Re: W2k users, local admin rights and GPOs

["Exibar" <exibar () thelair com>]

It's actually very easy to prevent any policies from coming down to your
system if you have local admin rights.  What you do is first, delete the
policies from the registry, then deny everyone (except for a locally created
user) access to the policy key.  You'll see the failures in the event log
when a new policy attempts to get written.  Viola!  no more policies....

  Easy as pie....

  Exibar


----- Original Message ----- 
From: "James Exim" <security () exim dyndns org>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, October 29, 2003 3:50 AM
Subject: [Full-disclosure] W2k users, local admin rights and GPOs


> It has been pointed out several times recently on the SF mailing lists
that
> a W2k user with local administrator rights can prevent group policy
> application on his/her machine and there is apparently nothing the domain
> administrator(s) can do about it (see
http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html
> for an example)
>
> Does anyone know exactly (a) how, and (b) why this is possible?  Is there
> really no workaround other than removing the users from the local
> Administrators group?  I keep discovering W2k machines where end users
have
> been granted local admin rights (yuk!) and I'm trying to convince the
> relevant domain admins that, while this is an easy way to make legacy
> software work, it isn't such a great idea from a security point of view...
>
> Thanks,
>
> James
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html