RE: RESPONSE: Users "bypassing" Group Policy restrictions

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 01/28/05

Next message: Laura A. Robinson: "RE: Users "bypassing" Group Policy restrictions"

Previous message: Martin Mewes: "Re: Preventing multiple logins in 2003"
In reply to: Gerson Ricardo: "RESPONSE: Users "bypassing" Group Policy restrictions"
Next in thread: Miroslaw Slawek Chorazy: "RE: RESPONSE: Users "bypassing" Group Policy restrictions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'Gerson Ricardo'" <gricardo@gableseng.com>, "'Edward VanDewars'" <gt4200b@yahoo.com>, <focus-ms@securityfocus.com>, "'Zamora, Robert'" <Zamora@gableseng.com>
Date: Thu, 27 Jan 2005 20:10:08 -0500

Inline...

> -----Original Message-----
> From: Gerson Ricardo [mailto:gricardo@gableseng.com]
> Sent: Thursday, January 27, 2005 5:00 PM
> To: Edward VanDewars; focus-ms@securityfocus.com; Zamora, Robert
> Subject: RESPONSE: Users "bypassing" Group Policy restrictions
>
>
> Edward,
>
> Talk about circumventing! You indeed have creative users in
> your midst, to say the least. The answer lies with setting
> local policies to match your domain level AD GPOs - and if
> any user has local admin privileges for whatever reason,
> simply exclusively allow domain access to the
> %systemroot%\system32\GroupPolicy directory, followed by an
> exclusive 'deny'
> disallowing and local user account, including local
> administrators, access to modify local computer policy.
>
> Problem should be solved - all without the use of super glue :)

'fraid not. Local administrators can take ownership of any file, and any
registry key. The owner of a file/reg key can change its permissions.
Always. No matter what.

This, of course, is one of a bazillion reasons not to let users have local
admin privileges on their machines. :-)

Laura

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Next message: Laura A. Robinson: "RE: Users "bypassing" Group Policy restrictions"

Previous message: Martin Mewes: "Re: Preventing multiple logins in 2003"
In reply to: Gerson Ricardo: "RESPONSE: Users "bypassing" Group Policy restrictions"
Next in thread: Miroslaw Slawek Chorazy: "RE: RESPONSE: Users "bypassing" Group Policy restrictions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Power Policy Manager
... I assume this is for Local Machines logged onto a Domain environment where ... Locate and click the following registry key: ... Making these changes will allow normal users to alter power scheme settings ... without being added to the Local Administrators group. ...
(microsoft.public.win2000.security)
RE: XP. Rigts to change power schema
... Make them local administrators for thier machines or use the steps below... ... Locate and click the following registry key: ... On the Security menu, click Permissions. ... user individually or add the Users group to this local security policy. ...
(microsoft.public.windowsxp.security_admin)