GPO | Savage Nomads

Most of these tips are very basic. But we all need to start somewhere.

The initial settings that you should make to get Active Directory secure for your network before you dive into setting up the entire structure.

1.Create an Administrative Account for Yourself
2.Set a Complex and Long Password for the Administrator Account

Top 10 Security Settings to make directly after Installing Active Directory

Popularity: 1% [?]

Tags: active directory, AD, admin, GPO, IT, microsoft, network, security, tags, windows, word, work

If you haven’t already seen it, check out my article in this month’s TechNet Magazine on "Optimizing Group Policy Performance". The article goes into fair bit of detail about things you can do (or not do) to ensure that GP performance is good on your Windows systems. But one thing I didn’t get into is how some specific Client Side Extension (CSE) behaviors can cause performance slowdowns. I received an email from someone at Microsoft asking about this yesterday. His specific question was around the performance impact of using GP to set file system or registry security. GP today has that capability under Computer Configuration/Windows Settings/Security Settings/File System (or Registry). But of course, if you use this feature against large numbers of files or folders (or reg keys), its going to take a while to modify ACLs on those objects, just as it would if you are doing it through Explorer. But his question had to do with the impact of this on system performance, if GP processed these ACL changes every time processing ran. The answer, of course, is that GP processing settings only if one of several situations occur. First, if *something* changes in the GP environment, a client will process those changes during the next processing cycle (I talk about what those changes could be in the article).

The other scenario where security policy would process every time GP processes is if an administrator explicitly told it to do so by setting the per-computer policy at Computer Configuration\Administrative Templates\System\Group Policy\Security Policy Processing\Process even if the Group Policy Objects have not changed. Now of course, enabling this setting can have a very obvious impact on system performance if what you’re doing in security policy are expensive operations like file system re-ACLing. But if not, the advantage of using this setting is that you ensure that, every 90 minutes or so, any security policy you have defined will be re-applied, just in case a pesky user figured out a way to undo them (which they should not if they are not administator on their systems, right????). But in general, I would leave this setting alone.

The 3rd scenario where security policy would process is by virtue of its own built-in behavior. That is, the Security CSE will process security policy every 16 hours by default, regardless of what else is happening. This is a failsafe that MS decided to put into security policy so that security policy will get re-applied if the environment is reasonably static. You can actually modify this interval to be something other than 16 hours via a registry tweak (I actually created a custom ADMX file for this that will be on the CD in the upcoming Windows Server 2008 Resource Kit book, which I wrote the GP chapter for). The registry tweak info can be found at http://support.microsoft.com/kb/277543/en-us.

Tags:

Group Policy, Security Policy, TechNet Magazine

Group Policy Performance and Security Policy
gpoguy
Thu, 17 Jan 2008 22:15:57 GMT

Popularity: 4% [?]

Tags: GPO, group policy, Security Policy, windows

To take over the control the remote XP computer, click the Take Control on the top right. If you can’t take the control, make sure Allow helpers to remotely control the computer under Offer Remote Assistance Setting is enabled. By default, Offer Remote Assistance Settings is disabled. To do enable it, open Group Policy by running gpedit.msc. go to Local Computer Policy\Computer Configuration\Administrative Templates\System\Remote Assistance. The user who will be giving assistance must be a member of the Local Administrators Group on the receiving machine or you need to added as a Helper in the Offer Remote Assistance Group Policy Setting. To add User and Groups to Group Policy: Go to Offer Remote Assistance Group Policy, and in the Helpers area, click Show. Click Add and then enter the Domain\user account

In a case you want to remote access a Windows XP professional workstation and the computer Remote Desktop is not enabled, or no one over there to help you to enable it, you may have an option to enable Remote Desktop remotely by using regedit.

To enabling Remote Desktop using regedit, follow these steps:

Run REGEDIT from Start>Run
Click on File, then select Connect Network Registry
Type the remote computer IP or host name in the Enter the object name to select and the click OK.

4. If you don’t have permission to access the remote computer, the logon screen will show up. Type the username and password for the remote computer. Then click OK.

5. Now, the remote computer is listed in the Registry Editor.

6. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server, in the right panel, select fDenyTSConnection (REG_DWORD). Change the value data from 1 (Remote Desktop disabled) to 0 (Remote Desktop enabled).

7. Close the regedit.

Popularity: 7% [?]

Tags: GPO, RDP, remote desktop, windows, XP

Top 10 Security Settings to make directly after Installing Active Directory

Related posts

Group Policy Performance and Security Policy

Related posts

Twitter Updates for 2008-01-07

Related posts

Twitter Updates for 2007-12-19

Related posts

XP Remote Desktop (How to enable and GPO setup)

Related posts

Navigation

IM Online

Most popular post

Recent Comments

Blogroll

Friends

LinkWorth Partners

Right Links

Tech Links

WordPress Links

Sponsered Links

Flickr Photos

Meta Something