Educause Security Discussion mailing list archives

Re: Group Policy enforced on desktop

From: Michael Schalip <mschalip () CNM EDU>
Date: Sat, 3 Apr 2010 21:20:00 +0000

Would you be able to do something as early as next Friday?

Michael
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Sat, 3 Apr 2010 11:51:40 
To: SECURITY () LISTSERV EDUCAUSE EDU<SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Group Policy enforced on desktop

Leigh-

So how are you determining that the setting is or isn't set? What I'd
suggest is running "gpresult /v > gpresults.txt" and looking at the
resulting text file. If you mail me the particular setting I can look up the
registry value that it sets. It's also possible that the setting was added
in a service pack for XP and your sample machine is running an older service
pack.

In general you shouldn't need to rebuild the GPO to change the setting. If
the issue is that the setting is set in the policy but not reflected
locally, I would ensure that a) gpresult indicates the GPO is applied (and
is effective) and b) GPOs are applying successfully (userenv warnings/errors
in the system log are indicative of a problem here). It's possible there's
something messed up with the actual policy object but that is likely
fixable.

--brian

Thanks,
Brian Desmond
brian.desmond () morantechnology com

w - 312.625.1438 | c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

Group Policy Gurus,

I am auditing a desktop with MS Windows XP Pro operating system with a
nice group policy applied to the organizational unit. When reviewing the
computer, the group policy appears to enforce a Security Options setting
which is only found in XP, W2k, and W2k3. However, when I reviewed the
group policy the setting is not listed. The XP Pro default setting is
recommend by the CIS benchmark and NIST checklist, but the machine has a
weaker setting enforced which we cannot locally change because of AD.
Please contact me directly if you wish to know the setting.

Has anyone seen this before and have any explanation? I assume to
correct the group policy will need to be rebuild from scratch. 

Thanks,
Leigh Cheek, CIA, CISA
Senior Auditor
Audit and Consulting Services
University of Tennessee
149 Conference Center Building
Knoxville, TN 37996-4114
(865) 974-4420
fax (865) 974-6171
lcheek () utk edu

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Current thread:

Re: Group Policy enforced on desktop Brian Desmond (Apr 03)
- <Possible follow-ups>
- Re: Group Policy enforced on desktop Dexter Caldwell (Apr 03)
- Re: Group Policy enforced on desktop Michael Schalip (Apr 03)