
View and SteadyState…

April 8th, 2009 by Nick Ohanian

So, I was presented with a unique opportunity to allow a 3rd party into our network by way of some secured means to transfer files. My initial thought was that this would be a slam dunk, as their only requirement was to have a way to transfer files from one side to the other. Yeah.. I know what you are thinking: go ahead and install Linux, harden the system, set up local users, lock them to a directory, configure sftp, DONE. Well, after our kick-off meeting things started to get more complex (as they always do) once you start asking detailed questions and trying to map out some logical workflow chart in your head.

I was going to just do local policies, but figured why not try to use SteadyState, as I had used it previously for all of our public kiosk terminals.

After reading through the documentation (Windows SteadyState Handbook), I stumbled upon page 57 in which it states:

“When considering the installation of Windows SteadyState on shared computers that are connected to a domain network, Group Policy is more effective than using Windows SteadyState for restricting multiple user accounts across numerous computers on a domain network.”

I installed the following administrative template file through the Group Policy Object Editor snap-in: SCTSettings.adm. If you installed in the default location, this file can be found in c:\Program Files\Windows SteadyState\ADM

There is a little trick to getting this to work correctly and I’ll elaborate a bit more below. Essentially, Group Policy applies to a user or computer depending on where the user and computer objects are located in Active Directory. However, in our case, the users resided in a different location from the computer objects. Luckily, there is a way to rectify this situation and enable your new shiny group policy to work with users that are not inside the OU you are placing your workstations in. *drum roll* You can use the Group Policy loopback feature that is located inside your GPO. To navigate there and check the box, open Group Policy Management.

To enable loopback processing, follow these steps:

1. In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
2. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

[Screenshot: Launch Group Policy Object Editor]

[Screenshot: Enable the Group Policy loopback setting]

Now your GPO ties in with your OU, which in turn allows your computer accounts and user accounts to work in conjunction with one another. The next step is to keep the group policies from applying to administrator accounts. In most cases, if you want a group policy to apply to a specific account you can easily do this by placing the accounts in an OU and then applying the group policy at the OU level. This of course holds true for user accounts, machine accounts, or a combination of the two. Yet in this case we do not want these policy settings to apply to our administrator accounts, since we still need to manage the machines. I found the following procedure on Microsoft’s TechNet that allows us to keep a group policy from applying to our admin accounts, or any other group or account we specify, by digging into the ACLs for the policy :p.

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the left console tree, right-click the name of the domain to which the policy is applied, and then click Properties.
3. Click the Group Policy tab.
4. Click the group policy object that you do not want to apply to administrators. By default, the only policy that is listed in the window is the Default Domain Policy.
5. Click Properties, and then click the Security tab. If the group or user to which you do not want policies to apply does not appear in the list, use the following procedure:
   1. Click the Add button.
   2. Click the domain in which the account resides.
   3. Find the account, and then click it in the list.
   4. Click the Add button, and then click OK.
   5. Proceed with the remaining steps.
6. Click the administrators group (or other group or user) to which you do not want the policy to apply.
7. In the Permissions window, click to select the Deny check box for the Apply Group Policy permission. This prevents the group policy object from being accessed and applied to the selected group or user account.
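Once both pieces are in place (loopback processing from the first procedure and the Deny ACE from the second), it is worth confirming that they actually took effect rather than trusting the checkboxes. The PowerShell below is an added example, not code from the original post; it assumes the GroupPolicy RSAT module is available, and the GPO name is a placeholder you would replace with your own.

```powershell
# Added example: verify the loopback setting on a workstation and list any
# Deny ACEs for "Apply Group Policy" on a GPO. Not part of the original post.

function Get-LoopbackMode {
    # The loopback policy is delivered as the UserPolicyMode value under the
    # Policies hive: absent/0 = not configured, 1 = Merge, 2 = Replace.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($item.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

function Get-GpoDenyApply {
    param([Parameter(Mandatory)][string]$GpoName)
    Import-Module GroupPolicy
    # -All returns one entry per trustee; Denied marks Deny ACEs, and
    # GpoApply is the "Apply Group Policy" right set in step 7 above.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

# Placeholder GPO name (assumption); substitute the GPO you created from SCTSettings.adm.
$gpoName = 'SteadyState Restrictions'

"Loopback processing on this computer: $(Get-LoopbackMode)"

$denied = Get-GpoDenyApply -GpoName $gpoName
if ($denied) {
    "Trustees denied 'Apply Group Policy' on '$gpoName':"
    $denied | Format-Table -AutoSize
} else {
    "No Deny ACE for 'Apply Group Policy' found on '$gpoName'."
}
```

Run `gpupdate /force` on the workstation first; if the loopback mode still reads "Not configured", the GPO is not linked to the OU the computer object lives in, which is exactly the mismatch the loopback setting was meant to address.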


Posted under: VMWare View
