RE: [Full-Disclosure] W2k users, local admin rights and GPOs
- To: "James Exim" <security@exim.dyndns.org>, <full-disclosure@lists.netsys.com>
- Subject: RE: [Full-Disclosure] W2k users, local admin rights and GPOs
- From: "Sergey V. Gordeychik" <gordey@infosec.ru>
- Date: Wed, 29 Oct 2003 17:32:38 +0300
-----Original Message-----
From: James Exim [mailto:security@exim.dyndns.org]
Sent: Wednesday, October 29, 2003 11:51 AM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] W2k users, local admin rights and GPOs
>It has been pointed out several times recently on the SF mailing lists that
>a W2k user with local administrator rights can prevent group policy
So, Laura says that they can.
When I asked HOW, she pointed me to the Windows NT 5.0 beta 2 Group Policy
Guide (http://web.mit.edu/pismere/zaw/group-policy-white-paper.doc) and the
HKLM\Software\Policies\Microsoft\Windows\System\DisableGPO parameter.
After some testing I found that DisableGPO has no effect. The "Computer
Configuration" part of the policy is still applied OK even with DisableGPO=1
(so we can overwrite it). Tested on a W2K3 member server.
I think that this is an old solution that has been replaced with the "Group
Policy loopback" parameter.
But I can be wrong.
Administrators _can_ disable some settings by direct modification of the
registry, but can't prevent group policy application.
I hope...
>Is there really no workaround other than removing
>the users from the local Administrators group?
It's a very, very good idea :-)
Sorry, my English is very bad.