The Internet Encyclopedia (Volume 3)



HOW W2K WORKS 795

Figure 2: Precedence of GPOs at different levels. (Figure not reproduced; it shows, for both Computer Configuration and User Configuration, the OU-linked, domain-linked, site-linked and local configurations.)

applied. So the default GPO that is linked to a domain will be overridden by linking a new GPO to the same domain. Still, a Domain Administrator or someone else with sufficient privileges can reverse the order of precedence—the default GPO can go into effect simply by using the Group Policy Editor to reverse the order. Note that in Figure 3, there are two policies, EES Policy and Default Domain Policy, that are linked to the domain ees.test. EES Policy is listed first and will prevail over the Default Domain Policy link. However, by highlighting EES Policy in the Group Policy sheet shown in Figure 3 and then clicking “Down,” the Default Domain Policy can be made to prevail.

Further complicating the situation is the fact that GPO settings can be inherited, for example, from one site container to its children or from one OU to its children. “Block Inheritance” settings can be in place at the level of children containers, however. “Block Inheritance” does exactly what it implies. But if there is a “No Override” at the higher level container (e.g., a parent site or OU), the “No Override” prevails; GPO settings from the parent are put into effect at the level of the child containers. Furthermore, inheritance does not work from one domain to its children. To have the same GPO settings for a parent domain and its children, therefore, it is necessary to link all the domains to the same GPO.
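The interplay of link order, inheritance, “Block Inheritance” and “No Override” described above is easier to reason about as a small model. The following Python is an added example, not code from the encyclopedia or from Microsoft; the container names (ees.test, child.ees.test, Engineering), GPO names and settings are constructed for illustration, and the resolution rules are those the text states: a container closer to the target overrides one further away, the first-listed link in a container prevails, “Block Inheritance” discards ordinary settings from above, “No Override” settings cannot be blocked or overridden, and nothing is inherited across a domain boundary.

```python
# Added example (not from the encyclopedia): a model of how W2K resolves
# conflicting Group Policy Objects linked at Site, Domain and OU level,
# including link order, "Block Inheritance" and "No Override".
# All container, GPO and setting names below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False  # "No Override" set on this link


@dataclass
class Container:
    name: str
    level: str                  # "site", "domain" or "ou"
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)  # link order; first = highest precedence
    block_inheritance: bool = False


def move_link_down(container, gpo_name):
    """Model the "Down" button in the Group Policy sheet: swap the named link
    with the one below it, lowering its precedence within the container."""
    names = [g.name for g in container.links]
    i = names.index(gpo_name)
    if i + 1 < len(container.links):
        container.links[i], container.links[i + 1] = container.links[i + 1], container.links[i]


def ancestry(container):
    """Containers from the top of the tree down to `container`, dropping any
    domain (and the OUs under it) above the nearest domain, because GPO
    inheritance stops at a domain boundary. Sites are kept."""
    chain = []
    c = container
    while c is not None:
        chain.append(c)
        c = c.parent
    chain.reverse()
    nearest_domain = max((i for i, c in enumerate(chain) if c.level == "domain"), default=-1)
    return [c for i, c in enumerate(chain) if c.level == "site" or i >= nearest_domain]


def effective_settings(target):
    """Resolve the settings in force at `target`.
    Processing goes from the top of the tree down, so a closer container
    overrides a more distant one; within a container the first-listed link is
    applied last so that it prevails. "Block Inheritance" discards ordinary
    settings accumulated above the container that sets it. "No Override" links
    are exempt from both blocking and overriding; when two of them conflict,
    the one higher in the tree keeps its value."""
    normal = {}     # settings from ordinary links: later writers win
    enforced = {}   # settings from "No Override" links: first writer wins
    for c in ancestry(target):
        if c.block_inheritance:
            normal = {}
        for gpo in reversed(c.links):          # last-listed first, first-listed last
            if not gpo.no_override:
                normal.update(gpo.settings)
        for gpo in c.links:                    # first-listed claims the key first
            if gpo.no_override:
                for key, value in gpo.settings.items():
                    enforced.setdefault(key, value)
    result = dict(normal)
    result.update(enforced)
    return result


def build_sample_forest():
    """Constructed sample mirroring the text's ees.test example: EES Policy is
    listed above Default Domain Policy on the domain."""
    site = Container("Default-First-Site", "site",
                     links=[GPO("Site Policy", {"min_pw_len": 6, "audit_logon": True})])
    domain = Container("ees.test", "domain", parent=site, links=[
        GPO("EES Policy", {"min_pw_len": 10}),
        GPO("Default Domain Policy", {"min_pw_len": 8, "lockout_threshold": 5}),
    ])
    child_domain = Container("child.ees.test", "domain", parent=domain)
    ou = Container("Engineering", "ou", parent=domain, block_inheritance=True,
                   links=[GPO("Engineering Policy", {"min_pw_len": 12})])
    return {"site": site, "domain": domain, "child_domain": child_domain, "ou": ou}


if __name__ == "__main__":
    forest = build_sample_forest()
    print("ees.test as linked:", effective_settings(forest["domain"]))
    move_link_down(forest["domain"], "EES Policy")
    print("after moving EES Policy down:", effective_settings(forest["domain"]))
    print("Engineering OU (Block Inheritance):", effective_settings(forest["ou"]))
    print("child.ees.test (no cross-domain inheritance):", effective_settings(forest["child_domain"]))
```

Running the script shows the four situations the text walks through: EES Policy winning while it is listed first, Default Domain Policy winning after “Down”, the Engineering OU keeping only its own settings because of “Block Inheritance”, and the child domain receiving nothing from ees.test. Setting `no_override=True` on the Default Domain Policy link makes its settings reappear in the blocked OU, which is the behaviour Table 1 summarises.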
GPOs can profoundly affect W2K security. Consider password policy, for instance, as shown in Figure 4. Settings such as minimum password length and password complexity (i.e., whether passwords can consist of any set of characters or whether they must be constructed according to specific rules, e.g., that they may not contain the username and must include at least three of the following four categories of characters: uppercase English characters, lowercase English characters, numerals, and special characters such as “&” and “/”) are embedded in GPOs. These settings affect how difficult to crack W2K passwords are. GPOs can be applied to a wide variety of entities, including accounts, local computers, groups, services, the W2K Registry, the W2K Event Log, objects within Active Directory, and more.

Table 1  How “No Override” Works

Level     “No Override” Applies to GPOs Linked to
Site      Child Sites, Domains, OUs, Child-OUs
Domain    OUs, Child-OUs
OU        Child-OUs
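The password-policy settings discussed above reduce to two checks a domain controller performs at password-change time: a length floor and the complexity rule (no username in the password, at least three of the four character categories). The following Python is an added example, not code from the encyclopedia or from Windows; the default minimum length of 8 and the sample usernames and passwords are constructed for illustration, and any character that is not an English letter or a digit is counted as a special character.

```python
# Added example (not from the encyclopedia): a checker for the two
# password-policy settings the text describes, minimum length and the W2K
# complexity rule (no username in the password; at least three of four
# character categories). The threshold and sample inputs are constructed.
import string

CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numerals": set(string.digits),
}
ALNUM = CATEGORIES["uppercase"] | CATEGORIES["lowercase"] | CATEGORIES["numerals"]


def categories_used(password):
    """Names of the character categories present in `password`. Anything that
    is not an English letter or a digit (e.g. "&" or "/") counts as special."""
    used = {name for name, chars in CATEGORIES.items() if any(c in chars for c in password)}
    if any(c not in ALNUM for c in password):
        used.add("special")
    return used


def check_password(password, username, min_length=8, complexity=True):
    """Return the list of policy violations for a proposed password under the
    given GPO settings; an empty list means the password would be accepted.
    `complexity=False` models a domain where the complexity setting is off."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if complexity:
        if username and username.lower() in password.lower():
            violations.append("contains the username")
        used = categories_used(password)
        if len(used) < 3:
            violations.append(f"uses only {len(used)} of 4 character categories")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs; the same password can pass or fail depending
    # on which settings the GPO in force for the account applies.
    for pw, user in [("Tr0ub4dor", "alice"), ("alice2003!", "alice"), ("password", "bob")]:
        print(f"{user!r} / {pw!r}: complexity on -> {check_password(pw, user)}; "
              f"complexity off -> {check_password(pw, user, complexity=False)}")
```

The checker makes the point of the paragraph concrete: with complexity off, "password" is accepted at the default length, while turning the setting on rejects it for using a single character category, and "alice2003!" is rejected only because it embeds the account name.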

Accounts, Groups, and Organizational Units

As in NT, each W2K system has a default local Administrator account, the built-in superuser account for administering that system. A default Administrator account also exists within each domain for the purpose of administering systems and resources throughout the domain. Additionally, there is a default local Guest account and also a domain Guest account, both of which (fortunately) come disabled by default. Any additional accounts must be created by people or applications with the appropriate level of rights.

W2K groups are more complicated than accounts. W2K has four types of groups: local groups (for allowing access and rights on a local W2K system), domain local groups (which can encompass users or groups from any trusted domain), global groups (which can allow access to

Figure 3: Viewing Group Policy Object Links for a domain.