You can learn more about WMI and WMI filtering by searching on the Microsoft TechNet Web site at http://technet2.microsoft.com.
Activity 7-9: Using GPO Security Filtering
Time Required: 20 minutes
Objective: Change the default security filtering on a GPO and examine the results.
Description: You're unsure how GPO security filtering works, so you decide to test some settings with a test OU and test GPO.
1. Log on to your server as Administrator, if necessary.
2. Open GPMC. Click to expand the Group Policy Objects folder, and then click TestOUGPO. In the right pane, click the Scope tab.
3. In the Security Filtering dialog box in the right pane, click the Add button. Type Test User1, click Check Names, and then click OK.
4. In the Name list box, click Authenticated Users and click the Remove button. Click OK to confirm that you want to remove the delegation privilege. TestUser1 is now the only security principal with Read and Apply Group Policy permissions for TestOUGPO.
5. Click the Settings tab, and then click the show all link. The Prohibit access to the Control Panel policy should be set to Enabled.
6. Link TestOUGPO to TestOU.
7. On your Vista computer, log on to the domain as testuser1.
8. Check the Start menu to see whether the link to Control Panel is there. (It should not be.) Right-click the desktop and click Personalize. You should see a message that the operation was canceled because of restrictions on the computer.
9. Log off and log on as testuser2. You should see the link to Control Panel in the Start menu.
10. On your server, change the security filtering for TestOUGPO to add Authenticated Users back and remove Test User1.
11. With TestOUGPO selected in the left pane of GPMC, click the Delegation tab in the right pane, and then click the Advanced button.
12. In the Advanced Security Settings dialog box for TestOUGPO, click Add. Type Test User1, click Check Names, and then click OK.
13. If necessary, click Test User1 in the list box at the top, click the Read check box in the Deny column, and then click OK. Click Yes to confirm that you want to set a Deny permission. The current permissions on the GPO allow Authenticated Users members, except TestUser1, to access the GPO.
14. On your Vista computer, you should still be logged on as testuser2. Open a command prompt window, type gpupdate, and press Enter to update group policies.
15. After the policy update is finished, check the Start menu to verify that Control Panel is no longer available to testuser2.
16. Log off your Vista computer and log on as testuser1. Verify that Control Panel is available to testuser1.
17. Log off the Vista computer.
18. On your server, remove Test User1 from TestOUGPO's DACL, and then unlink TestOUGPO from TestOU. Close any open windows, and stay logged on for the next activity.
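The two permission setups tested in this activity can be modeled in a few lines. The following is an added example, not part of the original activity: a simplified Python model that assumes a GPO applies only when the user is granted both Read and Apply Group Policy, and that a matching Deny entry overrides any Allow entry. The function names, the token contents, and the Test User2 account name are constructed for illustration.

```python
# Simplified model of how a client decides whether a GPO applies to a user.
# Assumption: a GPO applies only if the user's token is granted BOTH Read and
# Apply Group Policy, and any matching Deny ACE wins over Allow ACEs.
READ, APPLY = "Read", "Apply Group Policy"

def gpo_applies(dacl, token):
    """dacl: list of (ace_type, trustee, rights); token: set of trustee names."""
    granted, denied = set(), set()
    for ace_type, trustee, rights in dacl:
        if trustee not in token:
            continue                      # ACE names a principal not in this token
        (denied if ace_type == "deny" else granted).update(rights)
    return {READ, APPLY} <= (granted - denied)

# Constructed tokens: every logged-on domain user is also in Authenticated Users.
TOKENS = {
    "testuser1": {"Test User1", "Authenticated Users"},
    "testuser2": {"Test User2", "Authenticated Users"},
}

# Steps 3-4: Authenticated Users removed, Test User1 added to Security Filtering.
FILTER_TO_USER1 = [("allow", "Test User1", {READ, APPLY})]

# Steps 10-13: Authenticated Users restored, Deny Read added for Test User1.
DENY_USER1 = [
    ("allow", "Authenticated Users", {READ, APPLY}),
    ("deny", "Test User1", {READ}),
]

def results(dacl):
    """Map each test user to True when the GPO (Control Panel lockout) applies."""
    return {user: gpo_applies(dacl, token) for user, token in TOKENS.items()}

if __name__ == "__main__":
    for label, dacl in (("steps 3-4", FILTER_TO_USER1), ("steps 10-13", DENY_USER1)):
        for user, applies in results(dacl).items():
            print(f"{label}: {user} -> {'applied' if applies else 'filtered out'}")
```

A user for whom the model returns True gets the Prohibit access to the Control Panel setting, which matches what steps 8, 9, 15, and 16 ask you to verify.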
Loopback Policy Processing
By default, users are affected by policies in the User Configuration node, and computers are affected by policies in the Computer Configuration node.