Re: Spying in a corporate environment



"> Like I said before: they log into the local machine instead of logging
into the domain. Voilà, no domain policies applied."

This is absolutely not true and displays a fundamental misunderstanding of group policy application. As long as the workstation in question is in a site/domain/OU with computer-targeted GPO settings linked to it, these GPOs will apply to the machine regardless of how a user logs in.

For example, I've created a Windows Firewall GPO that propagates restrictive Windows firewall settings to clients. This is a computer-targeted GPO that is applied to security groups composed of workstation accounts. When a user (including local administrator) logs in locally to one of the workstations specified in the GPO's filtering, the policy is applied and local administrator is unable to modify any Windows firewall settings (their only recourse would be to remove the workstation from the domain).

Please try this: log in as local administrator to a workstation as specified above, and run gpresult or rsop and view the results.


On Thu, 22 Nov 2007, Ansgar -59cobalt- Wiechers wrote:

> On 2007-11-22 Mario DeBono wrote:
> > On 22 November 2007 16:48 Ansgar -59cobalt- Wiechers wrote:
> > > On 2007-11-22 Mario DeBono wrote:
> > > > If you have a 2003 domain enforce group policies and restrict access
> > > > to certain windows components. I presume even if a user has admin
> > > > rights on a pc, he should not be able to override the group
> > > > policies, if he is not so keen to remove the policies from the pc
> > > > himself.
> > >
> > > You're mistaken. A local admin can override policies (at the very
> > > least for a short while until they are reapplied), and even if that
> > > wasn't possible (s)he can always log on locally, in which case domain
> > > policies don't apply at all. The only way to control users with local
> > > admin privileges is to revoke their local admin privileges.
> > > Everything else is a futile effort.
> >
> > Yep, could be possible, but if you apply the policies on a pc level
> > not user level, then that is something different.
>
> No, that doesn't make any difference at all. As long as a local admin is
> a local admin he can acquire any right/privilege whatsoever on that
> machine and can thus override any setting that may have been applied
> through other means. That is what makes a local admin.
>
> > Another way is to apply frequent policy updates depending on the
> > lan/wan you administer. This can be done through login as well.
>
> Like I said before: they log into the local machine instead of logging
> into the domain. Voilà, no domain policies applied.
>
> > Or, though I strongly advise against it, you could
> >
> > amend file permissions at the local security level, removing access for
> > local administrators and granting access only to domain admins, but you
> > have to be sure of what you are doing, else you might end up making a mess.
>
> That too doesn't make any difference at all. To repeat myself: a local
> administrator can acquire each and every privilege on the local machine.
> In your example all he has to do is take ownership and grant himself
> access permissions.
>
> If you revoke that privilege from a local admin, you actually demoted
> him from being a local admin. Which - like I said before - is the only
> way to restrict local admins: demote them from being local admins.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
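As an added example, not from the thread or from either poster, here is a PowerShell check for the verification step the reply describes: run from a local-account logon on a domain-joined workstation, it exports the computer-scope RSoP with gpresult, lists the domain GPOs that applied, and reads the firewall values the GPO writes to the policy registry hive. The GPO name is a placeholder, and the RSoP XML element names are assumed from gpresult's report schema.

```powershell
# Added example, not part of the original thread. Checks the claim that
# computer-scope GPOs apply even when the user logs on with a local account.
# Run in an elevated PowerShell on a domain-joined workstation.

$ExpectedGpo = 'Workstation Firewall Policy'   # placeholder: name of your firewall GPO

# 1. Record the test condition: machine is domain-joined, session is a local logon
#    (for a local account USERDOMAIN equals the computer name).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$localLogon = ($env:USERDOMAIN -eq $env:COMPUTERNAME)

# 2. Export the computer-scope RSoP as XML (/scope computer ignores user policy).
$report = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult /scope computer /x $report /f | Out-Null
[xml]$rsop = Get-Content -Path $report -Raw

# Element names below (GPO, Name, Enabled, IsValid, FilterAllowed, AccessDenied)
# are assumed from the Rsop schema that gpresult /x emits.
$ns = New-Object System.Xml.XmlNamespaceManager($rsop.NameTable)
$ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Rsop')

function Get-GpoField([System.Xml.XmlNode]$Gpo, [string]$Field) {
    # XPath lookup avoids PowerShell's own .Name property on XmlElement
    $Gpo.SelectSingleNode("r:$Field", $ns).InnerText
}

$applied = @(foreach ($gpo in $rsop.SelectNodes('/r:Rsop/r:ComputerResults/r:GPO', $ns)) {
    if ((Get-GpoField $gpo 'Enabled') -eq 'true' -and
        (Get-GpoField $gpo 'IsValid') -eq 'true' -and
        (Get-GpoField $gpo 'FilterAllowed') -eq 'true' -and
        (Get-GpoField $gpo 'AccessDenied') -eq 'false') {
        Get-GpoField $gpo 'Name'
    }
})

# 3. Read what the firewall GPO wrote. Policy values live under HKLM\SOFTWARE\Policies,
#    which is why they take precedence over the locally configured firewall settings.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$fw = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    DomainJoined         = $cs.PartOfDomain
    LocalLogonSession    = $localLogon
    AppliedComputerGpos  = ($applied -join '; ')
    FirewallGpoApplied   = ($applied -contains $ExpectedGpo)
    PolicyEnableFirewall = $fw.EnableFirewall   # 1 = enforced by policy; empty = no policy value
}
```

If FirewallGpoApplied is true and PolicyEnableFirewall is set while LocalLogonSession is true, the computer-scope policy applied without a domain logon, which is the point the reply makes.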

