
?? Can I "clone" a Local User Group ??



Guest Tom Baxter
Posted

Hi all,

I'm using Server 2003 (learning it, actually).

Is it possible to create a new local User Group based on the policies assigned to an existing local group? In my case, I'd like to essentially clone the "Remote Desktop Users" group and then add (or possibly remove) some policies. The only reason I'm interested in doing this is to experiment with groups & policies.

As a related question, how can I find *all* the policies assigned to a particular group? For example, in the Local Security Policy tool I can see that the "Remote Desktop Users" group has the "Allow log on through Terminal Services" policy applied. How can I find *all* the policies that apply to the "Remote Desktop Users" group (or any group)?

Thank you very much.

--
Tom Baxter

Guest Roger Abell [MVP]
Posted

Re: ?? Can I "clone" a Local User Group ??

 

Since one does not assign policies to groups, or at least there is no standard meaning to that phrase as far as I know it seems I have to ask what you mean.

None-the-less, in general there is no magic "clone this" button. Some groups have uses reconfigured, such as Remote Desktop Users does in the Terminal Services configuration and in user rights, and these are unique per group that does have these. There is no way to say, make a group named X that has all of the grants currently given to Remote Desktop Users group.

Roger

Guest Tom Baxter
Posted

Re: ?? Can I "clone" a Local User Group ??

 

Thank you for the reply, Roger. I have more below.

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%23Dh7sA$WIHA.3400@TK2MSFTNGP03.phx.gbl...
> Since one does not assign policies to groups, or at least
> there is no standard meaning to that phrase as far as I know
> it seems I have to ask what you mean.

I'm very new to Server 2003 so please forgive such a newbie question.

Roger, you said, "...one does not assign policies to groups...". But if I go into the "Local Security Policy" tool, I can assign several policies to groups. There are many groups that have policies assigned to them (e.g., "Access this computer from the network", "Allow logon through terminal Services", etc.).

The "Local Security Policy" tool shows which policies have been assigned to which users/groups. I don't know if there are additional policies *not* shown by the "Local Security Policy" tool that can be assigned to groups.

What I was hoping to do is to pick up a group (say, "Remote Desktop Users") and determine *all* policies applied to that group.

Is there such a tool available?

Thanks.

 

 

 


Guest Roger Abell [MVP]
Posted

Re: ?? Can I "clone" a Local User Group ??

 

Hi Tom,

some comments within, and no, there is no such tool.

Roger

"Tom Baxter" <tlbaxter99@yahoo.com> wrote in message
news:%23rUTdREXIHA.1132@TK2MSFTNGP06.phx.gbl...
> Thank you for the reply, Roger. I have more below.
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:%23Dh7sA$WIHA.3400@TK2MSFTNGP03.phx.gbl...
>> Since one does not assign policies to groups, or at least
>> there is no standard meaning to that phrase as far as I know
>> it seems I have to ask what you mean.
>
> I'm very new to Server 2003 so please forgive such a newbie question.
>
> Roger, you said, "...one does not assign policies to groups...". But if I
> go into the "Local Security Policy" tool, I can assign several policies to
> groups. There are many groups that have policies assigned to them (e.g.,
> "Access this computer from the network", "Allow logon through terminal
> Services", etc.).

OK, I see what you are meaning, but I think you are sort of inventing your own terminology here. Some policies are new with the advent of group policy, while other policies only reflect what already existed. In an enterprise (ie. domain environment) GPOs can be filtered by security group to control the application of that collection of policies (but we do not call that assigning to the group). The policies you mention are governing user rights, which are (pre-existing group policy) rights that may be granted to principals (users or groups). So for these your use of assign is equivalent to the more common "grant". It is just words, but it threw me off.

> The "Local Security Policy" tool shows which policies have been assigned
> to which users/groups. I don't know if there are additional policies *not*
> shown by the "Local Security Policy" tool that can be assigned to groups.

OK, but I see that as it showing to which groups certain user rights have been granted. There are many configuration settings, some of which have been reflected as policies. Take your Remote Desktop Users group for example. That group comes preconfigured (seems I omitted the p in the first posting I made, getting reconfigured) such that it has the user right to log on via terminal services, which does surface in policy. That group however also has a grant in the config of Terminal Services that allows TS login as a user, and that is not surfaced as a policy.

> What I was hoping to do is to pick up a group (say, "Remote Desktop
> Users") and determine *all* policies applied to that group.

Policies are items in group policy (which also may include preferences, something that strictly speaking are not policies). You are saying policies to mean any control setting, whether in group policy or not. There is no such tool to my awareness. If you wanted to inventory policies granted to some group then one could export a report of a GPO and then parse that in script looking for the group. That would not work for local policy, and it would also be overkill as most policies do not name groups that receive grants (such as does happen with the user right policies).

> Is there such a tool available?

doubtful

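For the user rights discussed in this thread, the local grants can be inventoried from a security template export, which `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes on the server (`rights.inf` is an illustrative file name). The added example below is not code from either poster; it uses a constructed sample export and a hypothetical `rights_for_group` helper to parse the `[Privilege Rights]` section and list the rights that name a group directly. It covers user rights only, so the Terminal Services configuration grant mentioned above does not appear in it.

```python
import codecs

# Constructed sample of a user-rights export (not from a real server).
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = Guest
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs of built-in local groups; the export lists these as *SID.
WELL_KNOWN = {
    "administrators": "S-1-5-32-544",
    "backup operators": "S-1-5-32-551",
    "remote desktop users": "S-1-5-32-555",
}

def decode_export(raw: bytes) -> str:
    """secedit writes UTF-16 with a BOM; accept UTF-8 for hand-edited copies."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_privilege_rights(text: str) -> dict:
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def rights_for_group(text: str, group: str) -> list:
    """User rights that name the group directly, by SID or by account name."""
    wanted = {group.lower(), WELL_KNOWN.get(group.lower(), group).lower()}
    return sorted(right for right, who in parse_privilege_rights(text).items()
                  if wanted & {p.lower() for p in who})

if __name__ == "__main__":
    raw = SAMPLE_EXPORT.encode("utf-16")  # the encoding secedit uses on disk
    print(rights_for_group(decode_export(raw), "Remote Desktop Users"))
```

Only direct grants are reported: a right granted to Everyone (`S-1-1-0`) or to another group the members also belong to still applies to them but is not listed under the group queried.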

Guest Tom Baxter
Posted

Re: ?? Can I "clone" a Local User Group ??

 

Thank you for the reply, Roger. I would be lying if I said I understood everything you said but I understand things *better*, thanks to your comments. I need to keep reading.

Thank you again.

--
Tom Baxter
