Solved

Secured GPO

Posted on 2003-03-24
13
Medium Priority
294 Views
Last Modified: 2013-12-04
I need to implement highly secured GPOs.

My problem is with users who are members of the local Administrators group on some machines: they can edit the registry of the machine, overwrite the registry keys that the GPO modifies, and also change the permissions on these keys so that the GPO is not applied any more.

They also change the permissions of the keys responsible for refreshing the GPO, so any applied GPO will not refresh on them; even when a change is made in the GPO itself, it doesn't refresh.

I need the GPOs to refresh for all users, including these local admins, and also to overwrite the keys they changed, even if they change the permissions of the keys.
0
Comment
Question by:helmy1313
13 Comments
 
LVL 9

Expert Comment

by:MSGeek
ID: 8197513
I think you have already answered your own question.  Your question shows a thorough knowledge of policies and how they are applied, as well as how they might be circumvented.  BTW, as an administrator there are other ways to circumvent policies.

You cannot implement policies on local Administrators and expect them not to be able to bypass your settings.  Why are these untrusted individuals in the Admin group anyway?

The only thing I can think of is to write a script that would notify me that the registry entry has been changed or that the rights to the group policy folder have been changed.  There are just too many holes to accomplish this when they are logged in as admins.  Make them members of the local Users group.
0
 

Author Comment

by:helmy1313
ID: 8200957
If they log on as the local Administrator, it doesn't matter to me, as no policy can be applied to that account; but they log on with their domain user, which is a member of the local Administrators group. This user is a domain user, and the policies must be applied to him whether he is an administrator or not. I need a way to refresh the policy on them even if he changed the registry key permissions of this policy.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8202315
It is not possible.
0

 

Author Comment

by:helmy1313
ID: 8202821
So what is the solution to control these kinds of administrators so that they can't overcome the policy? Even if they did, the GPO could be refreshed and slapped in their face at a certain interval.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8202858
A refresh is only valid if the administrator has not modified his read/write access to the Group Policy folder.  Policies do not rely on a registry setting alone.  Policies and how they are implemented have changed since the Win9x and NT days of the .pol file.

What are you trying to prevent access to?
0
 

Author Comment

by:helmy1313
ID: 8203563
Look, here is the whole issue:

- Some domain users (not many) are members of the local Administrators group on their own machines so as to do some tasks like: Add/Remove Programs, start/stop services, open and use Computer Management, run certain applications, .... Unfortunately the GPO doesn't give us the POWER to give these users ONLY the functions they need; it only opens the GATE for them, then you must make them members of the local Administrators group so they can do their job. To overcome this we restrict the registry tools for these users.
- But some of them have access to the registry tools. These users ALREADY changed the registry key permissions that are responsible for applying both the Wallpaper and Screen Saver GPOs (as an example); they also changed the keys responsible for refreshing the GPO itself. Note that the wallpaper and screen saver are not applied to them on ANY machine they log on to; it seems that they change something in their roaming profile that overcomes the GPO settings!!!
- All we need is to apply and refresh the GPOs on all users, including these domain (local admin) users; even if they modify any registry key, it must be overwritten by the GPO every 90 min (every refresh).
0
 
LVL 9

Accepted Solution

by:
MSGeek earned 200 total points
ID: 8203825
The only way to overwrite the registry changes is to push the correction out through a logon script; it cannot be done as a scheduled event without their having control over it.   As far as policies following their profiles, that is not how policies work.  Policies are user and computer specific, not profile specific.  Having said that, it sounds like they have made this registry modification on a number of machines.

It is a tremendous security problem having any user be a member of the local Administrators group.  I will not tolerate it; it allows them full access to their computer and the computers in their subnet.  They can access administrative shares on other workstations as well as the registry on those workstations.

While management may deem it necessary for these individuals to have such authority over their local workstation in order to do their job, they need to be made aware of the risks this poses to the organization as a whole.  Not only can these cowboys do what I mentioned, but if they get hit with a virus or trojan, it will have the same rights.

IMHO I would revoke the cowboy's permissions until he/she abides by your company's Acceptable Use Policy.  The computer is not theirs to do with whatever they wish; it belongs to the company.  It is for work use only, and if these modifications are against the company's AUP you need to enforce it.

Having said all that, your bigger issue is the security threat posed by having users log on as administrators.  I do not even log on to my own computers as the administrator unless I absolutely have to.  When I do, I only use known web sites and I do not access any e-mail or unknown media.
0
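The two practical suggestions in this thread are MSGeek's earlier idea of a script that notifies you when a policy registry entry or its rights have been changed, and the accepted answer's logon script that pushes the correction back out. The following PowerShell logon script, added here as an illustration and not code from the thread or from Microsoft, does both on a modern Windows client: it compares a list of values the GPO is expected to enforce against the registry, inspects the ACL on those keys for Deny entries or write access granted outside SYSTEM and Administrators, appends any findings to a CSV on a share, and optionally re-asserts the values and requests a policy refresh. The registry paths are the standard per-user policy locations for the screen saver, wallpaper and registry-tools settings the questioner mentions; the expected values, the wallpaper path and the report share `\\REPORT-SERVER\gpo-audit$` are placeholders to adjust.

```powershell
# Added example, not code from the thread: a user logon script that audits the registry
# values a GPO is expected to enforce and the ACLs on those keys, records any drift, and
# optionally re-applies the expected values. Key paths are well-known policy locations;
# the expected values and the report share are placeholders for this example.
param(
    [string]$ReportPath = '\\REPORT-SERVER\gpo-audit$\drift.csv',   # placeholder UNC path
    [switch]$Remediate                                             # also rewrite values and refresh policy
)

# Policy values this GPO is expected to set (illustrative; adjust to the GPO actually deployed).
$ExpectedPolicies = @(
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaveActive';     Value = '1'   },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaverIsSecure';  Value = '1'   },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaveTimeOut';    Value = '600' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'Wallpaper';            Value = '\\FILESERVER\policies\corp.bmp' },  # placeholder path
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Value = 1     }   # DWORD
)

# Identities that legitimately hold write access on per-user policy keys. A local admin user
# is a member of BUILTIN\Administrators, which is exactly why this check can only detect,
# not prevent, tampering by such a user.
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-PolicyValueDrift {
    # Compare each expected value with what is actually in the registry.
    foreach ($p in $ExpectedPolicies) {
        $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Key = $p.Key; Name = $p.Name; Expected = $p.Value; Actual = '<missing>'; Issue = 'ValueMissing' }
        }
        elseif ("$($item.($p.Name))" -ne "$($p.Value)") {
            [pscustomobject]@{ Key = $p.Key; Name = $p.Name; Expected = $p.Value; Actual = $item.($p.Name); Issue = 'ValueChanged' }
        }
    }
}

function Get-PolicyAclDrift {
    # Flag Deny entries (the usual way to stop policy from writing a key) and write access
    # granted to any identity outside the trusted set.
    $keys = $ExpectedPolicies | ForEach-Object { $_.Key } | Sort-Object -Unique
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Deny') {
                [pscustomobject]@{ Key = $key; Name = $who; Expected = 'no Deny ACE'; Actual = $ace.RegistryRights; Issue = 'DenyAce' }
            }
            elseif ((($ace.RegistryRights -band $WriteMask) -ne 0) -and ($TrustedWriters -notcontains $who)) {
                [pscustomobject]@{ Key = $key; Name = $who; Expected = 'read only'; Actual = $ace.RegistryRights; Issue = 'UntrustedWriteAccess' }
            }
        }
    }
}

$findings = @(Get-PolicyValueDrift) + @(Get-PolicyAclDrift)

if ($findings.Count -gt 0) {
    # Record who, where and what drifted so the helpdesk can follow up under the AUP.
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $findings |
        Select-Object @{n='Time';e={$stamp}}, @{n='Computer';e={$env:COMPUTERNAME}}, @{n='User';e={$env:USERNAME}},
                      Key, Name, Expected, Actual, Issue |
        Export-Csv -Path $ReportPath -NoTypeInformation -Append

    if ($Remediate) {
        # Re-assert the values the GPO should have set, then request a user policy refresh.
        foreach ($p in $ExpectedPolicies) {
            if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
            Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Value
        }
        gpupdate /target:user /force | Out-Null
    }
}
```

Assign it as a user logon script (with `-Remediate` if you want the values rewritten) so it runs at every logon under the user's own token, which is the only context in which HKCU is loaded. The design point the thread makes still holds: because the user is in Administrators, the script's findings and any remediation can be undone by that same user, so the value of this is an audit trail you can act on, not enforcement.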
 

Expert Comment

by:CleanupPing
ID: 9070626
helmy1313:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 9073350
I would object to a refund or delete of this question.  MSGeek
0
 

Author Comment

by:helmy1313
ID: 9077962
Please delete this question, I have no answer
0
 

Author Comment

by:helmy1313
ID: 9077996
please delete this question
0
