Click any folder under Security Templates, and in the right pane, you'll see folders that correspond to everything you can control with security templates:

  • Account Policies—for controlling password, lockout, and Kerberos policies
  • Local Policies—for controlling audit settings, user rights, and security settings
  • Event Log—for controlling event-log settings and the NT Event Viewer
  • Restricted Groups—for controlling what does and doesn't go into various local groups
  • System Services—for turning on and off services and controlling who has the rights to modify system services
  • Registry—for controlling permissions to change or view a specific registry key and enabling change auditing for keys
  • File System—for controlling NTFS permissions on folders and files

Creating a Template
Enough sightseeing; let's build a template from scratch. Right-click the template path (my path is C:\windows\security\templates, but yours might be different), then choose New Template and enter a name. Let's call this template Simple. The new template will appear as a folder in the left pane, below the prebuilt templates. Now, just for kicks, let's restrict the Administrators group, set the ACLs on C:\adminstuff, and shut down the Indexing Service. We can do all this through the folders under Simple.

First, let's clean out the Administrators group and add only the local Administrator and the domain's Domain Admins group to the Administrators group. Expand Simple and click the Restricted Groups folder. If you're working on an XP box, you'll see "There are no items to show in this view" in the right pane; if you're working on a Win2K box, nothing will appear in the right pane. Right-click Restricted Groups and choose Add Group. In the Add Group dialog box, click Browse and choose your workstation or member server's local Administrators group. Be sure to choose the Administrators group from your local computer rather than from your domain; if you're logged on to your workstation with a domain account, the Browse dialog box will assume that you want to add items from the domain—not from your workstation's or member server's local SAM. (Or, you can skip the browsing process and simply type Administrators in the Add Group dialog box.) After you return to the Add Group dialog box, click OK. If you're working on an XP system, you'll immediately see a new dialog box called Administrators Properties. (If you're working on a Win2K system, you need to right-click Administrators in the right pane and choose Security to access this dialog box, which Win2K labels Configure Membership for Administrators.)

In this dialog box, you'll see an upper section labeled "Members of this group" and a lower section labeled "This group is a member of." In the upper section, click Add to access the Add Member dialog box. If you're running Win2K, click Browse, and select the Domain Admins group from your domain. If you're using XP, clicking Browse takes you to the Select Users or Groups dialog box, but Domain Admins doesn't appear in the list. In XP, you need to first click Object Types, select Groups, and click OK to return to the Select Users or Groups dialog box. Then, choose Domain Admins, click OK to return to Add User, and click OK to return to the Administrators Properties dialog box. Follow the same steps to add the local Administrator account, then click OK.
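Because applying a Restricted Groups entry makes the listed accounts the group's entire membership, it pays to review the saved template before rolling it out. The script below is an added example, not part of the original article: it reads the [Group Membership] section of a template .inf and reports any Administrators member other than the two chosen above. The sample file contents, the domain SID, and the EXAMPLE\helpdesk account are constructed for illustration, and the allow-list patterns are assumptions about how the two accounts may be written in the file.

```python
import re

# Constructed sample of a saved Simple.inf after the steps above.
# The domain SID (S-1-5-21-1111-2222-3333) and EXAMPLE\helpdesk are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111-2222-3333-512,EXAMPLE\\helpdesk
"""

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of the local Administrators group

def restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and INF comments
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__(members|memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            group, kind, value = m.group(1).strip(), m.group(2).lower(), m.group(3)
            entry = groups.setdefault(group, {"members": [], "memberof": []})
            entry[kind] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def unexpected_members(inf_text, group, allowed):
    """Members the template would put in `group` that match no allowed pattern."""
    members = restricted_groups(inf_text).get(group, {}).get("members", [])
    return [m for m in members
            if not any(re.fullmatch(p, m, re.I) for p in allowed)]

# Intended membership from the walkthrough: the local Administrator account and
# Domain Admins (RID 512 of any domain, or the name with an optional domain prefix).
ALLOWED = [r"Administrator", r"\*S-1-5-21-[\d-]+-500",
           r"\*S-1-5-21-[\d-]+-512", r"(.+\\)?Domain Admins"]

if __name__ == "__main__":
    print(unexpected_members(SAMPLE_INF, ADMINISTRATORS, ALLOWED))
```

If the template names the group as Administrators rather than by SID, pass that name as the group argument instead.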
