Missing Group Policy settings


VoodooV

I'm trying to create a group policy for Windows 7 to enable various security settings to create a NIST USGCB baseline. There are two settings under Computer Configuration\Policies\Administrative Templates\Network\Network Connections:

  • Require Domain users to elevate when setting a network location
  • Route all traffic through the internal network

but these settings simply do not appear for me. I have only four items available to me:

  • Windows Firewall (folder)
  • Prohibit installation and configuration of Network Bridge on your DNS domain network
  • Prohibit use of Internet Connection Firewall on your DNS domain network
  • Prohibit use of Internet Connection Sharing on your DNS domain network

My Google-fu is failing me when I try to find any explanation as to why those two settings are missing. I checked out the NetworkConnections.admx file that's on the local PC that I'm creating the GPO on and I do see references to the two settings in question, but they just don't show up for me to configure them. Now I know when push comes to shove, I know the registry entries that they ultimately modify so I know I can resort to a registry edit if I have to, but I'd like to understand why those settings are missing. I tried updating my RSAT, I tried updating the ADMX files, I've tried editing the group policies from a 2K8 R2 server, but no luck.

Any ideas? Thanks in advance!


I was wondering if this wasn't more suited for the server forums, sorry about that.

Unfortunately, I don't have access to our domain controllers. We're a state agency and it was decided a few years back that a central agency would control everything so our agency is just an OU in the big state domain. We do have our own 2K8 R2 w/SP1 servers, but they aren't domain controllers. I tried loading up RSAT on one of those servers but I didn't get the options there either.

Last I heard, their DCs are 2K8 R2, but I have no idea if they have SP1 or not. Do you think it's a lack of SP1 that's causing the issue? If I get ahold of the domain admins, it would be nice if I had an idea what would fix it.

EDIT: I moved on to the next set of settings and it appears they are missing too:

There should be a group of settings called IPv6 Transition Technologies that should be under Computer Configuration\Administrative Templates\Network\TCPIP that just aren't there for me.

When I was researching this, I got the impression that all those settings are stored in those ADMX files on the local machine. Do our domain admins just need to update the ADMX files on the DC?

I know I can do this through registry edits, but it would be tedious as hell.

EDIT2: loaded up local group policy editor on my Win7 box. The settings are there. So I guess I do have a way to automate it now. I'm still thinking I ought to talk to our domain admins about this though since these are security features that are rather important.

Edited by VoodooV

If they are that important and you feel they should be instituted company-wide, then they should be added to the domain GPOs rather than the local system. The reason for this is that it is easier to manage those settings. Say there is a problem down the road, the domain admin can easily disable that setting for testing, or even create an OU for a pilot group that doesn't have that setting enabled/disabled.


If you can get or have the ADMX files that are needed for these settings, you put them in the PolicyDefinitions folder in sysvol (where the GPOs are stored). Everyone should have read rights in the space, and if you have the ability to create GPOs you should have write rights in the space to be able to do it.

You don't know how tempted I am to do that. But since it would affect everyone, not just our agency, I'm not about to mess with that (and my livelihood). And yeah... I just took a peek, I found the sysvol policydefinitions folder on our domain. Oh so tempting! :) I'm no MCSE though and I see multiple domain controllers out there so I'm not going to mess with it myself.

Besides, I'll derive more pleasure out of demonstrating to the powers that be that they need to keep up with our standards...again :) We found out who to contact to update that stuff so it should just be a matter of time now.

Thanks for pointing me in the right direction gang :)

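An added example, not part of the original thread or any poster's code: a read-only PowerShell check that compares the ADMX templates in the local PolicyDefinitions folder with those in the SYSVOL PolicyDefinitions folder discussed above, and lists policies defined locally but absent from the domain copy. The helper name Get-AdmxPolicyName is hypothetical, and the SYSVOL path is assumed to follow the usual \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions layout, with the domain taken from USERDNSDOMAIN.

```powershell
# Added example: read-only comparison of local ADMX templates with the
# PolicyDefinitions folder in SYSVOL. Nothing is written to either location.
# Assumption: the domain name comes from the USERDNSDOMAIN environment variable.
$domain  = $env:USERDNSDOMAIN
$local   = Join-Path $env:windir 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# Hypothetical helper: return the name of every <policy> element in an ADMX file.
function Get-AdmxPolicyName {
    param([string]$Path)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    @($xml.policyDefinitions.policies.policy |
        Where-Object { $_ } | ForEach-Object { $_.name })
}

if (-not (Test-Path -Path $central)) {
    Write-Output "No PolicyDefinitions folder found at $central"
} else {
    foreach ($file in Get-ChildItem -Path $local -Filter '*.admx') {
        $peer = Join-Path $central $file.Name
        if (-not (Test-Path -Path $peer)) {
            # The whole template is absent from the domain copy.
            New-Object PSObject -Property @{
                File = $file.Name; Finding = 'file missing in SYSVOL'; Policy = '' }
            continue
        }
        $centralNames = Get-AdmxPolicyName $peer
        # Policies this machine's template defines that the domain copy lacks.
        foreach ($name in Get-AdmxPolicyName $file.FullName) {
            if ($name -and ($centralNames -notcontains $name)) {
                New-Object PSObject -Property @{
                    File = $file.Name; Finding = 'policy missing in SYSVOL'; Policy = $name }
            }
        }
    }
}
```

The output gives the domain admins a concrete list of templates and policy names to bring up to date, without anyone outside that team touching SYSVOL.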
