How are group policy's security settings and AD object's security settings related?

san

How are the security settings of group policy object and AD object
related? So far, from what I read, it seems that AD object's ACLs
affect only in the context of AD while group policy object's security
settings affect the actual computer device, service, and users. Am I
on the right track? Also, it seems that group policy object's security
settings doesn't utilize ACL mechanism, instead they use registries
and other means. Is it possible to have a conflict between the two
security settings?

TYVM

San,

Herb Martin

"san" <sangwoo.im@gmail.com> wrote in message
news:1181836294.105632.290510@q19g2000prn.googlegr oups.com...
> How are the security settings of group policy object and AD object
> related?

Depends on what you mean by GPO security.

GPOs *are* AD objects and in that sense the permissions are precisely
the same in terms of setting them as any other AD object -- there vary
only in what the permissions means, similar to the way that permissions
vary for container objects (OUs and NTFS directories) vs. leaf objects
(e.g., users, computers, and NTFS files). There are just different meanings
for each permission (possibly.)

INSIDE of a GPO you can use it to SET the NTFS, Registry, or Service
permissions for each of those items on the affected machines when the GPO
is applied.

> So far, from what I read, it seems that AD object's ACLs
> affect only in the context of AD while group policy object's security
> settings affect the actual computer device, service, and users. Am I
> on the right track?

Sounds like you are referring to the GPO "settings" intended to apply
to the computer when the GPO is applied (as opposed to controlling
who can do what to the GPO itself in AD.)

> Also, it seems that group policy object's security
> settings doesn't utilize ACL mechanism, instead they use registries
> and other means. Is it possible to have a conflict between the two
> security settings?

I don't think so but it is still unclear precisely what you are asking.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

san

H. Martin,

Thanks for the answer. I'm still in the myth of AD's security. All AD
books were not good enough to me on making clear explanations to the
security. So, what I know is that ACL's in each AD object is an
nTSecurityDescriptor attribute value. And, GPO's security settings
seem to be stored in a registry? (not sure). It's just weird, no
books mentioned about GPO's nTSecurityDescriptor attribute while they
explained the security settings of GPOs.

Thanks!

San

On Jun 14, 12:45 pm, "Herb Martin" <n...@learnquick.com> wrote:
> "san" <sangwoo...@gmail.com> wrote in message
>
> news:1181836294.105632.290510@q19g2000prn.googlegr oups.com...
>
> > How are the security settings of group policy object and AD object
> > related?
>
> Depends on what you mean by GPO security.
>
> GPOs *are* AD objects and in that sense the permissions are precisely
> the same in terms of setting them as any other AD object -- there vary
> only in what the permissions means, similar to the way that permissions
> vary for container objects (OUs and NTFS directories) vs. leaf objects
> (e.g., users, computers, and NTFS files). There are just different meanings
> for each permission (possibly.)
>
> INSIDE of a GPO you can use it to SET the NTFS, Registry, or Service
> permissions for each of those items on the affected machines when the GPO
> is applied.
>
> > So far, from what I read, it seems that AD object's ACLs
> > affect only in the context of AD while group policy object's security
> > settings affect the actual computer device, service, and users. Am I
> > on the right track?
>
> Sounds like you are referring to the GPO "settings" intended to apply
> to the computer when the GPO is applied (as opposed to controlling
> who can do what to the GPO itself in AD.)
>
> > Also, it seems that group policy object's security
> > settings doesn't utilize ACL mechanism, instead they use registries
> > and other means. Is it possible to have a conflict between the two
> > security settings?
>
> I don't think so but it is still unclear precisely what you are asking.
>
> --
> Herb Martin, MCSE, MVPhttp://www.LearnQuick.Com
> (phone on web site)

Herb Martin

"san" <sangwoo.im@gmail.com> wrote in message
news:1181840854.487147.164080@z28g2000prd.googlegr oups.com...
> H. Martin,
>
> Thanks for the answer. I'm still in the myth of AD's security. All AD
> books were not good enough to me on making clear explanations to the
> security.

> So, what I know is that ACL's in each AD object is an
> nTSecurityDescriptor attribute value. And, GPO's security settings
> seem to be stored in a registry? (not sure). It's just weird, no
> books mentioned about GPO's nTSecurityDescriptor attribute while they
> explained the security settings of GPOs.

You still aren't being clear but it sounds like you are distinguishing AD
security from the security APPLIED by a GPO.

I don't believe either are kept in the registry (they aren't) -- the GPO
settings for applications are kept in a FILE in SysVol though.

Mostly it sounds like you may be making this harder than it is, so what
are you really trying to DO, or what is your actual GOAL?

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

> Thanks!
>
> San
>
> On Jun 14, 12:45 pm, "Herb Martin" <n...@learnquick.com> wrote:
>> "san" <sangwoo...@gmail.com> wrote in message
>>
>> news:1181836294.105632.290510@q19g2000prn.googlegr oups.com...
>>
>> > How are the security settings of group policy object and AD object
>> > related?
>>
>> Depends on what you mean by GPO security.
>>
>> GPOs *are* AD objects and in that sense the permissions are precisely
>> the same in terms of setting them as any other AD object -- there vary
>> only in what the permissions means, similar to the way that permissions
>> vary for container objects (OUs and NTFS directories) vs. leaf objects
>> (e.g., users, computers, and NTFS files). There are just different
>> meanings
>> for each permission (possibly.)
>>
>> INSIDE of a GPO you can use it to SET the NTFS, Registry, or Service
>> permissions for each of those items on the affected machines when the GPO
>> is applied.
>>
>> > So far, from what I read, it seems that AD object's ACLs
>> > affect only in the context of AD while group policy object's security
>> > settings affect the actual computer device, service, and users. Am I
>> > on the right track?
>>
>> Sounds like you are referring to the GPO "settings" intended to apply
>> to the computer when the GPO is applied (as opposed to controlling
>> who can do what to the GPO itself in AD.)
>>
>> > Also, it seems that group policy object's security
>> > settings doesn't utilize ACL mechanism, instead they use registries
>> > and other means. Is it possible to have a conflict between the two
>> > security settings?
>>
>> I don't think so but it is still unclear precisely what you are asking.
>>
>> --
>> Herb Martin, MCSE, MVPhttp://www.LearnQuick.Com
>> (phone on web site)
>
>