Security Basics mailing list archives
GPO Application
From: "Lantana PC" <mark () lantanapc com>
Date: Wed, 1 Feb 2006 15:28:13 -0500
Hi all. So, everything I've learned about how GPOs are applied and everything I've seen before today has told me that as long as a user has read and execute permissions to the GPO and it is linked to a place they reside and there's no block inheritance/no override/denies anywhere, and there's no policy affecting them after said policy, they will take the settings.

Today, I tried to remove the properties sheet from Local Area Connections through the user side administrative templates. It only works on users who are not local administrators and who aren't part of the Domain Administrators group. I verified this by taking a random user from the OU and removing them from the local administrators group (this is an attempt to lock down developers who need local admin rights for IIS and whatnot). I always thought that it doesn't matter what local group membership they have when logging into a domain as far as GPOs are concerned.

I ran RSoP and gpresult; both show the GPO applies, but the settings do not go into effect unless the local administrator group membership is removed. I've checked the registry key that is modified by the GPO and it is in effect in the user's HKCU registry key even though the setting has no effect!!!

There are only two GPOs in the domain: Default Domain Policy, which hasn't been modified, and this policy, which I've set onto an OU where the account resides. I can't find on Google or in my books anything saying that GPOs don't apply to users who are local administrators <or domain administrators for that fact>. I even remember once within a Server 2000 environment I locked down my own domain admin account to the point where I had no tools off the start menu!

The environment consists of only Windows XP workstations, Server 2003 workstations and of course Windows Server 2003 servers. The result is the same regardless of whether or not it's an XP or 2003 workstation. Any ideas? I'm stumped.
-Mark