Teldata.Wordpress.com | ParagonHost.com

December 7, 2006

Using Group Policy with User Level Filtering and AD (GP SnapIn)

Filed under: Microsoft, Security Focus — paragonhost @ 11:17 pm

When using a GP Snap-In (Group Policy Snap-In)

- If you install the Group Policy Snap-In, be sure to enable the following in order for “any” group policy to take effect.

Launch the Group Policy Snap-In via Administrative Tools or via Active Directory Users and Computers

- Right click on Default Domain Policy [customers-domain]

- Highlight View, click DC Options

- Be sure the radio button “The one used by Active Directory Snap-Ins” is checked (2nd one, in the middle of the three options)

- Build your GPO as noted from ScanSafe and add local IP address exceptions

*** On the SBS box as well as the workstations

At the command line:

gpupdate /force

This will force the Group Policy down to the active server and/or workstation…

As of 11/2006

SBS 2003 Server

Update:

Logging off the domain and logging back on to the domain will also “refresh” the Group Policy…

**** As a last step:

Be sure to “Secure the proxy settings” in order to prevent AD users from changing their network proxy settings

select: User Configuration

select: Administrative Templates

select: Windows Components

select: Internet Explorer

via the right side of the window panel

scroll down to “Disable changing proxy settings” – right-click on it

select: Properties

select: Enabled

After a log off and log on, or after running gpupdate /force from the command line,

the proxy settings will be “greyed” out…

Dws
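
To confirm the lockdown actually reached a user, the following added example (not part of the original post) reads the registry values that the “Disable changing proxy settings” policy and the Internet Explorer proxy configuration write for the logged-on user. It assumes per-user proxy settings and is run in that user's session after gpupdate /force or a fresh logon.

```powershell
# Added verification example; not from the original post.
# Assumption: proxy settings are per-user (stored under HKCU).

$policyKey   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$settingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$locked   = Get-RegValue $policyKey   'Proxy'          # 1 = proxy settings locked by policy
$enabled  = Get-RegValue $settingsKey 'ProxyEnable'    # 1 = a proxy is in use
$server   = Get-RegValue $settingsKey 'ProxyServer'
$override = Get-RegValue $settingsKey 'ProxyOverride'  # semicolon-separated exception list

$findings = @()
if ($locked -ne 1)  { $findings += 'Proxy lock policy not applied: the user can still edit proxy settings.' }
if ($enabled -ne 1) { $findings += 'No proxy is enabled for this user (ProxyEnable is not 1).' }
if ([string]::IsNullOrEmpty($server)) { $findings += 'ProxyServer is empty.' }

# Split the exception list so each entry can be reviewed against what was intended.
$exceptions = @()
if ($override) { $exceptions = @($override -split ';' | Where-Object { $_ }) }

"Proxy server : $server"
"Exceptions   : $($exceptions.Count)"
$exceptions | ForEach-Object { "  $_" }

if ($findings.Count -eq 0) {
    'OK: proxy is set and locked by policy.'
} else {
    $findings | ForEach-Object { "FAIL: $_" }
    exit 1
}
```
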

***** Microsoft Update IP Space

Here are the network ranges that Microsoft Update uses…

Add to the default domain Group Policy – Exception to the Proxy Configuration.

Will allow for MS updates to take place.

 

Cheers!

 

Dave Safley

 

For Windows Update to be able to function, an exception needs to be made in
the Group Policy Management Console we set up earlier this morning with the
following IP ranges:

    * 207.46.0.0/16
    * 213.160.98.224/27

This change will allow the Windows Update function to function correctly.

