Re: Windoze GPO Question

["Steve Armstrong" <stevearmstrong () logicallysecure com>]

Gpo's are always applied - otherwise the client could undo security  
and other features when away from the DC. Remember they are not  
connected to the domain, but they are still part of it.

Try making an ou for laptop users that have permissions to apply other  
dhcp settings.

Plus they should not be logging into 'this computer'. It will mess up  
their settings. If you have remote connectivity you still want users  
logging into the domain, and this will also allow them to use domain  
resourses remotely without having to sign on again.

Having users operating with local accounts on laptops is bad as these  
are not subject to domain password policy etc as this is defined on  
the local system. This usually means users can have blank passwords it  
the same ones for years - neither if which are good.

Remember gpo's are for both the machine and the user. Until the  
machine is removed from the domain, domain gpo's will be applied. This  
is regardless of the users status (domain or local).

But that's all windows (note spelling) domain/active directory basics  
- not really doze!

Steve Armstrong

Technical Security Director
Logically Secure

Tel. 01522 689799
Mob. 07970 929583

(sent from a mobile device, so please excuse any typos)

On 10 Nov 2008, at 21:33, "Jon Kibler" <Jon.Kibler () aset com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> This may be slightly off topic, but I have a question about GPO scope.
>
> I have a client that has a bunch of sales people who have laptops.  
> When
> they come into their office, they login to the domain. When they are  
> on
> the road, they login to 'this computer.'
>
> The problem that the client is seeing has left me scratching my head
> about how GP works. What is happening is the client has recently set
> some new group policies that do things like specify which name servers
> and other network resources a given OU is to use. Now, when these
> laptops are taken on the road and the user tries to get Internet  
> access,
> it fails. Why? Because the GPO settings are overriding the DHCP  
> settings
> on 'this computer'.
>
> What I don't understand is why DOMAIN OU GPOs are being applied  
> outside
> the scope of the domain. If you are not logging into the domain, why  
> are
> the domain GPOs in effect? This doesn't make sense. Has my client
> somehow misconfigured AD?
>
> THANKS!
>
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkkYmJAACgkQUVxQRc85QlOMSwCeP5JEFlf/yrl4uwh6Cbl7AFnm
> ZaoAnRRW4d0eFTlMRAQIH6mJR/JpHL3x
> =t05p
> -----END PGP SIGNATURE-----
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.

The information contained in this e-Mail and any subsequent correspondence is private and is intended solely for the 
intended recipient(s). The information in this communication may be confidential and/or legally privileged. Nothing in 
this e-mail is intended to conclude a contract on behalf of Logically Secure Ltd or make Logically Secure Ltd subject 
to any other legally binding commitments, unless the e-mail contains an express statement to the contrary or 
incorporates a formal Purchase Order.  For persons other than the intended recipient any disclosure, copying, 
distribution, or any action taken or omitted to be taken in reliance on such information is prohibited and may be 
unlawful.

Registered in England and Wales No: 05967368.  Registered Office: 36 Tudor Road, Lincoln, LN6 3LL.