ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to modify Group Policies impacting Domain Controllers?


Member

Posts: 14
Date: Jun 20, 2012
How to modify Group Policies impacting Domain Controllers?


Hello,

I would like to know how one can go about modifying the group policies impacting Domain Controllers in an Active Directory forest?

We are undergoing an audit and need to furnish a list of all individuals who have sufficient privilege to be able to modify the group policy on our domain controllers, so we needed to know how to make this determination.

Thank you for your assistance in this regard.

Sincerely,

Manuel.



__________________
I love football! Go Ronaldinho!


Newbie

Posts: 4
Date: Jun 27, 2012
RE: How to modify Group Policies impacting Domain Controllers?


Hi Manuel,

All domain controllers in a single domain share the same domain-controller policy, so if you want to have all domain controllers in a single forest share the same policy, you'll have to manually apply the same policy to all domains.

To set the group policy that applies to domain controllers, you need to open up ADU&C/Administrative Center, then navigate to the Domain Controllers OU, right-click on it, select Properties, then select Group Policy, and then you can modify all the settings.

You should be aware though that this is a highly sensitive operation, so you should always ensure that only a small number of highly trusted people can do this, and you should always verify on a weekly basis as to who has the ability to modify these group policies.

Hope this helps.

Marc.



__________________

My blog on How to Audit and Report Security in Active Directory 



Member

Posts: 14
Date: Jul 20, 2012
RE: How to modify Group Policies impacting Domain Controllers?


Hello Marc,

Thank you for the info. This is exactly what I was looking for.

Also, yes, we do realize that any changes made to the Domain Controller Group Policy are very sensitive, and so we have only given this ability to a few people, but like most companies, we're relying on trust here in that while we only grant the required rights to our most trusted admins, we don't actually know if there is a way to find out who can change the Domain Controller Group Policy.

In fact, I don't think there is any way to find out who can change who can link/unlink Group Policies from OUs in Active Directory, but I could be wrong.

Thanks again for your help.

Manuel.



__________________
I love football! Go Ronaldinho!


Newbie

Posts: 4
Date: Jul 21, 2012
RE: How to modify Group Policies impacting Domain Controllers?


Manuel,

Actually, there is ONE way to find out who can change who can link/unlink Group Policies from OUs in Active Directory. There is an Active Directory security analysis tool called Gold Finger for AD, and one of the reports I've seen in it is - Who can change the list of group policies linked to organizational units?

As for relying on trust, you know what they say - Trust in God, but Lock your Car. I would not rely solely on trust; I would try to find out who all can modify the group policies linked to your Domain Controllers OU, lock it down if needed to a minimum number, and keep a good eye on it at all times.

Marc.



__________________

My blog on How to Audit and Report Security in Active Directory 
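
The audit question in this thread (who can change the GPO links on the Domain Controllers OU, and who can edit the GPOs that apply to it) can also be approached with PowerShell. The following is an added example, not code from any poster and not the tool named above. It assumes the RSAT ActiveDirectory and GroupPolicy modules, and it lists the ACEs as written: group membership is not expanded and Deny entries are not evaluated, so it is a starting list rather than effective access.

```powershell
# Added example. Assumes the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$dcOu = (Get-ADDomain).DomainControllersContainer
$adr  = [System.DirectoryServices.ActiveDirectoryRights]
$maskAcl  = [int]$adr::WriteDacl -bor [int]$adr::WriteOwner
$maskProp = [int]$adr::WriteProperty

# schemaIDGUIDs of the OU attributes that hold the GPO link list and link options
$linkAttrs = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions'
}

# Part 1: Allow ACEs on the OU that permit changing the link list, or rewriting
# the OU's ACL or owner (which lets the trustee grant itself that right).
$ouFindings = foreach ($ace in (Get-Acl -Path "AD:\$dcOu").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Inherit-only ACEs apply to child objects, not to the OU itself
    if ($ace.PropagationFlags -band
        [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

    $rights = [int]$ace.ActiveDirectoryRights
    $guid   = $ace.ObjectType.ToString()
    $reason = $null
    if ($rights -band $maskAcl) {
        $reason = 'WriteDacl/WriteOwner (includes Full Control)'
    } elseif ($rights -band $maskProp) {
        if ($ace.ObjectType -eq [guid]::Empty) { $reason = 'Write all properties' }
        elseif ($linkAttrs.ContainsKey($guid)) { $reason = "Write $($linkAttrs[$guid])" }
    }
    if ($reason) {
        [pscustomobject]@{ Target = $dcOu; Trustee = "$($ace.IdentityReference)"
                           Right = $reason; Inherited = $ace.IsInherited }
    }
}

# Part 2: for every GPO that applies to the OU (linked directly or inherited from
# the domain; site links are not covered), list trustees with edit-level rights.
# GpoCustom is a non-standard ACL and needs manual review.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
$gpoFindings = foreach ($link in (Get-GPInheritance -Target $dcOu).InheritedGpoLinks) {
    Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission.ToString() -in $editLevels } |
        ForEach-Object {
            [pscustomobject]@{ Target = "GPO: $($link.DisplayName)"
                               Trustee = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                               Right = "$($_.Permission)"; Inherited = $_.Inherited }
        }
}
@($ouFindings) + @($gpoFindings) | Sort-Object Target, Trustee | Format-Table -AutoSize
```

Saving the output from each run and comparing it against the previous one turns the weekly verification suggested earlier in the thread into a simple diff.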
