Group membership / Kerberos tickets

From: Zack Schiel (ZSchiel_at_blueandco.com)
Date: 04/28/05

  • Next message: Laura A. Robinson: "RE: Group membership / Kerberos tickets"
    Date: Thu, 28 Apr 2005 09:51:58 -0500
    To: <focus-ms@securityfocus.com>
    
    

    I'm hoping that someone here can confirm this for me and possibly give a deeper explanation for the behavior that we're seeing.

    Essentially, we are in the process of creating a series of site GPOs; the default Authenticated Users permission remains, and we've also denied Read and Apply Group Policy to a new group containing certain computers, mainly servers.  The problem that we're running into is that these servers don't appear in RSoP reports as members of the new security group (even though they have been for nearly 24 hours now), and thus they are receiving and applying these GPOs.  When the machines are rebooted, they correctly add the group to their list of security groups to which they belong, and the GPOs are denied. 

    The obvious solution is to reboot the servers before linking the GPO.  We would of course prefer to avoid rebooting dozens of servers, however. 

    I believe the reason this happens is that a machine receives its TGT at startup, and the TGT contains SIDs for groups to which the machine belongs.  This TGT is then simply renewed every X number of hours for several days, and thus the list of SIDs isn't updated until the ticket is actually reissued at restart.  Am I on the right track here?  Is there a relatively easy way to force a machine to reissue its TGT without rebooting or causing other issues? 

    Aside from our current predicament, this seems to be a bit of a security hole: machines can actively receive GPOs to which they have been denied access, long after they are denied that access.

    Thanks,

    -Zack-

    ______________________
    Zack Schiel
    Network Support
    Blue & Co., LLC
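The post describes a window in which a computer is already a member of the deny group in Active Directory but its machine token (built from the TGT issued at startup) does not yet carry that group SID, so the "Deny Apply Group Policy" ACE is not enforced. The script below is an added example, not part of the original post or any reply: it lists the computers that are members of a group in AD and, for each one, reads the "security groups" block from its computer-scope RSoP summary (`gpresult /s <server> /scope computer /r`) to see whether the group is present in the token that was in effect when policy last applied. It assumes the RSAT ActiveDirectory module, administrative rights on the target servers, English gpresult output, and uses the placeholder group name `GPO-Deny-Servers`.

```powershell
# Added example, not from the original post. Reports AD group members whose
# machine token has not yet picked up the membership, i.e. servers still in the
# window the post describes where a GPO "deny" is not enforced.
# Assumptions: RSAT ActiveDirectory module, admin rights on the targets
# (gpresult /S reads RSoP data over RPC/WMI), English gpresult output.
param(
    [string]$GroupName = 'GPO-Deny-Servers'   # placeholder for the deny group's name
)

Import-Module ActiveDirectory

function Get-TokenGroupsFromRsop {
    # Return the group names listed under "The computer is a part of the
    # following security groups" in the computer-scope RSoP summary.
    param([string]$Server)

    $out = gpresult /s $Server /scope computer /r 2>&1 | Out-String -Stream
    $marker = $out |
        Select-String -SimpleMatch 'The computer is a part of the following security groups' |
        Select-Object -First 1
    if (-not $marker) {
        throw "RSoP group block not found for $Server (access denied, or non-English output?)"
    }

    $groups = @()
    # LineNumber is 1-based, so $out[$marker.LineNumber] is the line after the marker.
    for ($i = $marker.LineNumber; $i -lt $out.Count; $i++) {
        $line = $out[$i].Trim()
        if ($line -match '^-+$') { continue }   # skip the dashed underline
        if ($line -eq '')        { break }      # blank line ends the block
        $groups += $line
    }
    return $groups
}

# Computers that AD currently records as members of the deny group.
$members = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'computer' }

$report = foreach ($m in $members) {
    try {
        $tokenGroups = Get-TokenGroupsFromRsop -Server $m.Name
        # Entries look like DOMAIN\GroupName; compare on the name part only.
        $inToken = [bool]($tokenGroups | Where-Object { ($_ -split '\\')[-1] -eq $GroupName })
        $note = if ($inToken) {
            'deny ACE effective'
        } else {
            'stale token: deny not enforced until the machine ticket is reissued'
        }
        [pscustomobject]@{
            Server         = $m.Name
            InAdGroup      = $true
            InMachineToken = $inToken
            Note           = $note
        }
    } catch {
        [pscustomobject]@{
            Server         = $m.Name
            InAdGroup      = $true
            InMachineToken = $null
            Note           = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
```

Run it before linking the GPO: any row with `InMachineToken` false is a server that will still receive and apply the policy despite the deny, so the list doubles as a check that the deny filtering is actually in force rather than merely configured. The marker string and the `DOMAIN\Group` layout are what the English gpresult summary prints; on a localized system the marker text has to be adjusted.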



