UltimateWindowsSecurity.com
Group Policy
[Diagram labels: Active Directory, Applications, Servers]
organizational units
Audit policy:
- logon/logoff enabled
- all others disabled
Acme
HR
Audit policy:
- use of user rights enabled
- all others undefined
Benefits
Audit policy:
- use of user rights disabled
- object access enabled
- all others undefined
Recruiting
Audit policy:
- logon/logoff enabled
- object access enabled
- all others disabled
RecruitSvr1
Controlling Inheritance with Enforced Policies
Two GPOs at root of domain
No Override & Enforced mean the same thing
GPO1 blocks but Enforced/No override GPO2 punches through to the server
[Diagram labels: GPO2; GPO1 (no override); Acme; HR (block policy inheritance); Recruiting; Benefits; RecruitSvr1]
[Diagram: Computer Startup, Applying Computer Configuration. Labels: Local Computers GPO; GPOs linked to computers; GPOs linked to users; levels shown as Site, Domain, Organizational Units]
[Diagram: Bob logs on at a computer in HR. Labels: HumanResources OU; Finance OU; GPO (Computer Configuration, User Configuration); Computer account; Bob's user account; Not applied]
Controlling Inheritance
Domains are the boundary
GPOs on parent domains do not flow to child domains
Container level option
Block
Verifying results
Group Policy Results Wizard
Bottom Line
Group Policy
Resides in AD but is not a control for AD
Control for
Workstations
Servers