RE: Users "bypassing" Group Policy restrictions
From: Edward VanDewars (gt4200b_at_yahoo.com)
Date: 01/29/05
- Previous message: Ivan Carlos: "Re: Preventing multiple logins in 2003"
- Maybe in reply to: Edward VanDewars: "Users "bypassing" Group Policy restrictions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 Jan 2005 07:29:46 -0800 (PST) To: focus-ms@securityfocus.com, "Ghetti, Tim" <tghetti@air-worldwide.com>
Tim - This should be EXACTLY what I need to solve the
problem, thank you very much for the suggestion.
In response to all the suggestions indicating it is a
managerial/administrative/HR problem - thank you all,
I completely agree with you. However, I failed to
mention originally that our environment is actually a
school and these users are students. Obviously this
brings with it a unique set of challenges (and
probably explains why they even thought to unplug the
ethernet cable in the first place).
In response to Matthew (who suggested it is indicative
of a larger issue): in this case I have had a few
users/students who made me aware of the situation as
sort of a "heads-up" and we were able to discuss and
remedy it (they wanted to run Firefox which is not
currently installed because of its lack of a strong
central administrative functionality, I enabled it for
those responsible users/students and publicly
committed to making it available in the future). My
concern and motivation behind asking the original
question was how many "unknown" users/students were
also doing this with not-so-innocent programs.
Nobody has local admin rights and I used NTFS
permissions to restrict command prompt access, so that
mitigates things somewhat. My concern is that without
the Software Restrictions Policies users were able to
run any program that didn't require an installer.
I had not tried copying the GP Software Restriction
Policies to a local policy, as I could not find
documentation on which would take precedence if/when I
needed to change something in the GPO policy.
Thanks again to everyone.
--- "Ghetti, Tim" <tghetti@air-worldwide.com> wrote:
> Windows XP shortened the logon time by allowing
> users to put in their
> credentials before all network connections and group
> policies are
> processed. There is an option to revert back to the
> 2K days when you
> have to wait until GP's are processed first.
>
> Under computer configuration/logon --> Always wait
> for the network at
> computer startup and logon.
>
> It will increase logon time a little bit, but if you
> really want to
> enforce policies, this is the way to go.
> BTW, you can also force a policy refresh every X
> minutes if you suspect
> your users are savvy enough to change policies via
> the registry
>
> Computer configuration --> Administrative Templates
> --> System --> Group
> Policy
>
> Good Luck!
__________________________________
Do you Yahoo!?
Yahoo! Mail - 250MB free storage. Do more. Manage less.
http://info.mail.yahoo.com/mail_250
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: Ivan Carlos: "Re: Preventing multiple logins in 2003"
- Maybe in reply to: Edward VanDewars: "Users "bypassing" Group Policy restrictions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
