Educause Security Discussion mailing list archives

Re: Group Policy enforced on desktop

From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Sat, 3 Apr 2010 19:51:40 +0200

Leigh-

So how are you determining that the setting is or isn't set? What I'd
suggest is running "gpresult /v > gpresults.txt" and looking at the
resulting text file. If you mail me the particular setting I can look up the
registry value that it sets. It's also possible that the setting was added
in a service pack for XP and your sample machine is running an older service
pack.

In general you shouldn't need to rebuild the GPO to change the setting. If
the issue is that the setting is set in the policy but not reflected
locally, I would ensure that a) gpresult indicates the GPO is applied (and
is effective) and b) GPOs are applying successfully (userenv warnings/errors
in the system log are indicative of a problem here). It's possible there's
something messed up with the actual policy object but that is likely
fixable.

--brian


Thanks,
Brian Desmond
brian.desmond () morantechnology com

w - 312.625.1438 | c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian


Group Policy Gurus,

I am auditing a desktop with MS Windows XP Pro operating system with a
nice group policy applied to the organizational unit. When reviewing the
computer, the group policy appears to enforce a Security Options setting
which is only found in XP, W2k, and W2k3. However, when I reviewed the
group policy the setting is not listed. The XP Pro default setting is
recommend by the CIS benchmark and NIST checklist, but the machine has a
weaker setting enforced which we cannot locally change because of AD.
Please contact me directly if you wish to know the setting.

Has anyone seen this before and have any explanation? I assume to
correct the group policy will need to be rebuild from scratch.


Thanks,
Leigh Cheek, CIA, CISA
Senior Auditor
Audit and Consulting Services
University of Tennessee
149 Conference Center Building
Knoxville, TN 37996-4114
(865) 974-4420
fax (865) 974-6171
lcheek () utk edu

Current thread:

Re: Group Policy enforced on desktop Brian Desmond (Apr 03)
- <Possible follow-ups>
- Re: Group Policy enforced on desktop Dexter Caldwell (Apr 03)
- Re: Group Policy enforced on desktop Michael Schalip (Apr 03)