Full Disclosure mailing list archives

RE: W2k users, local admin rights and GPOs


From: "Sergey V. Gordeychik" <gordey () infosec ru>
Date: Wed, 29 Oct 2003 17:32:38 +0300

-----Original Message-----
From: James Exim [mailto:security () exim dyndns org] 
Sent: Wednesday, October 29, 2003 11:51 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] W2k users, local admin rights and GPOs

It has been pointed out several times recently on the SF mailing lists
that a W2k user with local administrator rights can prevent group policy

So, Laura says that they can.
When I asked HOW, she pointed me to the Windows NT 5.0 beta 2 Group Policy
Guide (http://web.mit.edu/pismere/zaw/group-policy-white-paper.doc) and
the HKLM\Software\Policies\Microsoft\Windows\System\DisableGPO parameter.
After some testing I found that DisableGPO has no effect. The "Computer
Configuration" part of the policy is still applied OK even with DisableGPO=1
(so we can overwrite it). Tested on a W2K3 member server.
I think that this is an old solution that has been replaced with the "Group
Policy loopback" parameter.

But I can be wrong.

Administrators _can_ disable some settings by direct modification of
the registry, but can't prevent group policy application.

I hope... 

Is there really no workaround other than removing 
the users from the local Administrators group?

It's a very, very good idea :-)

Sorry, my English is very bad. 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

