Security Basics mailing list archives

GPO Application


From: "Lantana PC" <mark () lantanapc com>
Date: Wed, 1 Feb 2006 15:28:13 -0500

Hi all.

So, everything I've learned about how GPOs are applied and
everything I've seen before today has told me that as long as a user has
read and execute permissions to the GPO and it is linked to a place they
reside and there's no block inheritance/no override/denies anywhere, and
there's no policy affecting them after said policy, they will take the
settings. Today, I tried to remove the properties sheet from Local Area
Connections through the user side administrative templates. It only works on
users who are not local administrators and who aren't part of the Domain
Administrators group. I verified this by taking a random user from the OU
and removing them from the local administrators group (this is an attempt to
lock down developers who need local admin rights for IIS and whatnot). I
always thought that it doesn't matter what local group membership they have
when logging into a domain as far as GPOs are concerned. I ran RSoP and
gpresult; both show the GPO applies, but the settings do not go into effect
unless the local administrator group membership is removed. I've checked the
registry key that is modified by the GPO and it is in effect in the user's
HKCU registry key even though the setting has no effect!!! There are only
two GPOs in the domain: Default Domain Policy, which hasn't been modified,
and this policy, which I've set onto an OU where the account resides. I can't
find on Google or in my books anything saying that GPOs don't apply to
users who are local administrators <or domain administrators for that fact>.
I even remember once within a Server 2000 environment I locked down my own
domain admin account to the point where I had no tools off the Start menu!
The environment consists of only Windows XP workstations, Server 2003
workstations and of course Windows Server 2003 servers. The result is the
same regardless of whether or not it's an XP or 2003 workstation. Any ideas?
I'm stumped.

 -Mark

