Full Disclosure mailing list archives
W2k users, local admin rights and GPOs
From: "James Exim" <security () exim dyndns org>
Date: Wed, 29 Oct 2003 09:50:39 +0100
It has been pointed out several times recently on the SF mailing lists that a W2k user with local administrator rights can prevent group policy application on his/her machine and there is apparently nothing the domain administrator(s) can do about it (see http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html for an example) Does anyone know exactly (a) how, and (b) why this is possible? Is there really no workaround other than removing the users from the local Administrators group? I keep discovering W2k machines where end users have been granted local admin rights (yuk!) and I'm trying to convince the relevant domain admins that, while this is an easy way to make legacy software work, it isn't such a great idea from a security point of view... Thanks, James _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- W2k users, local admin rights and GPOs James Exim (Oct 29)
- Re: W2k users, local admin rights and GPOs Exibar (Oct 29)
- Re: W2k users, local admin rights and GPOs yossarian (Oct 29)
- <Possible follow-ups>
- RE: W2k users, local admin rights and GPOs Sergey V. Gordeychik (Oct 29)
- RE: W2k users, local admin rights and GPOs Sergey V. Gordeychik (Oct 29)
- Re[2]: W2k users, local admin rights and GPOs 3APA3A (Oct 30)
- RE: W2k users, local admin rights and GPOs Sergey V. Gordeychik (Oct 30)
- Re: W2k users, local admin rights and GPOs Exibar (Oct 29)