WinXP SP2 GPO on Windows 2003



Hello,

I have updated some of my company's workstations from XP SP1 to XP SP2 and updated the Windows 2003 GPOs with the XP SP2 GPO templates.

There are a lot of new GPOs for XP, but I decided to try and use the Content Advisor because I would like to limit what web sites our operation center employees can access.

So I created a GPO using GPMC named 'optctr - contentAdvisor' and assigned it to the OU named 'opcenter'. Users for the operation center are also located in the OU 'opcenter'. This GPO applies only to users. All workstations in the op. center are named wks-opct1, wks-opct2, and wks-optc3 for the sake of this discussion.

In it, I entered a list of websites that are allowed and denied everything else.

SIDE NOTE: This might seem harsh, but the operation center is an important aspect of our company that routes emergency phone calls from hospitals. Management can't risk having them be off guard and unable to respond to an emergency in a timely manner.

The users would log in and they wouldn't be able to access websites unless allowed by the GPO. This works great! .... Or so we thought.

Last night, one of the operation center personnel decided to log onto a workstation that is not inside the operation center. The user logged onto 'wks-payroll'. The 'optctr - contentAdvisor' GPO kicked in, the user couldn't access any website unless it was allowed. Then the user logged off.

This morning, the owner of 'wks-payroll' logged on and couldn't access any website. The GPO applied to the operation center personnel applied to the owner as well.

She called me and I went to log on as myself, which has Domain Admins rights, and the GPO applied to me as well. I had to manually disable the Content Advisor on wks-payroll.

Back at my office, I created a test OU and test user, and linked GPO 'optctr - contentAdvisor' to the test OU. Logged in as the test user, the Content Advisor settings kicked in; I logged off as the test user, logged back in as myself, and the GPO is still present ...

My question, after the lengthy explanation, is: I want to apply the contentAdvisor GPO to the operation center personnel and have it removed for users who should not be affected by the GPO, such as myself or any other non-operation center personnel. I hope that makes sense :) .

Lastly, I tested this on Windows XP w/ SP1, SP2 and Windows 2000 Pro. w/ SP4. All with the same results.

Thanks


My suggestion would be to create another GPO with no content restrictions, and apply that to your domain.

Then, block propagation of the no-restriction GPO on the op center OU.

This would apply a GPO for every user in your domain that resets the settings of your op center GPO.

That should do it for you. As always, test in your environment first.

Tim

Could you post your OU structure to better illustrate the issue? My recommendation would be to not use Block Inheritance because this actually increases the complexity of Group Policy deployments.

You have two options:

1. Use security filtering by group to ensure that the policy only applies to a certain group or users; or

2. Loopback policies. You apply the policy on the workstations' OU and using loopback policies it applies only to users when they log onto the specific workstations.

Our default domain policy doesn't have any content restriction and the contentAdvisor GPO doesn't apply to my IT OU, therefore, the GPO shouldn't bleed over, but in this case it does.

OU structure is attached.

Additionally, I have emailed Roberta Braggs (MCP security columnist) to see if she has an answer for me. Haven't gotten a response as of yet.

My recommendations to simplify your OU and Group Policy implementation would be as follows:

1. Only apply certain Group Policies at the domain level; e.g. password policies, baseline auditing settings, baseline SUS settings etc.

2. Place all user OUs under a single OU rather than directly below the domain; e.g.:

hss.local

---------->HSS Users

---------------------------->biomed

---------------------------->courier

---------------------------->ehealth

---------------------------->firstwatch

and so on.

3. Apply user Group Policies that apply to all users at the HSS Users OU, rather than at the domain level itself. Apply more specific Group Policies as you move down the OU tree.

4. Place network admin accounts and service accounts in their own OU outside of the user OUs; e.g.

hss.local

---------->Network Administration

---------------------------->Service Accounts

5. Don't apply any Group Policies on the Network Administration OU;

6. Group workstation OUs in a similar manner to user OUs and apply Group Policies:

hss.local

---------->Workstations

---------------------------->Desktops

---------------------------->Laptops

7. Apply workstation Group Policies that apply to all users at the Workstations OU, rather than at the domain level itself. Apply more specific Group Policies as you move down the OU tree.

8. Use the same methods for Member Servers as well:

hss.local

---------->Member Servers

---------------------------->Exchange Servers

---------------------------->SQL Servers

In this manner you don't require the use of Block Inheritance. This should enable you to apply the Group Policies to affect only the users you need to affect and not others. Again, loopback policies would still need to be used to apply policies when any user logs onto special-case computers.
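The two approaches suggested in the replies above (security filtering on the GPO, or loopback processing on the workstation OU) together with the recommended OU layout, written out as a PowerShell script. This is an added example, not code from any poster: it assumes the RSAT ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later), the domain hss.local and the GPO name 'opctr - cnt & scr' from the thread, and the OU name 'OpCenter Desktops' and group name 'GP-OpCenter-ContentAdvisor', which are mine.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory and
# GroupPolicy modules. Assumes domain hss.local and that the GPO
# 'opctr - cnt & scr' already exists; OU and group names below are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # DC=hss,DC=local
$gpoName  = 'opctr - cnt & scr'

# --- OU layout: user OUs under one parent, computer OUs under another ---------
$usersOU = New-ADOrganizationalUnit -Name 'HSS Users'         -Path $domainDN                  -PassThru
$opceOU  = New-ADOrganizationalUnit -Name 'opce'              -Path $usersOU.DistinguishedName -PassThru
$wksOU   = New-ADOrganizationalUnit -Name 'Workstations'      -Path $domainDN                  -PassThru
$opcWks  = New-ADOrganizationalUnit -Name 'OpCenter Desktops' -Path $wksOU.DistinguishedName   -PassThru

# --- Option 1: link at the user OU and narrow it with security filtering --------
function Set-OpCenterFilteredLink {
    New-GPLink -Name $gpoName -Target $opceOU.DistinguishedName -LinkEnabled Yes | Out-Null

    $grp = New-ADGroup -Name 'GP-OpCenter-ContentAdvisor' -GroupScope Global `
                       -Path $opceOU.DistinguishedName -PassThru
    Get-ADUser -SearchBase $opceOU.DistinguishedName -Filter * |
        ForEach-Object { Add-ADGroupMember -Identity $grp -Members $_ }

    # Drop the default "Authenticated Users: Apply" and grant Apply to the group only.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
    Set-GPPermission -Name $gpoName -TargetName $grp.Name           -TargetType Group -PermissionLevel GpoApply
    # Since MS16-072 user policy is fetched under the computer identity, so computers
    # still need Read on the GPO or the user side silently stops applying.
    Set-GPPermission -Name $gpoName -TargetName 'Domain Computers'   -TargetType Group -PermissionLevel GpoRead
}

# --- Option 2: link at the workstation OU and turn on loopback processing -------
# The GPO's User Configuration then applies to whoever logs on to those machines,
# and to nobody logging on elsewhere. UserPolicyMode: 1 = Merge, 2 = Replace.
function Set-OpCenterLoopbackLink {
    New-GPLink -Name $gpoName -Target $opcWks.DistinguishedName -LinkEnabled Yes | Out-Null
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
}

# Pick ONE of the two; they are alternatives, not layers.
Set-OpCenterFilteredLink
# Set-OpCenterLoopbackLink

# Verify from a workstation, logged on as the user in question:
#   gpresult /scope:user /r      lists the GPOs applied to this logon
#   gpresult /scope:computer /r  shows whether a loopback GPO reached the machine
```

The two functions are mutually exclusive on purpose: loopback needs the computer account to have Apply on the GPO, which Option 1 deliberately removes, so combining them leaves the loopback setting unprocessed. Whichever you choose, compare `gpresult /scope:user /r` for an op-center user and for a non-op-center user on the same machine before calling it done.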

agenta, thanks for your post.

My OUs look something like this:

hss.local

----------> Firstwatch

-----------------> users

-----------------> groups

It almost resembles yours, but regardless of how the OUs are set up, the Content Advisor still bleeds over to other users who shouldn't be affected.

From the screenshot, you see the 'opctr - cnt & scr' GPO (used to be 'optctr - contentAdvisor', but since my co-worker added screensaver content, I renamed it) is only applied to the 'opce' OU and not everyone else. And if you look at the Content Advisor settings in GPMC, you will find that it only affects users, thus 'opctr - cnt & scr' affects the:

hss.local

----------> opce

-----------------> users

When users from users.firstwatch.hss.local log in, the 'opctr - cnt & scr' GPO shouldn't affect them, but it does.

I would suggest running GPO Results and finding out where the assaulting GPO is. Odds are there is a GPO out there that does have these content advisor changes in them, just not in a place that it should be. Also, did you restart the computer when you tried to log in? I know it was placed as User Configuration, but it would be interesting to find out that if you did restart it and then logged in, the restrictions would lift. Just food for thought.

agenta, that is correct. The policy is bleeding over to those who shouldn't be affected by it.

Mattimeo, I have run gpresult and the GPO isn't applied to me or the user logged in, but the Content Advisor still affected us.

here's my other findings that I posted on Windows & .NET Magazine:

another odd thing I found out today.

On Oct 12, 2004, I disabled the Content Advisor for MY admin profile, so I can access any site I want.

Today, I logged in as my test user 'ittest' and it was also able to surf any site it wants. The contentAdvisor policy didn't even enable the IE Content Advisor for user 'ittest'. But if you look at the gpresult output again, the policy should have loaded. Curious, I ran gpupdate again and that didn't do much either.

gpresult for user ittest: http://www.cbtr.net/downloads/gpresult_user.txt

gpresult for myself: http://www.cbtr.net/downloads/gpresult_admin.txt

Excuse my stupidity but how did you update 2003 to the SP2 GPO?

They are automatically updated, I think, when they request GPOs from a server. But there is an issue with the server editing some GPOs with new SP2 settings. It's all in KB842933.

http://www.microsoft.com/downloads/details...&displaylang=en

I think that you may all be looking at this from the wrong angle.

It sounds to me to be an issue specific to Content Advisor and could well have nothing to do with leaking GPOs.

As you stated, the change only affects users that shouldn't be affected AFTER a user who is affected has been on the workstation.

I have never heard of anyone applying anything specific to Content Advisor via GPO, but maybe it's simply a case of the GPO not undoing the alterations made to Content Advisor correctly when a user logs out, as opposed to the GPO leaking onto users that shouldn't be affected. Are you with me?
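A check that follows up on this last point, added here and not part of any post in the thread: Content Advisor keeps its state, including the supervisor password (the 'Key' value), under the machine-wide registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings rather than under HKCU, so an IE Maintenance policy that enables it during one user's logon leaves it enabled for every later user of that machine, whatever gpresult reports for them. The script reads that key and reports what it finds, and can back the key up and remove the supervisor value, which is the same effect as disabling Content Advisor by hand. The function names and the backup path are mine.

```powershell
# Added check (not from the thread). Content Advisor stores its state machine-wide,
# so on a "bleeding" workstation this key is what to inspect, not gpresult.
$RatingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings'

function Get-ContentAdvisorState {
    param([string]$Path = $RatingsKey)
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Present = $false; SupervisorPasswordSet = $false; Values = @(); SubKeys = @() }
    }
    $item = Get-Item -Path $Path
    [pscustomobject]@{
        Present               = $true
        # 'Key' holds the obfuscated supervisor password; while it exists IE demands a
        # password before Content Advisor can be switched off.
        SupervisorPasswordSet = ($item.GetValueNames() -contains 'Key')
        Values                = $item.GetValueNames()
        SubKeys               = $item.GetSubKeyNames()
    }
}

function Reset-ContentAdvisor {
    # Run elevated. Exports the key first so the change can be undone with reg import.
    param(
        [string]$Path   = $RatingsKey,
        [string]$Backup = "$env:TEMP\Ratings-$(Get-Date -Format yyyyMMddHHmmss).reg"
    )
    $regPath = $Path -replace '^HKLM:', 'HKLM'
    reg.exe export $regPath $Backup /y | Out-Null
    if ((Get-ContentAdvisorState -Path $Path).SupervisorPasswordSet) {
        Remove-ItemProperty -Path $Path -Name 'Key'
    }
    "Backup written to $Backup"
}

# Usage: run as the user who should NOT be restricted, after the restricted user
# has logged off. Present = $true here while gpresult lists no Content Advisor GPO
# for this logon is the signature of the machine-wide key being left behind.
$state = Get-ContentAdvisorState
$state | Format-List
if ($state.Present) {
    gpresult /scope:user /r | Select-String -Context 0,10 'Applied Group Policy Objects'
}
# Reset-ContentAdvisor    # only after confirming the above, and keep the .reg backup
```

Because the key is under HKLM, a per-user GPO can only ever turn Content Advisor on for the whole machine; it has no per-user "off" state to restore at logoff. If the restriction must stay per-workstation rather than per-user, the loopback approach suggested earlier in the thread lines up with where the setting actually lives.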
