Local Policy / Group Policy
With 300 machines you are going to have to use GPO and not local policies. The scope is just way too large for going to each machine and doing the config.
As for where and when to use Computer vs User GPOs, that's totally up to you. You should read the below:
Computer Configuration in Group Policy
User Configuration in Group Policy
What policies to apply will be in the scope of the desktop hardening, so you will have to do your searches on that. Typically hardening would include security settings of some sort, which will include password complexity, length and expiration right down to stopping the installation of executables on a machine. These policies will be different in each environment, so you will have to do some homework about what GPOs need to be applied.
Hi Spiceheads,
I have a question regarding local policy and group policy.
I received a workstation hardening procedure, but I need to apply these settings to 300 computers. Can I use group policy instead of local policy? If yes, how, and which option do I need to select: Computer Configuration or User Configuration?
All 300 computers are connected to the same Domain.
Thank you.
This topic first appeared in the Spiceworks Community
Similar Messages
-
Remote user received a "deny log on locally" policy - and is now locked out
Hello,
A traveling user received a "deny log on locally" policy remotely.
He was accidentally added to a wrong group and is now locked out.
What are the steps to clear this policy? We have a backup local admin account I can remote into.
I appreciate any suggestions or comments.
> What are the steps to clear this policy? We have a backup local admin
> account I can remote into.
Resolve the wrong setting, remote into the machine and issue "gpupdate /target:computer". Reboot and go ahead :)
Martin
How about reading a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Local policy for 8.1 Tablet lock screen behaviour
We've just loaded our corporate SOE onto a couple of different Windows tablets, an Acer and a Surface Pro 3. Now by default it seems to activate a default lock screen behaviour of having to hold the Windows button and press the power button to unlock the device. We didn't set this; it seems to kick in automatically. Now the problem is that this works on the Acer and not the SP3. I'd like the lock screen behaviour to revert back to the default, which is to swipe up to unveil the login box. However, I can't seem to find the local policy or registry setting to do this. Any ideas?
This is not an MDT issue. There is something in Group Policy or somewhere else (VPN software) that is forcing Windows to act this way.
Keith Garner - Principal Consultant [owner] -
http://DeploymentLive.com -
My SCCM 2012 server is listed in the Windows updates local policy
On my end user computers Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Updates > Specify intranet Microsoft update service location
Does it specify your Primary Site server? YES
Endpoint Protection leverages the software update component of ConfigMgr for delivery of definitions. This local Windows Updates policy was created when you configured this component.
1. How do I disable this local Windows Updates policy in SCCM? Thanks
The client will set these local policy settings if your Client Settings are set to manage software updates and you don't have a group policy in place.
If you do NOT want ConfigMgr to control updates, then you can go to Client Settings > Software Updates and change "Enable software updates on clients" to No.
Nash Pherson, Senior Systems Consultant
Now Micro -
-
We are migrating an IOS based PE to ASR9K with XR 4.2. The customer has a local policy-map to match SNMP and telnet packets generated from the router and set the Precedence value to 3.
ip access-list extended MGMT
permit tcp any any eq telnet
permit udp any any eq snmp
route-map MARK permit 10
match ip address MGMT
set ip precedence flash
ip local policy route-map MARK
With ABF we can only set next-hop. Any other way we can do this in XR?
Thanks,
Thanks Maxime, but actually I have a few more traffic types in the same class, like syslog, ntp, tacacs. Not all are supported with this direct marking..
ipv4 access-list MGMT
10 permit tcp any any eq telnet
20 permit udp any any eq snmp
30 permit udp any any eq snmptrap
40 permit udp any any eq ntp
50 permit udp any any eq syslog
60 permit tcp any any eq ssh
70 permit tcp any any eq tacacs -
Local policy route-map for policy route
Hi
this is related my previous question:
I want to set policy route on asr1004, that redirect vpn traffic.
my case is:
asr1004 imports a default route 0.0.0.0 from int 0 with BGP neighbour address 10.100.100.100
assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
assume vpn with ip address 10.2.2.2 is directly linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
assume target network is 10.200.200.0/24
I want internal traffic (10.10.10.0/24) going to target (10.200.200.0/24) to be redirected to 10.2.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
Then, I want vpn (10.2.2.2) to encrypt the traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.2.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
if not, do I have any chance to do policy routing for this case?
any comment will be appreciated
Thanks in advance
Julxuhi Jon
can I refresh the question again:
my case is:
asr1004 imports a default route 0.0.0.0 from int 0 with BGP neighbour address 10.100.100.100
assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
assume vpn with ip address 10.10.2.2 is directly linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
assume target network is 10.200.200.0/24
I want internal traffic (10.10.0.0/16) going to target (10.200.200.0/24) to be redirected to 10.10.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
Then, I want vpn (10.10.2.2) to encrypt the traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
such as:
interface TenGigabitEthernet0/0/0
description bgp to get default
ip address 10.100.100.100 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
interface TenGigabitEthernet0/1/0
description get internaltraffic
ip address 10.3.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
interface GigabitEthernet0/2/1
description vpn
ip address 10.10.2.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
media-type rj45
negotiation auto
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
ip route 10.200.200.0/24 10.10.2.2
Could you please advise if it is correct? -
Unable to login Windows Server 2012 after making local policy changes
Experts, we have modified the local policy setting on the Windows Server 2012 and, badly, it was a domain controller; now none of the users are able to log in to the server. After entering the user name and password it launches until the welcome screen, then it errors out saying user name or password incorrect. Below are the steps which we followed:
1. Policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos; value changed from Not Configured to DES_CBC_MD5
2. Changed user attribute msDS-SupportedEncryptionTypes to 2; this account we were using for Kerberos authentication.
3. Logged off from the server, and then the server doesn't allow any user to log in.
regards,
Jakk
Have you tried connecting to the server from a 2nd DC? Have you tried installing the RSAT tools on a domain member server and modifying the offending policy?
last choice would be restart the DC into safe mode. -
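The steps in this thread set both the KDC policy and the account's msDS-SupportedEncryptionTypes to DES only (value 2). The PowerShell below, added here as an example and not posted by anyone in the thread, decodes that attribute's bitmask and flags accounts restricted to DES so such a change can be spotted before it locks anyone out. The bit values are the documented ones for the attribute; the directory query assumes the RSAT ActiveDirectory module and runs against the current domain, and the sample values at the bottom are constructed, not read from any directory.

```powershell
# Added example (not from any post on this page): decode the
# msDS-SupportedEncryptionTypes bitmask and find DES-only accounts.
# Bit values as documented for the attribute (MS-KILE / MS-ADTS).
$EncTypeBits = @(
    [pscustomobject]@{ Bit = 0x01; Name = 'DES_CBC_CRC' },
    [pscustomobject]@{ Bit = 0x02; Name = 'DES_CBC_MD5' },
    [pscustomobject]@{ Bit = 0x04; Name = 'RC4_HMAC_MD5' },
    [pscustomobject]@{ Bit = 0x08; Name = 'AES128_CTS_HMAC_SHA1_96' },
    [pscustomobject]@{ Bit = 0x10; Name = 'AES256_CTS_HMAC_SHA1_96' }
)

function ConvertFrom-KerberosEncTypes {
    param([int]$Value)
    # 0 / missing means "not set": Windows then uses its own defaults
    # (RC4 and, on newer systems, AES), not DES.
    if ($Value -eq 0) { return '(not set: OS default)' }
    $names = @(foreach ($e in $EncTypeBits) { if ($Value -band $e.Bit) { $e.Name } })
    # Report any bits this table does not know rather than silently dropping them.
    $known = 0
    foreach ($e in $EncTypeBits) { $known = $known -bor $e.Bit }
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { $names += ('Unknown(0x{0:X})' -f $unknown) }
    return $names
}

function Test-DesOnlyEncTypes {
    param([int]$Value)
    # True when a DES bit is set and no RC4/AES bit is set: such an account
    # cannot authenticate to a KDC that has DES disabled (the 2012 default).
    return (($Value -band 0x03) -ne 0) -and (($Value -band 0x1C) -eq 0)
}

function Get-DesOnlyAccounts {
    # Requires the ActiveDirectory module (RSAT); queries the current domain.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=computer))(msDS-SupportedEncryptionTypes=*))' `
                 -Properties 'msDS-SupportedEncryptionTypes', 'sAMAccountName' |
        ForEach-Object {
            $v = [int]$_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Account  = $_.sAMAccountName
                Value    = $v
                EncTypes = (ConvertFrom-KerberosEncTypes $v) -join ','
                DesOnly  = Test-DesOnlyEncTypes $v
            }
        } | Where-Object DesOnly
}

# Constructed sample values (2 is the value set in the thread above).
foreach ($v in 2, 4, 0x18, 0) {
    '{0,4} -> {1} (DES only: {2})' -f $v, ((ConvertFrom-KerberosEncTypes $v) -join ', '), (Test-DesOnlyEncTypes $v)
}
```

Run Get-DesOnlyAccounts from a domain-joined admin workstation to list the accounts that would be affected by a DES-only KDC policy; the decode functions work offline on any integer, which is what the loop at the end exercises.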
Ip local policy - DMVPN head-end router
hey guys,
On my DMVPN head-end router (3845 - running 151-4.M2) , I'm learning a default route from the internal core that I want the remote spoke to learn via EIGRP (internet access is via tunnel and thru head-end f/w's). And to avoid having a static route configured for the remote public IP pointing to the internet router, I've tried using a local policy to set the next hop for all VPN traffic from the router to be the internet router. However, when I remove the static to the remote, I lose the remote peer and it seems the local policy is not engaged. Any help would be appreciated..
interface Loopback0
ip address 10.103.255.1 255.255.255.255
interface Tunnel10
bandwidth 10000
ip address 10.103.254.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication xxx
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile DMVPN-PROFILE
interface GigabitEthernet0/0
description Routed link to Core
ip address 10.100.160.105 255.255.255.252
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
description Link to External segment
ip address 1.1.1.4 255.255.255.0
duplex auto
speed auto
media-type rj45
router eigrp 1
network 10.100.160.104 0.0.0.3
network 10.103.254.0 0.0.0.255
network 10.103.255.1 0.0.0.0
passive-interface default
no passive-interface Tunnel10
no passive-interface GigabitEthernet0/0
eigrp router-id 10.103.255.1
ip access-list extended vpn-traffic
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
route-map vpn-default permit 10
description Default route to Internet for encrypted traffic
match ip address vpn-traffic
set ip next-hop 1.1.1.2
ip local policy route-map vpn-default
Dave,
I think let's do the reasonable thing here and separate termination and tunneled traffic into VRFs (VRF-lite).
You can put gig0/1 into one VRF and leave everything else in global (remember to add "tunnel vrf ..." on the tunnel interface).
Result - separation of overlay and transport - you can have two default routes, one for connectivity to spokes, one for traffic to be passed over tunnel.
Marcin -
Windows Local Policy - which settings get uploaded?
A quick question on expected behaviour when configuring local policies - does ZCM capture all settings from the gpedit.msc on the machine being captured or is it only the changes?
e.g. if the machine being used has UAC enabled in its local policy store and I use that machine to configure a completely different setting e.g. Windows Updates, when uploading to the server will the uploaded bundle include all the defaults from the machine (i.e. the UAC setting etc)?
gshaw0 wrote:
>
> A quick question on expected behaviour when configuring local
> policies - does ZCM capture all settings from the gpedit.msc on the
> machine being captured or is it only the changes?
>
> e.g. if the machine being used has UAC enabled in its local policy
> store and I use that machine to configure a completely different
> setting e.g. Windows Updates, when uploading to the server will the
> uploaded bundle include all the defaults from the machine (i.e. the
> UAC setting etc)?
I would say it does not - but I could be wrong. I believe I've done a whole set of different local policies from the same computer, so if it was to import all the settings they would all be the same policy...
Niels
A true red devil... -
Find workstations with specific group in local administrators group
Hello,
Is there a simple script that will search the workstations in a domain looking for the existence of a specific domain group nested in the local administrators group? Our desktop group came up with the idea of using domain groups nested in the local admin group to grant administrator privileges to specific computers. They can list the members of the domain group easily, but they have no easy way to know which workstations they have added the group to. The output I am looking for is simply a list of computers that have the specific group in the administrators group. Any advice would be appreciated.
Bobby
This is done through Group Policy. It is a special aspect of GP to set and maintain groups on local machines. You can protect a machine from changes and allow users to be added and removed.
If you are just looking to list the contents of a local group, then get the module "Local Administration" in the Repository. It has all of the tools you need.
You can also use WMI to retrieve group membership.
¯\_(ツ)_/¯ -
"Unable to update local resource group" error
Hello,
I'm having a problem updating one of my local resource groups in RD Gateway Manager.
We're on 2008 R2 SP1, and have a gateway in between us and another company. When a user needs to access their computer in the other company, we add the machine to the local group and the account to the AD RAP group, and it works fine.
However, every couple of weeks, it will not allow me to update the local resource group for computers. I receive the error "WMI Failure: Unable to update local resource group", and apparently Google cannot find another instance of this error happening - no results at all - very odd. So the normal fix is to just recreate the RAP.xml file, then add the machines in again, but this is not a good enough fix long term, plus it misses the machines that are switched off when I recreate.
Also - this will be logged in eventvwr TerminalServices-Gateway
"The resource group "MY GROUP NAME" could not be updated. The following error occurred: "23106". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the
RAPStore registry key."
Google also cannot find anything for that error, OR that 23106 error code - I cannot get results no matter what I do. It cannot be permissions as I've checked them, and it works for a bit. I've run the WMI diagnostics, and they're fine, no different to any other server in the environment.
I've also checked these forums and there is nothing on there. Does anyone know the relevance of that error code, or where I can check it out?
Cheers,
Jon
I can confirm ..MPIN..'s solution fixes it.
I had the exact same problem; I'd recently added a new server, and stopped the old server before decommissioning. Adding the new server to the TS RAP policy server didn't work and generated the OP's error.
I removed the old server name (which was not pingable) and the group COULD be updated.
Really crappy error handling - this is a defect and should be fixed. A proper error would say "Not all machines in this group are valid, please remove the invalid entries" OR simply allow 'ok' without double checking (after all, the names are checked
when adding).
So often we accept shoddy software by proposing work arounds as 'the fix'. The actual fix is to fix the software to be more descriptive and/or handle errors more gracefully.
== John == -
Need to query on all enabled computer accounts that have a particular user account present in the local Administrators group.
Ldap query is best, because not all our machines have SCCM client
Thanks for any help you can provide. Lisa
Ya, I have 41800+ computer accounts in my directory. I think that option is not feasible :) Thanks for your reply.
I can use SCCM to do this too, but only for those that the client is running on and which are online. Thanks again.
Hope is not all lost; a scripting solution is still possible. The difference is instead of running a central script to pull info from all computers, you let the computers report back to you with the info.
If I were you, I'd do the following:
1) Create a file share and adjust the permissions so that "Domain Computers" have "Modify" Permissions.
2) Create a script similar to the 2nd link I posted above, with a bit of adjustment: at the end of the script, write the information to the file share created in (1), and name the file
ComputerName.txt
3) Use Group Policy Preference Scheduled Task to deploy the script, and make sure it only runs once.
4) Happily wait for the results to come back :)
The main benefit of this approach is you're not restricted by the computer connectivity at the moment you run the script. This is especially true if you have many mobile computers in your environment. Just wait for a reasonable time (they all need
to come back to the mother ship once a while don't they?) and the results will show up in the file share you created.
Cheers. -
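A PowerShell implementation of the report-back approach described above, which also answers the earlier question in this listing about finding which workstations have a given domain group nested in their local Administrators group. This is an added example, not a script posted in either thread; the share path \\FILESERVER\LocalAdminReports and the group name Desktop-Admins are placeholders, and the WinNT ADSI provider is used instead of Get-LocalGroupMember so the Report mode also runs on Windows 7 / 2008 R2 clients.

```powershell
# Added example (not from any post on this page).
# -Mode Report : run on each workstation (e.g. from the GPP scheduled task);
#                writes the local Administrators membership to the share.
# -Mode Query  : run centrally; lists computers whose report contains -Name.
# Assumptions: the share path is a placeholder and "Domain Computers" has
# Modify rights on it, as the answer above recommends.
param(
    [ValidateSet('Report', 'Query')][string]$Mode = 'Report',
    [string]$ReportShare = '\\FILESERVER\LocalAdminReports',   # placeholder
    [string]$Name                                               # e.g. Desktop-Admins
)

function Get-LocalAdministratorsMembers {
    # WinNT ADSI provider: available on every supported Windows client,
    # including those without the Microsoft.PowerShell.LocalAccounts module.
    $computer = $env:COMPUTERNAME
    $group = [ADSI]"WinNT://$computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/COMPUTER/Name (or WinNT://COMPUTER/Name) for local ones.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $scope = if ($parts[0..($parts.Count - 2)] -contains $computer) { 'Local' } else { 'Domain' }
        [pscustomobject]@{
            Computer  = $computer
            Scope     = $scope
            Domain    = $parts[0]
            Name      = $parts[-1]
            Type      = $class            # 'User' or 'Group'
            Collected = (Get-Date).ToString('s')
        }
    }
}

function Find-ComputersWithAdminMember {
    param([string]$Share, [string]$MemberName)
    # Read every per-computer report and keep the computers that list the
    # requested member (-eq is case-insensitive in PowerShell).
    Get-ChildItem -Path $Share -Filter '*.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object { $_.Name -eq $MemberName } |
        Select-Object -ExpandProperty Computer -Unique |
        Sort-Object
}

switch ($Mode) {
    'Report' {
        # One file per computer, named after it, overwritten on each run.
        Get-LocalAdministratorsMembers |
            Export-Csv -Path (Join-Path $ReportShare "$env:COMPUTERNAME.csv") -NoTypeInformation -Force
    }
    'Query' {
        if (-not $Name) { throw 'Query mode needs -Name, e.g. -Name Desktop-Admins' }
        Find-ComputersWithAdminMember -Share $ReportShare -MemberName $Name
    }
}
```

Run it with -Mode Report from the scheduled task on each client and with -Mode Query -Name <group> centrally; add a Scope -eq 'Domain' condition to the filter if local accounts with the same name should be ignored. The results are self-reported: the share is writable by every domain computer, so a file only tells you what that machine wrote, and because each run overwrites the previous report the Collected timestamp is what shows how current an entry is.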
Can not add Domain User to Local Admin Group Win8.1
Hello,
I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
but 90% of them it won't allow me to add the local user to the local admin group.
DCs are running Win Server 2008 R2 Enterprise.
Any help would be greatly appreciated.
Thank You
I would suggest you use Restricted Groups (via GPO) to add domain users/groups to the local admins group.
1. Create a new group in Active Directory
Create a new group in Active Directory that you wish to add to every workstation's local administrator group. DO NOT add any users to this group at this time.
2. Create a new GPO
Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU containing the WORKSTATIONS you want to give users local administrative rights over.
3. Edit the newly created GPO
Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
4. Add your new Active Directory group to the Restricted Group
Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK".
5. Add the Restricted Group to the local administrator group
In the Restricted Group Properties window click "Add" under the section titled "This group is a member of:". Type "Administrators" (without the quotes, and yes, it is plural) in the Group Membership window and click "OK".
6. Wait for GPO updates to apply to the workstations
Once your users receive their updated group policy settings, every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.
7. Add a user or group of users to the Active Directory Restricted Group
When you are ready, or in a position where you need to provide local workstation admin rights, you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console. -
Adding users in Local Administrators Group using GP Restricted Group
Hi Experts.
I have approx 200 servers. There are user1, user2 and user3 which I have added in
Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local
Administrators member.
Now there is a need that user4 should be in the Local Administrators Group using GP Restricted Group for certain servers only. Let's say 50.
In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.
Any idea?
Regards Suman B. Singh
Hi,
How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group;
and then we can use Security Filtering to apply the specific GPOs to specific computers.
Regarding security filtering, the following article can be referred to for more information.
Security filtering using GPMC
https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
Filter Using Security Groups
https://technet.microsoft.com/en-us/library/cc752992.aspx
Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific
computers.
Regarding GPP Local Users and Groups, the following article can be referred to for more information.
Configure a Local Group Item
https://technet.microsoft.com/en-us/library/cc732525.aspx
How to use Group Policy Preferences to Secure Local Administrator Groups
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
Regarding Item-Level Targeting, the following article can be referred to for more information.
Preference Item-Level Targeting
https://msdn.microsoft.com/en-us/library/cc733022.aspx
Best regards,
Frank Shen -
SCCM 2012 - How to add domain id to local administrator group of all clients
Hi,
i have a domain id sccmadmin which is a part of domain admins group too.
Need to add this ID to the local administrators group of all clients. How do I do this? Please help!
Hi,
you need to choose the second option.
The first option will remove all the domain users from the local administrator group on all the PCs. Then the local administrator group will only have the users updated on the members list present in the group policy.
Note: Local admin accounts in the local administrators group will not be removed.
The second option will add the newly created group to the local administrator group on all the PCs and it will not remove the existing members of the local administrators group.
Step 1: Just try to create one new group for SCCM management.
Step 2: Then add the SCCM account to that group.
Step 3: Then please create a new group policy, and in that just choose the second option. In that option just add the newly created group to be a member of the administrator group on all the PCs.
Why have I asked you to create a new group?
Because in the second option, we don't have an option to add an individual user.
Once you have created the group policy it will look like the snap below.
As an additional I will tell you how to find whether the newly created group policy is applying to computer objects or not, and also I will tell you how to force-update the group policy:
1. gpresult /r ----> To find which group policy is applying on the user and computer object.
2. rsop.msc ----> There you can find whether the change has been applied or not.
3. gpupdate /force -----> Forcefully updating the group policy on a client machine.
4. In gpmc.msc there is one option called Group Policy Results. That option is used for centralized management to find the policies that are applied to a user and computer account.
5. Just check the event viewer on all the PCs for group policy related events.
Most importantly you need to make sure all the computer accounts are placed in an OU where the newly created group policy is applying, and also make sure that OU doesn't contain any inheritance block.
Please feel free to reply to me if you have any queries.
Thanks & Regards S.Nithyanandham