Re: Group Policy enforced on desktop

[Alex Keller <alkeller () SFSU EDU>]

hi Leigh et al,

i am little confused about the specifics of which settings appear to be
in conflict, but assuming you have already reviewed the output of
"gpresult" and ruled out the way the GPOs are being applied (via the GPO
modeling wizard), then I would be looking at if the user profile
(ntuser.dat) and/or registry has been "tattooed" with a specific
setting. back when i was running a XP computer lab, we would
occasionally encounter scenarios where a GPO setting gets "stuck" in the
local profile, such that reversing it (not configured or disabled) in
the GPO doesn't have any effect. refreshing ntuser.dat or ferreting out
the specific reg entry would clear the issue.

good luck,
alex  <--not a "Group Policy Guru" :)

--
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu



On 3/29/2010 1:44 PM, Cheek, Leigh wrote:
> Group Policy Gurus,
>
> I am auditing a desktop with MS Windows XP Pro operating system with a
> nice group policy applied to the organizational unit. When reviewing the
> computer, the group policy appears to enforce a Security Options setting
> which is only found in XP, W2k, and W2k3. However, when I reviewed the
> group policy the setting is not listed. The XP Pro default setting is
> recommend by the CIS benchmark and NIST checklist, but the machine has a
> weaker setting enforced which we cannot locally change because of AD.
> Please contact me directly if you wish to know the setting.
>
> Has anyone seen this before and have any explanation? I assume to
> correct the group policy will need to be rebuild from scratch.
>
>
> Thanks,
> Leigh Cheek, CIA, CISA
> Senior Auditor
> Audit and Consulting Services
> University of Tennessee
> 149 Conference Center Building
> Knoxville, TN 37996-4114
> (865) 974-4420
> fax (865) 974-6171
> lcheek () utk edu