Re: Security Templates for GPOs

mkostersitz — Fri, 29 Oct 2004 05:21:47 GMT

No you should disable them first so that the Servers pick up the reversion of the settings if you just delete them the 'old' settings are left behind.

Mike

Re: Security Templates for GPOs

DmitriG — Wed, 27 Oct 2004 13:47:12 GMT

Thank you, guys.

Does it mean that I can safely delete all this GPOs?

Re: Security Templates for GPOs

mkostersitz — Wed, 27 Oct 2004 07:12:23 GMT

THanks for point this out.

The Templates are not required to run Hosted Exchange they are samples and mea culpa faulty ones.

I will fix the templates sometime soon and we will release an update.

HTH

Re: Security Templates for GPOs

jjstreic — Tue, 26 Oct 2004 19:33:18 GMT

I don't believe the templates are required for running Hosted Exchange. That being said they do have some appropriate security settings that you should evaluate deploying with your infrastructure.

I'm checking on the template reg key issue. It has been a long time since I have worked directly with templates so I am setting up a lab. I'll get back to you on that.

I have sent the product team your comments on the Domain Controller policy issue. I checked the documentation and I don't see any mention of prioritizing the policies either. I have sent this question back to the product team for comment.

Thanks!

Security Templates for GPOs

DmitriG — Fri, 22 Oct 2004 22:02:50 GMT

Greetings,

According to “Solutions for Windows-based Hosting with Hosted Exchange 2003” (Volume 6, Book 2) we create couple GPO and import based on Security Templates (DomainControllerV1.inf, mpsserver01.inf, etc.). Then we link those GPO’s to OU’s using GPMC. After moving computers to corresponding OU and applying GPO we receive Warning events in application log:

Source: SceCli
Event ID: 1202
Type: Warning
Description: Security policies were propagated with warning. 0xd : The data is invalid.

This event exists on ALL computers in reference infrastructure, so I will talk only about domain controller as an example because I think the root reason for this warning is the same for ALL Security Templates.

In winlogon.log file I found this messages:

----Configure Security Policy...
Configure password information.
Configure account force logoff information.
Guest account is disabled.

System Access configuration was completed successfully.
LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS).
Configure LSA anonymous lookup setting.
Configure log settings.

Audit/Log configuration was completed successfully.

Kerberos Policy configuration was completed successfully.
Configure hkey_local_machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Warning 3: The system cannot find the path specified.
Error configuring hkey_local_machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Configure hkey_local_machine\system\currentcontrolset\control\lsa\nolmhash.
Warning 3: The system cannot find the path specified.
Error configuring hkey_local_machine\system\currentcontrolset\control\lsa\nolmhash.
Configure hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Warning 3: The system cannot find the path specified.
Error configuring hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Configure hkey_local_machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
Warning 3: The system cannot find the path specified.
Error configuring hkey_local_machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Configure machine\system\currentcontrolset\control\lsa\nolmhash.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.

Configuration of Registry Values was completed with one or more errors.

To solve this problem I deleted WH-Domain controller GPO, updated DomainControllerV1.inf security template by replacing string “HKEY_LOCAL_MACHINE” with “MACHINE”, and recreate WH-Domain controller GPO using updated template. So, it solved the problem with Warning in event log on domain controller (and I think it will solve problem on other computers), but I figured out another problem on domain controller.

Almost all settings for Computer configuration\Windows settings\Local policies\ Security options in WH-Domain controller GPO are ineffective because Default Domain Controllers Policy GPO has higher priority than WH-Domain controller GPO (because of the procedure how to create and link policy to OU). For example Domain Controller: LDAP server signing requirements:

Default Domain Controllers Policy: None
WH-Domain controller: Require signing
Effective setting: None

Here are a couple of questions:
1. Should I worry about those GPO’s or I should live it as is?
2. How those policies affects hosting environment?
3. If this issue is critical then how to fix it?

Regards,

Dmitri Gaikovoi

Hosting Open Forum

Re: Security Templates for GPOs

Re: Security Templates for GPOs

Re: Security Templates for GPOs

Re: Security Templates for GPOs

Security Templates for GPOs