[gptalk] Re: GPMC console / Editing GP for 2000 SP4 server
- From: "Ranjan Babu .G" <ranjan.ganesh@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Mon, 14 May 2007 19:18:30 +0530
Hi,
It will work fine.
Now I have one more query.
Below are the group policy settings which are available in 2003 and not in 2000 server.
If I apply these settings, will any affect the Windows 2000 server?
Thanks and Regards,
Ranjan
2003
Allow log on locally
User Rights security settings are not registry keys
2003
Allow log on through Terminal Services
User Rights security settings are not registry keys
2003
Deny log on through Terminal Services
User Rights security settings are not registry keys
2003
Perform volume maintenance tasks
User Rights security settings are not registry keys
2003
Accounts: Administrator account status
Not a registry key
2003
Accounts: Guest account status
Not a registry key
2003
Accounts: Limit local account use of blank passwords to console logon only
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
2003
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction
2003
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction
2003
Devices: Allow undock without having to log on
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
2003
Devices: Restrict CD-ROM access to locally logged-on user only
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
2003
Domain controller: LDAP server signing requirements
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
2003
Domain controller: Refuse machine account password changes
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
2003
Domain member: Maximum machine account password age
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
2003
Interactive logon: Require Domain Controller authentication to unlock workstation
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
2003
Interactive logon: Require smart card
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption
2003
Network access: Allow anonymous SID/Name translation
Not a registry key
2003
Network access: Do not allow anonymous enumeration of SAM accounts
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
2003
Network access: Do not allow storage of credentials or .NET Passports for network authentication
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
2003
Network access: Let Everyone permissions apply to anonymous users
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
2003
Network access: Named Pipes that can be accessed anonymously
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
2003
Network access: Remotely accessible registry paths
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
2003
Network access: Remotely accessible registry paths
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine
2003
Network access: Remotely accessible registry paths and subpaths
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
2003
Network access: Restrict anonymous access to Named Pipes and Shares
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
2003
Network access: Shares that can be accessed anonymously
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
2003
Network access: Sharing and security model for local accounts
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
2003
Network security: Do not store LAN Manager hash value on next password change
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
2003
Network security: Force logoff when logon hours expire
Not a registry key
2003
Network security: LDAP client signing requirements
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
2003
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
2003
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
2003
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
2003
System Cryptography: Force strong key protection for user keys stored on the computer
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
2003
System objects: Default owner for objects created by members of the Administrators group
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner
2003
System objects: Require case insensitivity for non-Windows subsystems
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
2003
Full Policy Name
Registry Settings
2003
System settings: Optional subsystems
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
2003
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
-----Original Message-----
From: Ranjan Babu .G
Sent: Mon 5/14/2007 12:48 PM
To: gptalk@xxxxxxxxxxxxx
Cc:
Subject: GPMC console / Editing GP for 2000 SP4 server
Hi,
I have been using GPMC SP1 on Windows 2003 Server to manage my GP.
We modified the SVRGL file to add MSS settings based on the CIS recommendation
and applied the group policy; it is working fine for all Windows 2003 servers.
Now my problem: I want to modify the GP settings for Windows 2000 Server SP4
at the OU level,
and I need to add additional registry entries as per MSS for Windows 2000
Server.
Which is the best option to carry out for Windows 2000 Server?
I am planning to do it from the Windows 2000 server: first modify the MSS
settings in the SVRGRL INF file, then modify/manage the GP only for
Windows 2000 servers at the OU level. It should work. My concern is whether
any issues will arise if I do it like this.
Does anyone have any ideas?
Thanks and Regards,
Ranjan
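
One way to review a template before linking the GPO to the Windows 2000 OU: the script below reads the [Registry Values] section of a security template and reports entries whose registry path appears in the 2003 list in the message above. It is an added example, not part of the original thread; the sample template is constructed, the lookup table holds only a subset of the listed paths, and a match only marks an entry for review without saying how Windows 2000 treats it.

```python
import re

# Subset of the registry-backed entries in the list above (paths copied from it).
LISTED_2003 = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash":
        "Network security: Do not store LAN Manager hash value on next password change",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM":
        "Network access: Do not allow anonymous enumeration of SAM accounts",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest":
        "Network access: Sharing and security model for local accounts",
    r"MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity":
        "Network security: LDAP client signing requirements",
}
_LOOKUP = {p.lower(): n for p, n in LISTED_2003.items()}  # registry paths are case-insensitive

def registry_values(template_text):
    """Yield (path, type, data) for each line of the [Registry Values] section."""
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "registry values" and "=" in line:
            path, _, rest = line.partition("=")   # MACHINE\...\Value=type,data
            reg_type, _, data = rest.partition(",")
            yield path.strip().strip('"'), reg_type.strip(), data.strip()

def flag_listed(template_text):
    """Return (path, policy name, data) for template entries found in LISTED_2003."""
    return [(p, _LOOKUP[p.lower()], d)
            for p, _t, d in registry_values(template_text) if p.lower() in _LOOKUP]

# Constructed sample template; real templates are often saved as UTF-16 text.
SAMPLE = r"""[Unicode]
Unicode=yes
[Registry Values]
; constructed entries for illustration
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
machine\system\currentcontrolset\control\lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
"""

if __name__ == "__main__":
    for path, name, data in flag_listed(SAMPLE):
        print(f"review: {name} -> {path} = {data}")
```

The `RestrictAnonymous` line in the sample is not reported because matching is on the exact path, and only `RestrictAnonymousSAM` is in the lookup table.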