MMC Snap-ins

By winthrop.polk
I am trying to understand the standard winXP MMC snap-ins, specifically understanding where and why they have overlap and how to use each in combination. I think I have a fairly good understanding of how they can be used individually, but as a group of snapins I am not sure.

Computer management snap in has a section called local users and groups and the snap in "local users and groups" is identical.

Security templates snapin has similar settings as the group policy snap in.

Here is the situation. We have 300 computers operating without a domain, without active directory. They have never been properly configured for security. Now I have to apply security settings, LGPOs, define my groups and users, and other areas to each of these devices individually. I need a way to sit here in the office and design these settings, then apply them in the field in a semi automated way such as a batch file. I cannot manually assign all these settings to each device over and over again in the field.

So, what snap-ins do I need?

Explain the overlap of settings.

Explain how I can define my settings in a lab, then roll them out in a semi automated way to each device.


Some more things to learn

by shasca In reply to MMC Snap-ins

It's hard for anyone to sit here and define your network security for you. That will have to come from within the organization.

I included here the group policy console, a best GPO practices document, and a GP troubleshooting utility. Best scenario would be to apply and try on a test domain before distribution to the Comp.LAN.


Thanks but

by winthrop.polk In reply to Some more things to learn

I have already read all of that.

Installing domain controllers is not an option in the near term.

I don't need anyone to design the security settings, my group, users, etc for me. I pretty much need to know why snap-ins have overlapping settings, how do I get a complete and concise MMC console with all the security settings and user/group sections without repeating settings or an explanation of why settings are repeated and how/when to use each, and basic methodology of implementing LGPOs in a semi-automated fashion and how to design them in a lab environment.


Local users and groups

by shasca In reply to Thanks but

I managed all users and objects with AD users and computers. But then we do have active directory installed across the domain.

My reading of your post said that you were implementing AD, and wanted to know the best way to implement security, and distribute apps etc. Guess I'm confused as to what task is at hand in your questioning.


I'll try again

by winthrop.polk In reply to Local users and groups

We have a network with 300 computers at a power plant. There are NO domain controllers and NO active directory. Security has never been a consideration in the 50 years of operation. The government is now requiring that we meet NERC compliance which is just basic security. I have been assigned the task of asset hardening, specifically ports, programs and services. However, I think it is pointless to harden at that level without first setting up my users, groups and basic security settings. We need a record of all setting values. We are not allowed to purchase new equipment this year. We have to make sure each of these 300 computers is configured with the proper security, users, groups, etc. i.e. implement security for the first time.

I cannot simply go out to the field and spend 10 hours on each computer manually setting all the security options. We have to have a semi-automated way to do this. I need to sit here in the lab and design the settings, then go to each device in the field and load these previously designed settings and user management. I realize this is an administrative nightmare, but it has to be done.

To summarize, I am trying to understand:

1. How to create some sort of file that I can put on a thumb drive and load on each computer in the field that will automatically implement my users, groups, LGPOs and any other security settings.
-My current thinking is to create a custom console in the MMC, to assign all my settings in there in a lab environment without applying these settings to the development computer, save it to a thumbdrive, take it to the field and apply all the settings.
=To do this though, I need to know why different standard snap ins have the same sections and/or settings and to understand why/how to use each



by shasca In reply to I'll try again

We have an AD network. But we have two OU's with different GPO's. We join the Vista PC's into the OU that has no policy applied since it allows us access to customize each PC when we deliver them to our remote locations. We discovered the hard way that the Windows firewall blocked UltraVNC in the unregulated OU. (The exceptions are conf. in GP on the other OU.) So what I did was export the firewall exceptions from the registry then import to the image of the new PC's.

Case in point is that if you can come up with a distribution method you can export, and reimport the reg sec. settings to these standalone PC's within your org. If you had network management system like Kace's KBOX, SMS would be a lot easier for you. AD would be a huge help in this endeavor as well.


Windows Security Is Confusing

by winthrop.polk In reply to registry

I am pretty sure I can find an automated way to implement this using a batch file since a lot of stuff is accessible via the cmd prompt. However, I will need a clear and auditable listing that shows all the possible security features (including my local users and groups) so that I ensure that I analyze all of them and determine the value. I am kind of at a stuck point though. I have played with a number of snap ins, primarily Computer Management, Local computer Policy (LGPO), Local Users and Groups, Security Templates, and Security Configuration and Analysis. I am confused because settings and sections are repeated between these various snapins. Some sections are not repeated though, where I would have thought they should have been (such as the Kerberos policy is listed in security templates but not in Local Computer Policy/Windows settings/security settings section where I thought it should be).

So that's the first problem: If I want a console with all possible user management and security settings accessible, which snap ins do I use to ensure there is are repeats. Why are there repeats in the first place?

The second problem is: Once I determine the value of all possible settings, define my groups and user, etc, how do I prepare an implementation file in the lab without applying the settings to this development computer.
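An added example, not part of any post in this thread: one way to get the "clear and auditable listing" asked for above is to keep the lab design as a security template file and compare it with a template-format export taken from each field machine. The sketch assumes such an export exists for every machine; both sample files and the group names in them are constructed for illustration.

```python
# Added example. Constructed samples in security-template INF layout
# ([Section], "Key = Value"); PlantOperators/PlantAdmins are hypothetical groups.
LAB_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeNetworkLogonRight = PlantOperators,PlantAdmins
"""
FIELD_EXPORT = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 5
[Privilege Rights]
SeNetworkLogonRight = Everyone,Administrators
"""
IGNORED_SECTIONS = {"Unicode", "Version"}  # file metadata, not settings

def parse_template(text):
    """Return {(section, key): value} for every setting line in a template."""
    settings, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and section not in IGNORED_SECTIONS and "=" in line:
            key, value = line.split("=", 1)
            items = [v.strip() for v in value.split(",")]
            if section == "Privilege Rights": items.sort()  # order is not a change
            settings[(section, key.strip())] = ",".join(items)
    return settings

def audit(designed, actual):
    """Compare the design with a machine's export; one row per setting."""
    rows = []
    for key in sorted(set(designed) | set(actual)):
        want, have = designed.get(key), actual.get(key)
        status = ("OK" if want == have else "MISSING" if have is None
                  else "UNPLANNED" if want is None else "DIFFERS")
        rows.append((key[0], key[1], want, have, status))
    return rows

if __name__ == "__main__":
    for row in audit(parse_template(LAB_TEMPLATE), parse_template(FIELD_EXPORT)):
        print("%-16s %-22s want=%-28s have=%-26s %s" % row)
```

Saving the rows per machine gives a record of every planned value next to what was actually found, including settings the export lacks (MISSING) and settings nobody planned for (UNPLANNED).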


Can you expand on this??

by shasca In reply to Windows Security Is Conf ...

"The second problem is: Once I determine the value of all possible settings, define my groups and user, etc, how do I prepare an implementation file in the lab without applying the settings to this development computer."

Are you saying "If I apply these settings in a test env., how do I apply them to the live systems"???


Yes and No

by winthrop.polk In reply to Windows Security Is Conf ...

Yes, I need to know how to apply these settings in the field in a semi automated way. Settings applied must include creating my users, groups, and all possible security settings. But, this is only part of the question. Since these devices are in the field and are being used to run a power plant, I cannot just adhoc the security for each device, nor can I spend 10 hours on each device manually assigning the settings. So, I need to create an implementation method that will allow for quick implementation of preplanned settings, groups, and users. To do this, I am determining the settings in the office (currently just copying each setting to a word document, researching the implications of each, and assigning the value in the word document).

So, now I need to take this 30 page word document and make sure I have accounted for all possible settings ON A STANDARD WINXP FRESH INSTALL (I realize settings and sections can be added). I am confused by this because various snapins have the same sections and I don't know how to get a complete, concise and non-repetitive view of the windows security and user configurations.

The part of confusion I think is that, in addition to determining how to implement this in the field, I also need to make sure that I do not apply these settings on this development computer. I pretty much have to design the security for these devices without being near the devices, then to implement the security that is preplanned in a fast way.


You'll want to work with

by IC-IT In reply to I'll try again

Admin templates. Here is a nice article on managing Local Group policies.**(WS.10).aspx

You may also want to do a quick read on gpedit.msc and on creating and importing admin templates.



by winthrop.polk In reply to You'll want to work with

Administrative templates are part of, so are LGPOs. Part of the LGPOs is user rights assignment. I do not want to use any of the default groups. The last two sentences present a need for the local groups and users snap in as well.

I looked at that article; it presents a new MLGPO object in Vista, but I am mainly dealing with XP.
