
Missing Group Policy settings



#1
VoodooV

VoodooV

    Newbie

  • Member
  • 34 posts
  • Joined 17-August 07
I'm trying to create a group policy for Windows 7 to enable various security settings to create a NIST USGCB baseline. There are two settings under Computer Configuration\Policies\Administrative Templates\Network\Network Connections:

  • Require Domain users to elevate when setting a network location
  • Route all traffic through the internal network

but these settings simply do not appear for me. I have only four items available to me:

  • Windows Firewall (folder)
  • Prohibit installation and configuration of Network Bridge on your DNS domain network
  • Prohibit use of Internet Connection Firewall on your DNS domain network
  • Prohibit use of Internet Connection Sharing on your DNS domain network

My google-fu is failing me when I try to find any explanation as to why those two settings are missing. I checked out the NetworkConnections.admx file that's on the local pc that I'm creating the GPO on and I do see references to the two settings in question, but they just don't show up for me to configure them. Now I know when push comes to shove, I know the registry entries that they ultimately modify so I know I can resort to a registry edit if I have to, but I'd like to understand why those settings are missing. I tried updating my RSAT, I tried updating the ADMX files, I've tried editing the group policies from a 2K8 R2 server, but no luck.

Any ideas? Thanks in advance!



#2
Tripredacus

Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,912 posts
  • Joined 28-April 06
  • OS:Server 2012
  • Country: Country Flag

Donator

Those two options are on my 2008 R2 DC, however mine has Service Pack 1 installed. Does yours?
MSFN RULES | GimageX HTA for PE 3-5 | lol probloms

#3
VoodooV

VoodooV

    Newbie

  • Member
  • 34 posts
  • Joined 17-August 07
I was wondering if this wasn't more suited for the server forums, sorry about that.

Unfortunately, I don't have access to our domain controllers. We're a state agency and it was decided a few years back that a central agency would control everything so our agency is just an OU in the big state domain. We do have our own 2K8 R2 w/SP1 servers, but they aren't domain controllers. I tried loading up RSAT on one of those servers but I didn't get the options there either.

Last I heard, their DCs are 2K8 R2, but I have no idea if they have SP1 or not. Do you think it's a lack of SP1 that's causing the issue? If I get ahold of the domain admins, it would be nice if I had an idea what would fix it.

EDIT: I moved on to the next set of settings and it appears they are missing too:

There should be a group of settings called IPv6 Transition Technologies that should be under Computer Configuration\Administrative Templates\Network\TCPIP that just aren't there for me.

When I was researching this, I got the impression that all those settings are stored in those ADMX files on the local machine. Do our domain admins just need to update the ADMX files on the DC?

I know I can do this through registry edits, but it would be tedious as hell.

EDIT2: Loaded up the local group policy editor on my Win7 box. The settings are there, so I guess I do have a way to automate it now. I'm still thinking I ought to talk to our domain admins about this though, since these are security features that are rather important.

Edited by VoodooV, 19 January 2012 - 04:44 PM.


#4
Tripredacus

Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,912 posts
  • Joined 28-April 06
  • OS:Server 2012
  • Country: Country Flag

Donator

If they are that important and you feel they should be instituted company wide, then they should be added to the domain GPOs rather than the local system. The reason for this is that it is easier to manage those settings. Say there is a problem down the road, the domain admin can easily disable that setting for testing, or even so create an OU for a pilot group that doesn't have that setting enabled/disabled.

#5
IcemanND

IcemanND

    MSFN Junkie

  • Super Moderator
  • 3,266 posts
  • Joined 24-September 03
  • OS:Windows 7 x64
  • Country: Country Flag
If you can get or have the ADMX files that are needed for these settings, you put them in the PolicyDefinitions folder in sysvol (where the GPOs are stored). Everyone should have read rights in the space, and if you have the ability to create GPOs you should have write rights in the space to be able to do it.

#6
VoodooV

VoodooV

    Newbie

  • Member
  • 34 posts
  • Joined 17-August 07

If you can get or have the ADMX files that are needed for these settings, you put them in the PolicyDefinitions folder in sysvol (where the GPOs are stored). Everyone should have read rights in the space, and if you have the ability to create GPOs you should have write rights in the space to be able to do it.


You don't know how tempted I am to do that. But since it would affect everyone, not just our agency, I'm not about to mess with that (and my livelihood). And yeah... I just took a peek, I found the sysvol policydefinitions folder on our domain. Oh so tempting! :) I'm no MCSE though and I see multiple domain controllers out there, so I'm not going to mess with it myself.

Besides, I'll derive more pleasure out of demonstrating to the powers that be that they need to keep up with our standards...again :) We found out who to contact to update that stuff so it should just be a matter of time now.

Thanks for pointing me in the right direction gang :)
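
The symptom in this thread (settings visible in the local policy editor on the Windows 7 machine, absent when editing domain GPOs) is what an out-of-date central store looks like: when a PolicyDefinitions folder exists in SYSVOL, the domain GPO editor reads its templates from there instead of from the local folder. The read-only PowerShell check below is an added example, not part of the original posts; it assumes the standard central-store path `\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions` and lists the policies that the local ADMX files define but the central copies lack.

```powershell
# Added example: read-only comparison of local ADMX templates with the domain central store.
# Assumptions: run as a domain user on a domain-joined machine; the central store sits at
# the standard SYSVOL path built below. Written to work on PowerShell 2.0 (Windows 7).
param(
    [string]$Domain     = $env:USERDNSDOMAIN,
    [string]$LocalStore = (Join-Path $env:SystemRoot 'PolicyDefinitions')
)

$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

function Get-AdmxPolicyName {
    param([string]$Path)
    # ADMX is namespaced XML; matching on local-name() avoids hard-coding the namespace URI.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $xml.SelectNodes("//*[local-name()='policy']") |
        ForEach-Object { $_.GetAttribute('name') }
}

if (-not (Test-Path $CentralStore)) {
    Write-Output "No central store at $CentralStore; GPO editing uses the local templates."
    return
}

Get-ChildItem -Path $LocalStore -Filter *.admx | ForEach-Object {
    $central = Join-Path $CentralStore $_.Name
    if (-not (Test-Path $central)) {
        # The whole template is absent, so none of its settings show up in domain GPOs.
        New-Object PSObject -Property @{
            File = $_.Name; Status = 'Missing from central store'; Policies = ''
        }
        return   # inside ForEach-Object this skips to the next file
    }
    $localNames   = @(Get-AdmxPolicyName $_.FullName)
    $centralNames = @(Get-AdmxPolicyName $central)
    $missing      = @($localNames | Where-Object { $centralNames -notcontains $_ })
    if ($missing.Count -gt 0) {
        New-Object PSObject -Property @{
            File = $_.Name; Status = 'Central copy lacks policies'
            Policies = ($missing -join ', ')
        }
    }
} | Select-Object File, Status, Policies | Format-Table -AutoSize -Wrap
```

The output gives the domain admins a concrete list of templates to refresh; a matching `.adml` language file must be copied alongside each updated `.admx`.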



