    Settings console to tighten down the PC instead of the Group Policy Object
    Editor? Is the Group Policy Object Editor still going to override the Local
    Security Settings even though the PC is not joined to the domain???

    I'm trying to clear that up. These are weak areas of mine.
     
    Keith Chilton, Nov 27, 2006
    #1
    1. Advertising

  2. I am assuming that we are talking about Windows XP Professional here
    since XP Home edition does not include Group Policy. So with that said,
    in a non-networked environment (or in a networked environment that does
    not have a domain controller), the local Group Policy object's settings
    are more important, because they are not overwritten by other Group
    Policy objects. Hope that answers your question.

    --
    Michael D. Alligood
    MCSA, MCDST, MCP, A+,
    Network+, i-Net+, CIW Assoc.,
    CIW Certified Instructor



    "Keith Chilton" <> wrote in
    message news::

    > If you have a PC not joined to the domain, should you use the Local Security
    > Settings console to tighten down the PC instead of the Group Policy Object
    > Editor? Is the Group Policy Object Editor still going to override the Local
    > Security Settings even though the PC is not joined to the domain???
    >
    > I'm trying to clear that up. These are weak areas of mine.
     
    Michael D. Alligood, Nov 27, 2006
    #2
    1. Advertising

  3. Thanks but as far as the Local Security Policy goes it is the lowest you can
    go priority-wise right? Then the Group Policy Object then the DC Group
    Policy...

    But if not joined to the domain, either the GPO or the LSP can be used on
    the individual PC.. they basically have the same privileges to set for the
    PC.. is that about right? I am going to mess around with it all when I get
    to work tommorow but I don't have Professional or a DC to mess with here at
    home haha

    "Michael D. Alligood" <> wrote in message
    news:...
    >I am assuming that we are talking about Windows XP Professional here since
    >XP Home edition does not include Group Policy. So with that said, in a
    >non-networked environment (or in a networked environment that does not have
    >a domain controller), the local Group Policy object's settings are more
    >important, because they are not overwritten by other Group Policy objects.
    >Hope that answers your question.
    >
    > --
    > Michael D. Alligood
    > MCSA, MCDST, MCP, A+,
    > Network+, i-Net+, CIW Assoc.,
    > CIW Certified Instructor
    >
    >
    >
    > "Keith Chilton" <> wrote in message
    > news::
    >
    >> If you have a PC not joined to the domain, should you use the Local
    >> Security
    >> Settings console to tighten down the PC instead of the Group Policy
    >> Object
    >> Editor? Is the Group Policy Object Editor still going to override the
    >> Local
    >> Security Settings even though the PC is not joined to the domain???
    >>
    >> I'm trying to clear that up. These are weak areas of mine.

    >
     
    Keith Chilton, Nov 27, 2006
    #3
  4. Keith Chilton wrote:
    > to work tommorow but I don't have Professional or a DC to mess with here at
    > home haha


    You might want to check out Virtual Server or VMWare. It helps with
    things like this.
     
    Jonathan Roberts, Nov 27, 2006
    #4
  5. So can anyone explain to me the following screenshot?
    http://www.geocities.com/kchilton27/MSC.JPG
    This is on my Domain Controller at work. How are they all interrelated? Can
    I use the Group Policy console to control all my Active Directory Users? I
    tried disabling the control panel on that Group Policy console and it didn't
    work. I restarted my PC and I could still access it. Then again maybe it was
    because I am an administrator. Maybe I can't be limited. I don't know. Any
    thoughts? Notice there are 5 different things on there.

    "Jonathan Roberts" <> wrote in message
    news:urq%...
    > Keith Chilton wrote:
    >> to work tommorow but I don't have Professional or a DC to mess with here
    >> at home haha

    >
    > You might want to check out Virtual Server or VMWare. It helps with
    > things like this.
     
    Keith Chilton, Nov 28, 2006
    #5
  6. Keith Chilton wrote:
    > So can anyone explain to me the following screenshot?
    > http://www.geocities.com/kchilton27/MSC.JPG
    > This is on my Domain Controller at work. How are they all interrelated? Can
    > I use the Group Policy console to control all my Active Directory Users? I
    > tried disabling the control panel on that Group Policy console and it didn't
    > work. I restarted my PC and I could still access it. Then again maybe it was
    > because I am an administrator. Maybe I can't be limited. I don't know. Any
    > thoughts? Notice there are 5 different things on there.
    >
    > "Jonathan Roberts" <> wrote in message
    > news:urq%...
    >> Keith Chilton wrote:
    >>> to work tommorow but I don't have Professional or a DC to mess with here
    >>> at home haha

    >> You might want to check out Virtual Server or VMWare. It helps with
    >> things like this.

    >
    >


    When you made the AD change, did you attach it to an OU or other
    container? Or did you add this setting to an existing in-use GPO?

    Jonathan
     
    Jonathan Roberts, Nov 28, 2006
    #6
  7. We use the Domain Security Policy rules to govern password requirements and
    such but I would like to use the Group Policy Console to be much more
    restrictive to the end user. I don't think there are any organizational
    units defined on it yet.

    "Jonathan Roberts" <> wrote in message
    news:...
    > Keith Chilton wrote:
    >> So can anyone explain to me the following screenshot?
    >> http://www.geocities.com/kchilton27/MSC.JPG
    >> This is on my Domain Controller at work. How are they all interrelated?
    >> Can I use the Group Policy console to control all my Active Directory
    >> Users? I tried disabling the control panel on that Group Policy console
    >> and it didn't work. I restarted my PC and I could still access it. Then
    >> again maybe it was because I am an administrator. Maybe I can't be
    >> limited. I don't know. Any thoughts? Notice there are 5 different things
    >> on there.
    >>
    >> "Jonathan Roberts" <> wrote in message
    >> news:urq%...
    >>> Keith Chilton wrote:
    >>>> to work tommorow but I don't have Professional or a DC to mess with
    >>>> here at home haha
    >>> You might want to check out Virtual Server or VMWare. It helps with
    >>> things like this.

    >>
    >>

    >
    > When you made the AD change, did you attach it to an OU or other
    > container? Or did you add this setting to an existing in-use GPO?
    >
    > Jonathan
     
    Keith Chilton, Nov 28, 2006
    #7
  8. Keith Chilton wrote:
    > We use the Domain Security Policy rules to govern password requirements and
    > such but I would like to use the Group Policy Console to be much more
    > restrictive to the end user. I don't think there are any organizational
    > units defined on it yet.


    It sounds to me like you didn't apply the GP to your domain/objects?
     
    Jonathan Roberts, Nov 28, 2006
    #8
  9. i'm really a novice to it all i need some guidance on it.... from square one
    .... we do have our domain users set so that the passwords have to have
    requirements and stuff like that..

    "Jonathan Roberts" <> wrote in message
    news:...
    > Keith Chilton wrote:
    >> We use the Domain Security Policy rules to govern password requirements
    >> and such but I would like to use the Group Policy Console to be much more
    >> restrictive to the end user. I don't think there are any organizational
    >> units defined on it yet.

    >
    > It sounds to me like you didn't apply the GP to your domain/objects?
     
    Keith Chilton, Nov 28, 2006
    #9
  10. Keith, I am trying to following this conversation but I am having issues
    doing so. So lets go back to the beginning of this thread and start
    there. Because a computer can have more than one GPO applied to it,
    security settings can conflict. From highest to lowest, the settings
    apply in the following order of precedence: OU, domain, site, and local
    computer. Am I total missing your question? If so, I apologize. If this
    explanation is not what you are looking for; let me know where we are in
    the conversation now and I will try to fill in the blanks for you.

    --
    Michael D. Alligood
    MCSA, MCDST, MCP, A+,
    Network+, i-Net+, CIW Assoc.,
    CIW Certified Instructor



    "Keith Chilton" <> wrote in
    message news::

    > i'm really a novice to it all i need some guidance on it.... from square one
    > ... we do have our domain users set so that the passwords have to have
    > requirements and stuff like that..
    >
    > "Jonathan Roberts" <> wrote in message
    > news:...
    > > Keith Chilton wrote:
    > >> We use the Domain Security Policy rules to govern password requirements
    > >> and such but I would like to use the Group Policy Console to be much more
    > >> restrictive to the end user. I don't think there are any organizational
    > >> units defined on it yet.

    > >
    > > It sounds to me like you didn't apply the GP to your domain/objects?
     
    Michael D. Alligood, Nov 28, 2006
    #10
  11. Keith Chilton wrote:
    > i'm really a novice to it all i need some guidance on it.... from square one
    > ... we do have our domain users set so that the passwords have to have
    > requirements and stuff like that..
    >
    > "Jonathan Roberts" <> wrote in message
    > news:...
    >> Keith Chilton wrote:
    >>> We use the Domain Security Policy rules to govern password requirements
    >>> and such but I would like to use the Group Policy Console to be much more
    >>> restrictive to the end user. I don't think there are any organizational
    >>> units defined on it yet.

    >> It sounds to me like you didn't apply the GP to your domain/objects?

    >
    >


    From the OU needing the GP applied, click on Group Policy. Then choose
    New or Edit.
     
    Jonathan Roberts, Nov 28, 2006
    #11
  12. Keith Chilton

    DD Guest

    First, this is a great question Jonathan. After reading your question, I
    realized I could really improve my understanding of all of this. I also agree
    with Michael that the posts were confusing me. I did some research and would
    like to post some links and then I have a question.

    On this link I found the following helpful info:

    http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx
    "Q. What's the difference between Local Security Policy, Domain Controller
    Security Policy, and Domain Security Policy?

    A. Local Security Policy affects only that computer. Domain Controller
    Security Policy affects only domain controllers in that domain. Domain
    Security Policy affects all computers in the domain. Domain Controller
    Security Policy settings take precedence over Domain Security Policy
    settings."

    I also found this link to be helpful

    http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c05621675.mspx

    "“Group Policy†refers to policy that relies on a hierarchical targeting
    mechanism based on Active Directory. Group Policy does not include the local
    Group Policy object (LGPO), which is specific to each computer rather than to
    objects in Active Directory. Because LGPOs cannot be managed through Active
    Directory, they must instead be managed on each computer."

    My question then is: Let's say I want to set a policy that passwords must be
    changed every 90 days and I have one domain and an active directory. If I
    want to set it for everyone on the entire domain, I would use domain security
    policy. If I only wanted it to apply to half of the groups on the domain, I
    would use group policy from Active Directory. And, if I had a stand alone
    computer that had 4 users and I only wanted it to apply to 2 users, then I
    would use Local security Policy. Is this correct?

    Thanks in advance.

    DD









    "Michael D. Alligood" wrote:

    > Keith, I am trying to following this conversation but I am having issues
    > doing so. So lets go back to the beginning of this thread and start
    > there. Because a computer can have more than one GPO applied to it,
    > security settings can conflict. From highest to lowest, the settings
    > apply in the following order of precedence: OU, domain, site, and local
    > computer. Am I total missing your question? If so, I apologize. If this
    > explanation is not what you are looking for; let me know where we are in
    > the conversation now and I will try to fill in the blanks for you.
    >
    > --
    > Michael D. Alligood
    > MCSA, MCDST, MCP, A+,
    > Network+, i-Net+, CIW Assoc.,
    > CIW Certified Instructor
    >
    >
    >
    > "Keith Chilton" <> wrote in
    > message news::
    >
    > > i'm really a novice to it all i need some guidance on it.... from square one
    > > ... we do have our domain users set so that the passwords have to have
    > > requirements and stuff like that..
    > >
    > > "Jonathan Roberts" <> wrote in message
    > > news:...
    > > > Keith Chilton wrote:
    > > >> We use the Domain Security Policy rules to govern password requirements
    > > >> and such but I would like to use the Group Policy Console to be much more
    > > >> restrictive to the end user. I don't think there are any organizational
    > > >> units defined on it yet.
    > > >
    > > > It sounds to me like you didn't apply the GP to your domain/objects?

    >
    >
     
    DD, Nov 28, 2006
    #12
  13. DD wrote:
    > First, this is a great question Jonathan. After reading your question, I
    > realized I could really improve my understanding of all of this. I also agree
    > with Michael that the posts were confusing me. I did some research and would
    > like to post some links and then I have a question.
    >
    > On this link I found the following helpful info:
    >
    > http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx
    > "Q. What's the difference between Local Security Policy, Domain Controller
    > Security Policy, and Domain Security Policy?
    >
    > A. Local Security Policy affects only that computer. Domain Controller
    > Security Policy affects only domain controllers in that domain. Domain
    > Security Policy affects all computers in the domain. Domain Controller
    > Security Policy settings take precedence over Domain Security Policy
    > settings."
    >
    > I also found this link to be helpful
    >
    > http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c05621675.mspx
    >
    > ""Group Policy" refers to policy that relies on a hierarchical targeting
    > mechanism based on Active Directory. Group Policy does not include the local
    > Group Policy object (LGPO), which is specific to each computer rather than to
    > objects in Active Directory. Because LGPOs cannot be managed through Active
    > Directory, they must instead be managed on each computer."
    >
    > My question then is: Let's say I want to set a policy that passwords must be
    > changed every 90 days and I have one domain and an active directory. If I
    > want to set it for everyone on the entire domain, I would use domain security
    > policy. If I only wanted it to apply to half of the groups on the domain, I
    > would use group policy from Active Directory. And, if I had a stand alone
    > computer that had 4 users and I only wanted it to apply to 2 users, then I
    > would use Local security Policy. Is this correct?
    >
    > Thanks in advance.
    >
    > DD


    DD:

    Thanks for the link. They are helpful to me as well! You seem to be
    correct from what I know. I should say though that I am not an expert
    with AD (proficient at best). Perhaps, Michael or Montreal could
    answer definitively?

    Jonathan
     
    Jonathan Roberts, Nov 28, 2006
    #13
  14. I found DD's links and elaboration helpful. Thanks DD!

    I think I need to focus on more things not related to the domain and active
    directory though because the test is on Monday! I don't think this stuff
    will be there honestly!!!

    "DD" <> wrote in message
    news:...
    > First, this is a great question Jonathan. After reading your question, I
    > realized I could really improve my understanding of all of this. I also
    > agree
    > with Michael that the posts were confusing me. I did some research and
    > would
    > like to post some links and then I have a question.
    >
    > On this link I found the following helpful info:
    >
    > http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx
    > "Q. What's the difference between Local Security Policy, Domain Controller
    > Security Policy, and Domain Security Policy?
    >
    > A. Local Security Policy affects only that computer. Domain Controller
    > Security Policy affects only domain controllers in that domain. Domain
    > Security Policy affects all computers in the domain. Domain Controller
    > Security Policy settings take precedence over Domain Security Policy
    > settings."
    >
    > I also found this link to be helpful
    >
    > http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c05621675.mspx
    >
    > ""Group Policy" refers to policy that relies on a hierarchical targeting
    > mechanism based on Active Directory. Group Policy does not include the
    > local
    > Group Policy object (LGPO), which is specific to each computer rather than
    > to
    > objects in Active Directory. Because LGPOs cannot be managed through
    > Active
    > Directory, they must instead be managed on each computer."
    >
    > My question then is: Let's say I want to set a policy that passwords must
    > be
    > changed every 90 days and I have one domain and an active directory. If I
    > want to set it for everyone on the entire domain, I would use domain
    > security
    > policy. If I only wanted it to apply to half of the groups on the domain,
    > I
    > would use group policy from Active Directory. And, if I had a stand alone
    > computer that had 4 users and I only wanted it to apply to 2 users, then I
    > would use Local security Policy. Is this correct?
    >
    > Thanks in advance.
    >
    > DD
    >
    >
    >
    >
    >
    >
    >
    >
    >
    > "Michael D. Alligood" wrote:
    >
    >> Keith, I am trying to following this conversation but I am having issues
    >> doing so. So lets go back to the beginning of this thread and start
    >> there. Because a computer can have more than one GPO applied to it,
    >> security settings can conflict. From highest to lowest, the settings
    >> apply in the following order of precedence: OU, domain, site, and local
    >> computer. Am I total missing your question? If so, I apologize. If this
    >> explanation is not what you are looking for; let me know where we are in
    >> the conversation now and I will try to fill in the blanks for you.
    >>
    >> --
    >> Michael D. Alligood
    >> MCSA, MCDST, MCP, A+,
    >> Network+, i-Net+, CIW Assoc.,
    >> CIW Certified Instructor
    >>
    >>
    >>
    >> "Keith Chilton" <> wrote in
    >> message news::
    >>
    >> > i'm really a novice to it all i need some guidance on it.... from
    >> > square one
    >> > ... we do have our domain users set so that the passwords have to have
    >> > requirements and stuff like that..
    >> >
    >> > "Jonathan Roberts" <> wrote in message
    >> > news:...
    >> > > Keith Chilton wrote:
    >> > >> We use the Domain Security Policy rules to govern password
    >> > >> requirements
    >> > >> and such but I would like to use the Group Policy Console to be much
    >> > >> more
    >> > >> restrictive to the end user. I don't think there are any
    >> > >> organizational
    >> > >> units defined on it yet.
    >> > >
    >> > > It sounds to me like you didn't apply the GP to your domain/objects?

    >>
    >>
     
    Keith Chilton, Nov 28, 2006
    #14
  15. I brought it up. Eventually I want to become a lot more knowledgeable about
    the whole process. Thought I'd see if I could find some good contacts in
    here and some resource links to go off of when I'm done with this exam

    Thanks!

    "Jonathan Roberts" <> wrote in message
    news:%...
    > Keith Chilton wrote:
    >> I found DD's links and elaboration helpful. Thanks DD!
    >>
    >> I think I need to focus on more things not related to the domain and
    >> active directory though because the test is on Monday! I don't think this
    >> stuff will be there honestly!!!

    >
    > I was wondering about that too... Are these GPO and AD topics really
    > covered in this exam? It seems strange to me that anything more than a
    > light sprinkling would be on this exam.
     
    Keith Chilton, Nov 28, 2006
    #15
  16. Keith Chilton wrote:
    > I found DD's links and elaboration helpful. Thanks DD!
    >
    > I think I need to focus on more things not related to the domain and active
    > directory though because the test is on Monday! I don't think this stuff
    > will be there honestly!!!


    I was wondering about that too... Are these GPO and AD topics really
    covered in this exam? It seems strange to me that anything more than a
    light sprinkling would be on this exam.
     
    Jonathan Roberts, Nov 28, 2006
    #16
  17. Keith Chilton wrote:
    > I brought it up. Eventually I want to become a lot more knowledgeable about
    > the whole process. Thought I'd see if I could find some good contacts in
    > here and some resource links to go off of when I'm done with this exam
    >
    > Thanks!
    >
    > "Jonathan Roberts" <> wrote in message
    > news:%...
    >> Keith Chilton wrote:
    >>> I found DD's links and elaboration helpful. Thanks DD!
    >>>
    >>> I think I need to focus on more things not related to the domain and
    >>> active directory though because the test is on Monday! I don't think this
    >>> stuff will be there honestly!!!

    >> I was wondering about that too... Are these GPO and AD topics really
    >> covered in this exam? It seems strange to me that anything more than a
    >> light sprinkling would be on this exam.

    >
    >


    Gotcha -- good luck by the way!
     
    Jonathan Roberts, Nov 29, 2006
    #17
  18. You guys do not need to be concerned with the GPO/AD thing right now :)
    That is endless nights of studying for your MCSA/MCSE certification.
    Concentrate on the skills measured for the 2 MCDST tests listed here:

    http://www.microsoft.com/learning/exams/70-271.asp#SKILLS
    http://www.microsoft.com/learning/exams/70-272.asp#SKILLS

    Don't over think, just go in there and own these tests.

    --
    Michael D. Alligood
    MCSA, MCDST, MCP, A+,
    Network+, i-Net+, CIW Assoc.,
    CIW Certified Instructor



    "Jonathan Roberts" <> wrote in message
    news:O#:

    > Keith Chilton wrote:
    > > I brought it up. Eventually I want to become a lot more knowledgeable about
    > > the whole process. Thought I'd see if I could find some good contacts in
    > > here and some resource links to go off of when I'm done with this exam
    > >
    > > Thanks!
    > >
    > > "Jonathan Roberts" <> wrote in message
    > > news:%...
    > >> Keith Chilton wrote:
    > >>> I found DD's links and elaboration helpful. Thanks DD!
    > >>>
    > >>> I think I need to focus on more things not related to the domain and
    > >>> active directory though because the test is on Monday! I don't think this
    > >>> stuff will be there honestly!!!
    > >> I was wondering about that too... Are these GPO and AD topics really
    > >> covered in this exam? It seems strange to me that anything more than a
    > >> light sprinkling would be on this exam.

    > >
    > >

    >
    > Gotcha -- good luck by the way!
     
    Michael D. Alligood, Nov 29, 2006
    #18
  19. Keith Chilton, Dec 4, 2006
    #19
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. barret bonden

    access range ? Via object group ?

    barret bonden, Sep 24, 2004, in forum: Cisco
    Replies:
    1
    Views:
    554
    Walter Roberson
    Sep 24, 2004
  2. Replies:
    0
    Views:
    404
  3. Ed Ruf
    Replies:
    1
    Views:
    486
    Anonymous
    Aug 28, 2004
  4. =?Utf-8?B?UGhvZW5peCBDeWNsaXN0?=

    Group policy with no group

    =?Utf-8?B?UGhvZW5peCBDeWNsaXN0?=, Mar 15, 2007, in forum: Wireless Networking
    Replies:
    1
    Views:
    515
    Jack \(MVP-Networking\).
    Mar 15, 2007
  5. Chris's Group

    Group Policy Object Editing

    Chris's Group, Mar 22, 2006, in forum: Windows 64bit
    Replies:
    5
    Views:
    1,958
    Chris's Group
    Mar 23, 2006
Loading...

Share This Page