GPOs, LGPOs, Users/Groups - Security =)

By winthrop.polk
I am trying to figure out how to manage users and groups as well as security settings. Specifically, how I can define my security settings, my users, my groups, my passwords, and which users belong to which groups, but to do it in an equivalently easy way as running a batch file since I have to do it on hundreds of computers without a domain controller.

1. I have identified the following interfaces that seem to deal with users and groups: User accounts (control panel), Computer Management - local users and groups (admin tools in control panel), and I have heard rumors of a cmd line interface for doing this. What is the difference between these interfaces? Which should I use? Why does group policy not have a section for user/group management? Why are there so many ineffective interfaces for dealing with the same subject?

2. Is there a way to include the computer management snap-in, the group policy snap-in and possibly others in a custom console such that I can edit all the settings in the console, save the console without implementing these changes on this computer, port the custom console to all the various computers and implement the settings previously defined? I.e., if I make a change in the custom console, how do I ensure it is not going to go into effect on this computer? I don't want it to. I just want to create an LGPO and my users and groups in a sort of planning LGPO, but not to implement it until it is ported to another computer.

3. Why does the "security templates" snap-in under "account policies" have a section called "Kerberos Policy" while the "local computer policy" snap-in does not? Should it not be identical? The exact same situation seems to be present in the sections titled "event log", "system services", and more. I suppose that each of these snap-ins operates on different parts of the same data set, overlapping at times. Is this accurate? If so, question 2 above becomes very important.

Why is there no DC??

by tmalo627

That would be the easiest way of accomplishing what you want. That being said, yes, you can create a custom console. Start > Run > "mmc". Once there you can add whatever snap-ins you want through the File menu. There are certain snap-ins that can stand alone, and snap-ins that are dependent on others. Once you have your console configured you can save it to a flash drive to open on whichever computer you choose. This will only carry the shell of the console, though. Any user-specific settings will still have to be done at each computer, because they all maintain a separate SAM (Security Account Manager). That is the major benefit of having a domain controller for your situation. There is one database that controls all the users on all the computers from one spot rather than over 100.

Let me ask this.

by winthrop.polk

If we had a domain controller, we could just define a group policy (only talking 5 users for 300 computers, so I don't think I'll need more than one) and define my users/groups, then roll these changes out to each device automatically; right? I would not have to manually assign each setting to each device over and over again. There has to be some way of doing this without the domain.

I have heard that I can define new groups, users and some security settings via cmd prompt. If this is the case, I should be able to implement via a batch file.

You identified the problem I was afraid of, thanks. Ideally, what I wanted to do was to open the MMC, define my settings without applying them to this PC, then to use that console saved on a thumb drive to load the settings on to each device. But, as you said, as soon as I open the console on another computer, the settings will take the values already defined on that computer.

"There are certain snap-ins that can stand alone, and snap-ins that are dependent of others"
This is another problem I am having. I need to know precisely which snap-ins depend on others. For example, the local users and groups snap-in is also present in computer management. I guess I could use a tree or hierarchy showing how they are related. I need to make sure the console I design has all possible settings and all needed snap-ins (though I realize you can add to discrete sections such as the admin templates), but I also want to make sure that there is no repetitive information. I also want to make the assumption (for now) that all the settings I will be assigning are only those settings present during a fresh winXP install. Currently, the only way I personally can be sure that I have at least addressed all possible settings is by adding all possible snap-ins; but we don't want to repeat information.
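The command-line interface mentioned above is the `net` command (`net user`, `net localgroup`, `net accounts`), which is what a batch file run on each workgroup PC would call. The script below is an added example written for this thread, not something posted by any of the participants; the user names, the group name `LabOperators` and the initial password are placeholders. Because each PC keeps its own SAM, the script has to be run on every machine, which is the limitation tmalo627 describes. It is written so that rerunning it on a machine where it already ran does not fail.

```batch
@echo off
rem Added example, not from the thread. Creates local users and a local
rem group on one workgroup PC and sets the local password policy.
rem Run as a local administrator on each PC. Names and the initial
rem password are placeholders (assumed), not values from the thread.
setlocal

rem "net session" only succeeds with administrator rights, so it doubles
rem as a cheap privilege check before anything is changed.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must run as a local administrator.
    exit /b 1
)

rem Local account policy. These values are illustrative; they are stored
rem in this machine's SAM, so they must be set on every PC.
net accounts /minpwlen:8 /maxpwage:90 /uniquepw:5

rem Initial password for new accounts. Kept at 14 characters or fewer so
rem "net user" does not stop to ask about long-password compatibility.
rem Users should change it at first logon; rotate it if this file leaks.
set "INITIAL_PW=ChangeMe!2024"

rem Create the group only if it does not exist yet ("/add" on an existing
rem group fails). "net localgroup NAME" errors when NAME is missing.
net localgroup LabOperators >nul 2>&1 || net localgroup LabOperators /add /comment:"Lab operators"

rem Create each user if missing, put it in LabOperators, and make sure it
rem is not a member of Administrators so day-to-day work is unprivileged.
for %%U in (alice bob carol) do (
    net user %%U >nul 2>&1 || net user %%U %INITIAL_PW% /add /passwordreq:yes /comment:"Lab user"
    net localgroup LabOperators %%U /add >nul 2>&1
    net localgroup Administrators %%U /delete >nul 2>&1
)

rem Built-in Guest stays disabled on every PC.
net user Guest /active:no >nul

rem Print the resulting membership so the run can be checked on the spot.
net localgroup LabOperators
endlocal
```

Copy the script to each PC (or run it from the thumb drive) and check the membership listing it prints at the end; `net user` and `net localgroup` cover users, groups and membership, while the security settings that the Security Templates snap-in manages are applied with `secedit`, which is a separate step.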

humm well first off

by CG IT

with 300 users in an Active Directory domain environment, think of all 300 trying to log on to the domain at 8:00am at the same time.

even if only half do, that's still quite a demand on the DC. While 1 DC might work, there's always the possibility that that one would fail and then you're scrambling. With an additional DC, users would still be able to gain access to resources and log in.

The other thing to think on is that each of those 300 users must have a CAL. They're not cheap even with volume discount.

In a domain environment, you control user and computer settings via group policy and then you can use OUs [containers] to group users or computers for the purposes of applying different settings for different groups.

With a workgroup environment, you will have to do this individually per computer or user. You can create security templates and then export them, remote in and apply them so you don't make a trip to each one, but either way, workgroup or domain requires lots of planning and testing.

I've yet to find complete documentation on what each setting does and their dependencies. That's some of the reason the RSOP tool was created. That tool allows you to see the final results of Group Policy as applied to a user or computer.

hmm well.. CORRECTIONS!!

by winthrop.polk

I think you read wrong. The network has 300 computers and less than 10 users. When we do implement a domain, it will be hierarchical.

What's a CAL by the way?

"With a workgroup environment, you will have to do this individually per computer or user. You can create security templates and then export them, remote in and apply them so you don't make a trip to each one, but either way, workgroup or domain requires lots of planning and testing."

Q1: If I create a new security template and define all the settings, I want a confirmation that nothing will be implemented on this development computer. Is it correct that nothing will be implemented?

Q2: I am aware of the ability to do this with security templates, however there are additional settings and such that need to be implemented that are not in the security templates. Examples include users and groups, as well as administrative templates. There is a way to implement LGPOs, but I have yet to find a way (similar to the security templates) to be able to design the LGPO in lab without having the settings go into effect and to then port it to all the various devices where they will go into effect.

300 computers and 10 users? right.....

by CG IT

lots of capital [$$] sitting around doing nothing....

hierarchical domain? humm well if this is a Windows shop meaning all Windows operating system including domains, then it's Active Directory. If you know Active Directory, then you would know what I'm talking about including what a CAL is and why one needs em...

for Q2 try the hisec template.... Microsoft does have predefined security templates which you can customize....

For Q2 at the end... Unless it's Group Policy via Active Directory and you can use the RSOP tool, the only way to know if the security settings work is to apply them.
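The security template workflow CG IT refers to ("create security templates and then export them ... and apply them") is driven by `secedit`, and it also answers winthrop.polk's Q1: saving a template from the Security Templates snap-in changes nothing on the machine it was saved on, and `secedit /analyze` compares a template against the local settings without applying it. The script below is an added example for this thread, not code from any participant; it assumes `template.inf` was exported from the snap-in and sits next to the script (the built-in templates such as `hisecws.inf` live under `%SystemRoot%\security\templates` on XP), and the database and log file names are placeholders. It covers only the areas a security template holds; users, groups and administrative-template settings are outside it.

```batch
@echo off
rem Added example, not from the thread. Compares a security template with
rem this PC's current settings without changing anything, and applies the
rem template only when run with /apply.
rem Assumes template.inf (exported from the Security Templates snap-in)
rem is next to this script. DB and LOG names are placeholders.
setlocal
set "TEMPLATE=%~dp0template.inf"
set "DB=%TEMP%\template-check.sdb"
set "LOG=%TEMP%\template-check.log"

if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 1
)

rem Start from a fresh analysis database so an earlier run's contents
rem are not merged with this template.
if exist "%DB%" del "%DB%"

rem /analyze imports the template into the database and compares it with
rem the live settings. Nothing on the machine is modified; differences
rem are written to the log as "Mismatch" lines.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /quiet
echo Settings on this PC that differ from the template:
findstr /i "mismatch" "%LOG%"

if /i not "%~1"=="/apply" (
    echo Analysis only. Rerun with /apply to configure this computer.
    exit /b 0
)

rem /configure is the step that actually changes the local security
rem settings. /overwrite replaces the database contents with the template
rem so stale entries from an earlier template are not applied too.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit reported a problem; see %LOG%
    exit /b 1
)
echo Template applied. Review %LOG% for any settings that could not be set.
endlocal
```

Running the script without arguments on the development PC is the confirmation asked for in Q1: it reports the differences and leaves the machine as it was. Running it with `/apply` on each target PC (in person or over a remote session, as CG IT suggests) is the port-and-implement step, and the log from `/analyze` afterwards shows whether everything took effect.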

Another thought...

by tmalo627

If there are only 10 users that need to access the DC at any given time, you install the server operating system in "Per User/Per Device" mode. This would save quite a bit of money on CALs (Client Access Licenses). In this case, though, you have to be aware that if all the CALs are in use and there is another connection attempted to the server, it will be blocked. Another user must disconnect first. This could be a good way to go, though, depending on exactly how your users use the computers.

