Local Policy / Group Policy

With 300 machines you are going to have to use GPO and not local policies. The scope is just way too large for going to each machine and doing the config.
As for where and when to use Computer vs User GPO's, that's totally up to you. You should read the below:
Computer Configuration in Group Policy
User Configuration in Group Policy
What policies to apply will be in the scope of the desktop hardening so you will have to do your searches on that. Typically hardening would include security settings of some sort which will include password complexity, length and expiration right down to stopping the installation of executables on a machine.
These policies will be different in each environment so you will have to do some homework about what GPO's need to be applied.

Hi Spiceheads,
I have a question regarding local policy and group policy.
I received a workstation hardening procedure, but I need to apply these settings to 300 computers. Can I use group policy instead of local policy? If yes, how, and which option do I need to select: Computer Configuration or User Configuration?
All 300 computers are connected to the same Domain.
Thank you.
This topic first appeared in the Spiceworks Community
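A scripted version of the GPO-based approach recommended above, added here as an example and not taken from the original thread: it assumes the GroupPolicy RSAT module, a placeholder GPO name and OU path, and uses the Windows Installer "Prohibit User Installs" policy as one representative hardening setting, then verifies the setting and link from the domain side.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module
# (RSAT) on a domain-joined admin workstation, run as a user who can create
# and link GPOs. GPO name and OU path are placeholders for your environment.
Import-Module GroupPolicy

$GpoName      = 'Workstation Hardening'                    # placeholder name
$TargetOu     = 'OU=Workstations,DC=example,DC=com'        # placeholder OU
$InstallerKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer'

# Step 1: create the GPO once (idempotent) so all 300 machines share one policy
# instead of 300 hand-edited local policies.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Baseline from workstation hardening procedure'
}

# Step 2: Computer Configuration settings live under HKLM policy keys.
# "Prohibit User Installs" blocks per-user MSI installs, one of the
# "stop installation of executables" controls mentioned in the answer.
Set-GPRegistryValue -Name $GpoName -Key $InstallerKey `
    -ValueName 'DisableUserInstalls' -Type DWord -Value 1 | Out-Null

# Step 3: link the GPO to the OU holding the workstation computer objects.
# Computer Configuration only applies to machines whose accounts sit in
# (or below) this OU, so the link target matters more than the setting.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Step 4: verify from the domain side that the value is stored in the GPO.
$check = Get-GPRegistryValue -Name $GpoName -Key $InstallerKey -ValueName 'DisableUserInstalls'
'{0} -> {1} = {2}' -f $GpoName, $check.ValueName, $check.Value

# Step 5: after 'gpupdate /target:computer /force' on a client, confirm the
# setting is actually in effect with a resultant set of policy report.
# Get-GPResultantSetOfPolicy -Computer 'WS001' -ReportType Html -Path .\WS001-rsop.html
```

The RSoP report in the last step is the check to keep: a setting present in the GPO but absent from the client's report usually means the computer account is outside the linked OU or inheritance is blocked.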

Similar Messages

  • Remote user received a "deny log on locally" policy - and is now locked out

    Hello,
    A traveling user who received a "deny log on locally" policy remotely.
    He was accidentally added to a wrong group and is now locked out. 
    What are the steps to clear this policy?  We have a backup local admin account I can remote into.
    I appreciate any suggestions or comments. 

    > What are the steps to clear this policy?  We have a backup local admin
    > account I can remote into.
    Resolve the wrong setting, remote into the machine and issue "gpupdate
    /target:computer". Reboot and go ahead :)
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Local policy for 8.1 Tablet lock screen behaviour

    We've just loaded our corporate SOE onto a couple of different Windows tablets. An Acer and a Surface Pro 3. Now by default it seems to activate a default lock screen behaviour of having to hold the windows button and press the power button to unlock the
    device. We didn't set this, it seems to kick in automatically. Now the problem is that this works on the Acer and not the SP3. I'd like the lock screen behaviour to revert back to the default, which is to swipe up to unveil the login box. However, I can't
    seem to find the local policy or registry setting to do this. Any ideas?

    This is not an MDT issue. There is something in Group Policy or somewhere else (VPN software) that is forcing Windows to act this way.
    Keith Garner - Principal Consultant [owner] -
    http://DeploymentLive.com

  • My SCCM 2012 server is listed in the Windows updates local policy

    On my end user computers Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Updates > Specify intranet Microsoft update service location
    Does it specify your Primary Site server? YES
    Endpoint Protection leverages the software update component of ConfigMgr for delivery of definitions. This local Windows Updates policy was created when you configured this component. 
    1. How do I disable this local Windows Updates policy in SCCM ?  Thanks

    The client will set these local policy settings if your Client Settings are set to manage software updates and you don't have a group policy in place.
    If you do NOT want ConfigMgr to control updates, then you can go to Client Settings > Software Updates and change "Enable software updates on clients" to No.
    Nash Pherson, Senior Systems Consultant
    Now Micro -

  • Local policy-map in IOS-XR

    We are migrating an IOS based PE to ASR9K with XR4.2. The customer has a local policy-map to match SNMP and telnet packets generated from the router and set the Precedence value to 3.
    ip access-list extended MGMT
    permit tcp any any eq telnet
    permit udp any any eq snmp
    route-map MARK permit 10
    match ip address MGMT
    set ip precedence flash
    ip local policy route-map MARK
    With ABF we can only set next-hop. Any other way we can do this in XR?
    Thanks,

    Thanks Maxime, but actually I have a few more kinds of traffic in the same class like syslog, ntp, tacacs. Not all are supported with this direct marking.
    ipv4 access-list MGMT
    10 permit tcp any any eq telnet
    20 permit udp any any eq snmp
    30 permit udp any any eq snmptrap
    40 permit udp any any eq ntp
    50 permit udp any any eq syslog
    60 permit tcp any any eq ssh
    70 permit tcp any any eq tacacs

  • Local policy route-map for policy route

    Hi 
    this is related to my previous question:
    I want to set a policy route on asr1004 that redirects vpn traffic.
    my case is:
      asr1004 imports a default route 0.0.0.0 from int 0 with bgp neighbour address 10.100.100.100
    assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
    assume vpn with ip address 10.2.2.2 is directly linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
    assume target network is 10.200.200.0/24
    I want internal traffic (10.10.10.0/24) going to the target (10.200.200.0/24) to be redirected to 10.2.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
    Then, I want the vpn (10.2.2.2) to encrypt the traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
    ip local policy route-map vpn-out
    access-list 100 permit ip 10.2.2.2 any
    route-map vpn-out permit 10
      match ip address 100
      set ip next-hop 10.100.100.100
    if not, do I have any chance to do policy routing for this case?
    any comment will be appreciated
    Thanks in advance
    Julxu

    hi Jon
    can I refresh the question again:
    my case is:
      asr1004 imports a default route 0.0.0.0 from int 0 with bgp neighbour address 10.100.100.100
    assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
    assume vpn with ip address 10.10.2.2 is directly linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
    assume target network is 10.200.200.0/24
    I want internal traffic (10.10.0.0/16) going to the target (10.200.200.0/24) to be redirected to 10.10.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
    Then, I want the vpn (10.10.2.2) to encrypt the traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
    ip local policy route-map vpn-out
    access-list 100 permit ip 10.10.2.2 any
    route-map vpn-out permit 10
      match ip address 100
      set ip next-hop 10.100.100.100
    such as:
    interface TenGigabitEthernet0/0/0
     description bgp to get default
     ip address 10.100.100.100 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
    interface TenGigabitEthernet0/1/0
     description get internaltraffic
     ip address 10.3.3.3 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
    interface GigabitEthernet0/2/1
     description vpn
     ip address 10.10.2.1 255.255.255.248
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     media-type rj45
     negotiation auto
    ip local policy route-map vpn-out
    access-list 100 permit ip 10.10.2.2 any
    route-map vpn-out permit 10
      match ip address 100
      set ip next-hop 10.100.100.100
    ip route 10.200.200.0/24 10.10.2.2
    Could you please advise if it is correct?

  • Unable to login Windows Server 2012 after making local policy changes

    Experts, we modified the local policy settings on a Windows Server 2012 machine which, unfortunately, was a domain controller, and now none of the users are able to log in to the server. After entering the user name and password it launches up to the welcome screen, then it errors
    out saying the user name or password is incorrect. Below are the steps which we followed:
    1. The policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos; the value was changed from Not Configured to DES_CBC_MD5.
    2. Changed the user attribute msDS-SupportedEncryptionTypes to 2; this account was used for Kerberos authentication.
    3. Logged off from the server, and then the server doesn't allow any user to log in.
    regards,
    Jakk 

    Have you tried connecting to the server from a 2nd DC? Have you tried installing the RSAT tools on a domain member server and modifying the offending policy?
    The last choice would be to restart the DC into safe mode.

  • Ip local policy - DMVPN head-end router

    hey guys,
         On my DMVPN head-end router (3845 - running 151-4.M2), I'm learning a default route from the internal core that I want the remote spoke to learn via EIGRP (internet access is via tunnel and thru head-end f/w's).  And to avoid having a static route configured for the remote public IP pointing to the internet router, I've tried using a local policy to set the next hop for all VPN traffic from the router to be the internet router.  However, when I remove the static to the remote, I lose the remote peer and it seems the local policy is not engaged.  Any help would be appreciated.
    interface Loopback0
    ip address 10.103.255.1 255.255.255.255
    interface Tunnel10
    bandwidth 10000
    ip address 10.103.254.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 1
    ip nhrp authentication xxx
    ip nhrp map multicast dynamic
    ip nhrp network-id 100
    ip nhrp holdtime 600
    ip nhrp redirect
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    tunnel source GigabitEthernet0/1
    tunnel mode gre multipoint
    tunnel key 1234
    tunnel protection ipsec profile DMVPN-PROFILE
    interface GigabitEthernet0/0
    description Routed link to Core
    ip address 10.100.160.105 255.255.255.252
    duplex auto
    speed auto
    media-type rj45
    interface GigabitEthernet0/1
    description Link to External segment
    ip address 1.1.1.4 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    router eigrp 1
    network 10.100.160.104 0.0.0.3
    network 10.103.254.0 0.0.0.255
    network 10.103.255.1 0.0.0.0
    passive-interface default
    no passive-interface Tunnel10
    no passive-interface GigabitEthernet0/0
    eigrp router-id 10.103.255.1
    ip access-list extended vpn-traffic
    permit esp any any
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    route-map vpn-default permit 10
    description Default route to Internet for encrypted traffic
    match ip address vpn-traffic
    set ip next-hop 1.1.1.2
    ip local policy route-map vpn-default

    Dave,
    I think let's do the reasonable thing here and separate termination and tunneled traffic into VRFs (VRF-lite).
    You can put gig0/1 into one VRF and leave everything else in global (remember to add "tunnel vrf ..." on the tunnel interface).
    Result - separation of overlay and transport - you can have two default routes, one for connectivity to spokes, one for traffic to be passed over tunnel.
    Marcin

  • Windows Local Policy - which settings get uploaded?

    A quick question on expected behaviour when configuring local policies - does ZCM capture all settings from the gpedit.msc on the machine being captured or is it only the changes?
    e.g. if the machine being used has UAC enabled in its local policy store and I use that machine to configure a completely different setting e.g. Windows Updates, when uploading to the server will the uploaded bundle include all the defaults from the machine (i.e. the UAC setting etc)?

    gshaw0 wrote:
    >
    > A quick question on expected behaviour when configuring local
    > policies - does ZCM capture all settings from the gpedit.msc on the
    > machine being captured or is it only the changes?
    >
    > e.g. if the machine being used has UAC enabled in its local policy
    > store and I use that machine to configure a completely different
    > setting e.g. Windows Updates, when uploading to the server will the
    > uploaded bundle include all the defaults from the machine (i.e. the
    > UAC setting etc)?
    I would say it does not - but I could be wrong. I believe I've done a
    whole set of different local policies from the same computer so if it
    was to import all the settings they would all be the same policy...
    Niels
    A true red devil...

  • Find workstations with specific group in local administrators group

    Hello,
    Is there a simple script that will search the workstations in a domain looking for the existence of a specific domain group nested in the local Administrators group?  Our desktop group came up with the idea of using domain groups nested in the local
    admin group to grant administrator privileges to specific computers.  They can list the members of the domain group easily, but they have no easy way to know which workstations they have added the group to.  The output I am looking for is simply a list
    of computers that have the specific group in the Administrators group.   Any advice would be appreciated.
    Bobby

    This is done through Group Policy.  It is a special aspect of GP to set and maintain groups on local machines.  You can protect a machine from changes and allow users to be added and removed.
    If you are just looking to list the contents of a local group then get the module "Local Administration" in the Repository. It has all of the tools you need.
    You can also use WMI to retrieve group membership.
    ¯\_(ツ)_/¯

  • "Unable to update local resource group" error

    Hello,
    I'm having a problem updating one of my local resource groups in RD Gateway Manager.
    We're on 2008 R2 SP1, and have a gateway in between us and another company. When a user needs to access their computer in the other company, we add the machine to the local group, and the account the AD RAP group, it works fine.
    However, every couple of weeks, it will not allow me to update the local resource group for computers. I receive the error "WMI Failure: Unable to update local resource group", and apparently Google cannot find another instance of this error happening -
    no results at all - very odd. So the normal fix is to just recreate the RAP.xml file, then add the machines in again, but this is not a good enough fix long term, plus it misses the machines that are switched off when I recreate it.
    Also - this will be logged in eventvwr TerminalServices-Gateway  
    "The resource group "MY GROUP NAME" could not be updated. The following error occurred: "23106". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the
    RAPStore registry key."
    Google also cannot find anything for that error, OR that 23106 error code - I cannot get results no matter what I do. It cannot be permissions as I've checked them, and it works for a bit. I've ran the WMI diagnostics, and they're fine, no different to any
    other server in the environment. 
    I've also checked these forums and there is nothing on there. Does anyone know the relevance of that error code, or where I can check it out?
    Cheers,
    Jon

    I can confirm ..MPIN..'s solution fixes it.
    I had the exact same problem; I'd recently added a new server, and stopped the old server before decommissioning.  Adding the new server to the TS RAP policy server didn't work and generated the OP's error.
    I removed the old server name (which was not pingable) and the group COULD be updated.
    Really crappy error handling - this is a defect and should be fixed.  A proper error would say "Not all machines in this group are valid, please remove the invalid entries" OR simply allow 'ok' without double checking (after all, the names are checked
    when adding).
    So often we accept shoddy software by proposing work arounds as 'the fix'.  The actual fix is to fix the software to be more descriptive and/or handle errors more gracefully.
    == John ==

  • LDAP Query for particular user account in local Administrators group on All Enabled Computer Accounts

    Need to query on all enabled computer accounts that have a particular user account present in the local Administrators group.
    Ldap query is best, because not all our machines have SCCM client
    Thanks for any help you can provide. Lisa

    Ya, I have 41800+ computer accounts in my directory. I think that option is not feasible :) Thanks for your reply.
    I can use SCCM to do this too, but only for those that the client is running on and which are online. Thanks again.
    Hope is not all lost; a scripting solution is still possible.  The difference is instead of running a central script to pull info from all computers, you let the computers report back to you with the info.
    If I were you, I'd do the following:
    1) Create a file share and adjust the permissions so that "Domain Computers" have "Modify" Permissions.
    2) Create a script similar to the 2nd link I posted above, with a bit of adjustment:  at the end of the script, write the information to the file share created in (1), and name the file
    ComputerName.txt
    3) Use Group Policy Preference Scheduled Task to deploy the script, and make sure it only runs once.
    4) Happily wait for the results to come back :)
    The main benefit of this approach is you're not restricted by the computer connectivity at the moment you run the script.  This is especially true if you have many mobile computers in your environment.  Just wait for a reasonable time (they all need
    to come back to the mother ship once a while don't they?) and the results will show up in the file share you created.
    Cheers.
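The "let the computers report back" approach in the answer above, and the earlier question about finding which workstations contain a specific domain group in local Administrators, as one added example that is not from either thread: the first function runs on each workstation (for instance from the GPP scheduled task in step 3) and writes ComputerName.txt to the share; the second runs centrally over the collected files. The share path and group name are placeholders.

```powershell
# Added example (not from the original threads). Share path and group name
# are placeholders; the WinNT provider is used so the export also works on
# older clients that lack the Microsoft.PowerShell.LocalAccounts module.

function Export-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$SharePath)

    $group = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; read its ADsPath (WinNT://<DOMAIN or
        # COMPUTER>/<Name>) and class (User/Group) via reflection.
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # Normalise to DOMAIN\Name and tag the class so nested groups are
        # distinguishable from individual users in the report.
        '{0}\{1} ({2})' -f $parts[0], $parts[-1], $class
    }

    # First line is a comment with a timestamp so stale reports can be spotted.
    $lines  = @("# reported $(Get-Date -Format s) by $env:COMPUTERNAME") + $members
    $target = Join-Path $SharePath ('{0}.txt' -f $env:COMPUTERNAME)
    # Note: with "Domain Computers: Modify" on the share, any machine can
    # overwrite another's file; a create-only share or per-file ACLs is stricter.
    Set-Content -Path $target -Value $lines -Encoding UTF8
    return $members
}

function Find-ComputersWithAdminMember {
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [Parameter(Mandatory)][string]$Member   # e.g. 'CONTOSO\WS-LocalAdmins' (placeholder)
    )
    # Return the computer names (file base names) whose report lists $Member.
    # -eq is case-insensitive in PowerShell, which matches SAM name semantics.
    $hits = foreach ($file in Get-ChildItem -Path $SharePath -Filter '*.txt') {
        $present = Get-Content -Path $file.FullName |
            Where-Object { -not $_.StartsWith('#') } |
            Where-Object { ($_ -split ' \(')[0] -eq $Member }
        if ($present) { $file.BaseName }
    }
    return @($hits | Sort-Object)
}

# On each workstation (run once from the scheduled task):
#   Export-LocalAdminMembers -SharePath '\\fileserver\adminreports$'
# Centrally, once the machines have checked in:
#   Find-ComputersWithAdminMember -SharePath '\\fileserver\adminreports$' -Member 'CONTOSO\WS-LocalAdmins'
```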

  • Can not add Domain User to Local Admin Group Win8.1

    Hello, 
    I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
    type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
    DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
    but 90% of them it won't allow me to add the local user to the local admin group. 
    DCs are running Win Server 2008 R2 Enterprise. 
    Any help would be greatly appreciated. 
    Thank You

    I would suggest you use Restricted Groups (via GPO) to add domain users/groups to the local Administrators group.
    1. Create a new group in Active Directory
    Create a new group in Active Directory that you wish to add to every workstation's local Administrators group. DO NOT add any users to this group at this time.
    2. Create a new GPO
    Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU containing the WORKSTATIONS you want to give users local administrative rights over.
    3. Edit the newly created GPO
    Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
    4. Add your new Active Directory group to the Restricted Groups
    Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Groups. In the Group field, type the name of the newly created Active Directory group and click "OK".
    5. Add the Restricted Group to the local Administrators group
    In the Restricted Group Properties window click "Add" under the section titled "This group is a member of:". Type "Administrators" (without the quotes, and yes it is plural) in the Group Membership window and click "OK".
    6. Wait for GPO updates to apply to the workstations
    Once your users receive their updated group policy settings, every workstation within the OU you specified will have your new Active Directory group as a member of the local Administrators group. If you need to force the GPO update on a specific workstation,
    run "gpupdate /force" in a command window on that workstation.
    7. Add a user or group of users to the Active Directory Restricted Group
    When you are ready, or in a position where you need to provide local workstation admin rights, you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management
    Console.

  • Adding users in Local Administrators Group using GP Restricted Group

    Hi Experts.
    I have approx 200 servers. There are user1, user2 and user3 which I have added in
    Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local
    Administrators member.
    Now there is a need that user4 should be in the Local Administrators Group using GP Restricted Group for certain servers only. Let's say 50.
    In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.
    Any idea?
    Regards Suman B. Singh

    Hi,
    How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group;
    and then we can use Security Filtering to apply the specific GPOs to specific computers.
    Regarding security filtering, the following article can be referred to for more information.
    Security filtering using GPMC
    https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
    Filter Using Security Groups
    https://technet.microsoft.com/en-us/library/cc752992.aspx
    Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific
    computers.
    Regarding GPP Local Users and Groups, the following article can be referred to for more information.
    Configure a Local Group Item
    https://technet.microsoft.com/en-us/library/cc732525.aspx
    How to use Group Policy Preferences to Secure Local Administrator Groups
    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
    Regarding Item-Level Targeting, the following article can be referred to for more information.
    Preference Item-Level Targeting
    https://msdn.microsoft.com/en-us/library/cc733022.aspx
    Best regards,
    Frank Shen

  • SCCM 2012 - How to add domain id to local administrator group of all clients

    SCCM 2012 - How to add domain id to local administrator group of all clients
    Hi,
    i have a domain id sccmadmin which is a part of domain admins group too.
    Need to add this ID to the local administrators group of all clients. How do I do this? Please help!

    Hi ,
    you need to choose the second option.
    The first option will remove all the domain users from the local Administrators group on all the PCs. Then the local Administrators group will only have the users listed on the members list present in the group policy.
    Note: local admin accounts in the local Administrators group will not be removed.
    The second option will add the newly created group to the local Administrators group on all the PCs and it will not remove the existing members of the local Administrators group.
    Step 1: Just try to create one new group for SCCM management.
    Step 2: Then add the SCCM account to that group.
    Step 3: Then please create a new group policy and in that just choose the second option. In that option just add the newly created group to be a member of the Administrators group on all the PCs.
    Why have I asked you to create a new group?
    Because in the second option, we don't have an option to add an individual user.
    Once you have created the group policy it will look like the snap below.
    As an addition I will tell you how to find out whether the newly created group policy is applying to the computer objects or not, and also how to force an update of the group policy:
    1. gpresult /r ----> To find which group policies are applying to the user and computer object.
    2. rsop.msc ----> There you can find whether the change has been applied or not.
    3. gpupdate /force -----> Forcefully update the group policy on a client machine.
    4. In gpmc.msc there is an option called Group Policy Results. That option is used for centralized management, to find the policies that are applied to a user and computer account.
    5. Just check the event viewer on all the PCs for group policy related events.
    Most importantly, you need to make sure all the computer accounts are placed in an OU where the newly created group policy is applying, and also make sure that the OU doesn't have any inheritance block.
    Please feel free to reply me if you have any queries.
    Thanks & Regards S.Nithyanandham
