RE: GPO Application

["Ramsdell, Scott" <sramsdell () stinsonmoheck com>]

Mark,

There is a dependent GPO setting that's likely catching you here.  You
also have to check "Enable Windows 2000 Network Connections settings for
Administrators".  

> From that policy, "By default, Network Connections group settings in
Windows XP Professional do not have the ability to prohibit the use of
features from Administrators."

> From the policy you applied, "If you enable this setting (and enable the
"Enable Network Connections settings for Administrators" setting), the
Properties button is disabled for Administrators."

I didn't test this, but give it a shot.

Regards,
Scott



-----Original Message-----
From: Lantana PC [mailto:mark () lantanapc com] 
Sent: Wednesday, February 01, 2006 2:28 PM
To: security-basics () securityfocus com
Subject: GPO Application

Hi all. 

 

            So, everything I've learned about how GPO's are applied and
everything I've seen before today has told me that as long as a user has
read and execute permissions to the GPO and it is linked to a place they
reside and there's no block inheritance/no override/deny's anywhere, and
there's no policy affecting them after said policy, they will take the
settings. Today, I tried to remove the properties sheet from Local Area
Connections through the user side administrative templates. It only
works on
users who are not local administrators and who aren't part of the Domain
Administrators group. I verified this by taking a random user from the
OU
and removing them from the local administrators group (this is an
attempt to
lock down developers who need local admin rights for IIS and whatnot). I
always thought that it doesn't matter what local group membership they
have
when logging into a domain as far as GPO's are concerned. I ran RSoP and
gpresult, both show the GPO applies but the settings do not go into
effect
unless the local administrator group membership is removed. I've checked
the
registry key that is modified by the GPO and it is in effect in the
user's
HKCU registry key even though the setting has no effect!!! There are
only
two GPO's in the domain. Default Domain Policy, which hasn't been
modified,
and this policy which I've set onto an OU where the account resides. I
can't
find on Google or in my books anything saying that GPO's don't apply to
users who are local administrators <or domain administrators for that
fact>.
I even remember once within a server 2000 environment I locked down my
own
domain admin account to the point where I had no tools off the start
menu!
The environment consists of only Windows XP workstations, Server 2003
workstations and of course windows server 2003 servers. The result is
the
same regardless of whether or not it's an XP or 2003 workstation. Any
ideas?
I'm stumped. 

 -Mark


------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting
experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity
Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
 
 
This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent 
to you in error, please contact the sender for instructions concerning return or destruction, and do not use or 
disclose the contents to others.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------