You can learn more about WMI and WMI filtering by searching on the
Microsoft TechNet Web site at http://technet2.microsoft.com.
Activity 7-9: Using GPO Security Filtering
Time Required: 20 minutes
Objective: Change the default security filtering on a GPO and examine the results.
Description: You're unsure how GPO security filtering works, so you decide to test some settings
with a test OU and test GPO.
1. Log on to your server as Administrator, if necessary.
2. Open GPMC. Click to expand the Group Policy Objects folder, and then click TestOUGPO.
In the right pane, click the Scope tab.
3. In the Security Filtering dialog box in the right pane, click the Add button. Type Test User1,
click Check Names, and then click OK.
4. In the Name list box, click Authenticated Users and click the Remove button. Click OK to
confirm that you want to remove the delegation privilege. TestUser1 is now the only security
principal with Read and Apply Group Policy permissions for TestOUGPO.
5. Click the Settings tab, and then click the show all link. The Prohibit access to the Control
Panel policy should be set to Enabled.
6. Link TestOUGPO to TestOU.
7. On your Vista computer, log on to the domain as testuser1.
8. Check the Start menu to see whether the link to Control Panel is there. (It should not be.)
Right-click the desktop and click Personalize. You should see a message that the operation
was canceled because of restrictions on the computer.
9. Log off and log on as testuser2. You should see the link to Control Panel in the Start menu.
10. On your server, change the security filtering for TestOUGPO to add Authenticated Users
back and remove Test User1.
11. With TestOUGPO selected in the left pane of GPMC, click the Delegation tab in the right
pane, and then click the Advanced button.
12. In the Advanced Security Settings dialog box for TestOUGPO, click Add. Type Test User1,
click Check Names, and then click OK.
13. If necessary, click Test User1 in the list box at the top, click the Read check box in the Deny
column, and then click OK. Click Yes to confirm that you want to set a Deny permission.
The current permissions on the GPO allow Authenticated Users members, except TestUser1,
to access the GPO.
14. On your Vista computer, you should still be logged on as testuser2. Open a command
prompt window, type gpupdate, and press Enter to update group policies.
15. After the policy update is finished, check the Start menu to verify that Control Panel is no
longer available to testuser2.
16. Log off your Vista computer and log on as testuser1. Verify that Control Panel is available
to testuser1.
17. Log off the Vista computer.
18. On your server, remove Test User1 from TestOUGPO's DACL, and then unlink TestOUGPO
from TestOU. Close any open windows, and stay logged on for the next activity.
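The filtering state this activity sets through GPMC can also be checked from a script. The following is an added example, not part of the original activity: a read-only PowerShell report of which trustees are allowed or denied Read and Apply Group Policy on a GPO. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or later, or RSAT); the function name Get-GpoFilterReport is hypothetical.

```powershell
# Added example: read-only report of a GPO's security filtering (changes nothing).
# Assumption: GroupPolicy and ActiveDirectory modules are installed
# (Windows Server 2008 R2 or later, or RSAT on a workstation).
Import-Module GroupPolicy, ActiveDirectory

# rightsGuid of the "Apply Group Policy" extended right
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$AdRights      = [System.DirectoryServices.ActiveDirectoryRights]

# Hypothetical helper name; emits one object per ACE on the GPO's DACL.
function Get-GpoFilterReport {
    param([Parameter(Mandatory = $true)][string]$GpoName)

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    # The DACL sits on the GPO's container under CN=Policies,CN=System
    $acl = Get-Acl -Path ("AD:\" + $gpo.Path)

    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        # Read means the ACE covers every bit of GenericRead
        $read = ($rights -band $AdRights::GenericRead) -eq $AdRights::GenericRead
        # Apply means the extended-right bit is set for this right specifically,
        # or for all extended rights (empty ObjectType)
        $apply = (($rights -band $AdRights::ExtendedRight) -ne 0) -and
                 (($ace.ObjectType -eq $ApplyGpoRight) -or
                  ($ace.ObjectType -eq [guid]::Empty))

        New-Object PSObject -Property @{
            Trustee = $ace.IdentityReference.Value
            Type    = $ace.AccessControlType    # Allow or Deny
            Read    = $read
            Apply   = $apply
            Rights  = $rights.ToString()        # raw rights, so nothing is hidden
        }
    }
}

# TestOUGPO is the GPO used in this activity
Get-GpoFilterReport -GpoName 'TestOUGPO' |
    Sort-Object Type, Trustee |
    Format-Table Trustee, Type, Read, Apply, Rights -AutoSize
```

Run after step 4, the report should show TestUser1 rather than Authenticated Users holding Allow entries with Read and Apply; run after step 13, it should show a Deny entry for TestUser1 alongside the Allow entries for Authenticated Users.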
Loopback Policy Processing
By default, users are affected by policies in the User
Configuration node, and computers are affected by policies in the Computer Configuration node.