Secured GPO

I need to implement highly secured GPOs.

My problem is with users who are members of the local Administrators group on some machines: they can edit the registry of the machine and overwrite the registry keys that the GPO modifies, and they can also change the permissions on these keys so that the GPO is no longer applied.

They also change the permissions on the keys responsible for refreshing the GPO, so no applied GPO refreshes for them; even when a change is made in the GPO itself, it does not refresh.

I need the GPOs to refresh for all users, including these local admins, and also to overwrite the keys they changed, even if they change the permissions on the keys.
helmy1313 asked:

MSGeek commented:
The only way to overwrite the registry changes is to push the correction out through a logon script; it cannot be done as a scheduled event without their having control over it. As far as policies following their profiles, that is not how policies work. Policies are user- and computer-specific, not profile-specific. Having said that, it sounds like they have made this registry modification to a number of machines.

It is a tremendous security problem having any user be a member of the local Administrators group. I will not tolerate it; it allows them full access to their computer and the computers in their subnet. They can access administrative shares on other workstations as well as the registry on those workstations.

While management may deem it necessary for these individuals to have such authority over their local workstation in order to do their job, they need to be made aware of the risks this poses to the organization as a whole. Not only can these cowboys do what I mentioned, but if they get hit with a virus or trojan, it will have the same rights.

IMHO I would revoke the cowboy's permissions until he/she abides by your company's Acceptable Use Policy. The computer is not theirs to do whatever they wish with; it belongs to the company. It is for work use only, and if these modifications are against the company's AUP, you need to enforce it.

Having said all that, your bigger issue is the security threat posed by having users log on as administrators. I do not even log on to my own computers as the administrator unless I absolutely have to. When I do, I only use known web sites and I do not access any e-mail or unknown media.

MSGeek commented:
I think you have already answered your own question. Your question shows a thorough knowledge of policies and how they are applied, as well as how they might be circumvented. BTW, as an administrator there are other ways to circumvent policies.

You cannot implement policies on local Administrators and expect them not to be able to bypass your settings. Why are these untrusted individuals in the Administrators group anyway?

The only thing I can think of is to write a script that would notify me that the registry entry has been changed or that the rights to the Group Policy folder have been changed. There are just too many holes to accomplish this when they are logged in as admins. Make them members of the local Users group.
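A concrete form of the notify-and-reset script that the two MSGeek comments above describe, added here as an example; it is not code from the thread. It is PowerShell meant to run as SYSTEM from a computer Startup script or a scheduled task rather than from the logon script mentioned earlier, because a logon script executes as the very administrator being policed. It checks the ACL on the HKLM keys the computer-side policy engine writes to, logs and repairs any key that has been re-ACLed, and then forces a computer policy refresh so the client-side extensions rewrite the values. The key list, the log path and the default ACL it restores are assumptions.

```powershell
# Added example, not part of the thread. Assumes it runs as SYSTEM (computer
# Startup script or scheduled task), so the token holds SeTakeOwnershipPrivilege
# and can repair keys a local administrator has re-ACLed. Key list, log path and
# the restored ACL layout are assumptions; adjust to the keys your GPOs set.

$ErrorActionPreference = 'Stop'

# Subkeys under HKLM that the computer-side policy engine and its client-side
# extensions must be able to write (assumed list).
$PolicyKeys = @(
    'SOFTWARE\Policies',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy'
)

$LogFile = Join-Path $env:SystemRoot 'Temp\gpo-acl-check.log'   # assumed location
$Hklm    = [Microsoft.Win32.Registry]::LocalMachine
$Full    = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-PolicyKeyTampered {
    # $true if the key is missing, SYSTEM cannot even read its DACL, SYSTEM lacks
    # Full Control, or any Deny ACE is present. Denying SYSTEM/Administrators on
    # the key is the usual way a local admin blocks policy from being written.
    param([string]$SubKey)
    try {
        $key = $Hklm.OpenSubKey($SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    } catch { return $true }
    if ($null -eq $key) { return $true }
    $rules = $key.GetAccessControl().GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $key.Close()
    $systemFull = $false
    $hasDeny    = $false
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny') { $hasDeny = $true }
        if ($r.IdentityReference.Value -eq 'S-1-5-18' -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.RegistryRights -band $Full) -eq $Full) { $systemFull = $true }
    }
    return (-not $systemFull) -or $hasDeny
}

function Repair-PolicyKeyAcl {
    # Take ownership as SYSTEM (WRITE_OWNER is granted by SeTakeOwnershipPrivilege
    # even when the DACL denies everything), then rewrite the DACL to the default
    # layout: SYSTEM and Administrators Full Control, Users Read, inherited by
    # subkeys. Explicit Deny entries on the key are dropped in the process.
    param([string]$SubKey)
    $key = $Hklm.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { $Hklm.CreateSubKey($SubKey).Close(); return }
    $owner = New-Object System.Security.AccessControl.RegistrySecurity
    $owner.SetOwner([System.Security.Principal.SecurityIdentifier]'S-1-5-18')
    $key.SetAccessControl($owner)
    $key.Close()

    $key = $Hklm.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $dacl = New-Object System.Security.AccessControl.RegistrySecurity
    $dacl.SetAccessRuleProtection($false, $true)   # re-enable inheritance from parent
    $ci    = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $pf    = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $read  = [System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($pair in @(@('S-1-5-18', $Full), @('S-1-5-32-544', $Full), @('S-1-5-32-545', $read))) {
        $sid  = [System.Security.Principal.SecurityIdentifier]$pair[0]
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, $pair[1], $ci, $pf, $allow)
        $dacl.AddAccessRule($rule)
    }
    $key.SetAccessControl($dacl)
    $key.Close()
}

$tampered = @()
foreach ($sub in $PolicyKeys) {
    if (Test-PolicyKeyTampered -SubKey $sub) {
        $tampered += $sub
        "$(Get-Date -Format s) tampered ACL reset on HKLM\$sub" | Out-File -FilePath $LogFile -Append
        Repair-PolicyKeyAcl -SubKey $sub
    }
}
if ($tampered.Count -gt 0) {
    # Foreground refresh of computer policy so the client-side extensions rewrite
    # any values the administrator edited under the repaired keys.
    & "$env:SystemRoot\System32\gpupdate.exe" /target:computer /force | Out-Null
}
```

This covers HKLM only. The wallpaper and screen-saver settings the asker mentions later are user policies written under HKCU, in a hive that is loaded only while that user is logged on, so nothing the computer runs at startup can reach them; and anything run inside the user's own session runs, as MSGeek says, as a local administrator who can undo it or prevent the script from running at all. The log line is the useful part: it tells you which machines and which users to go and talk to.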

helmy1313 (author) commented:
If they log on with the local Administrator account, it does not matter to me, as no policy can be applied to it; but they log on with their domain user that is a member of the local Administrators group. This user is a domain user, and the policies must be applied to him whether he is an administrator or not. I need a way to refresh the policy on them even if he changed the registry key permissions of this policy.
MSGeek commented:
It is not possible.

helmy1313 (author) commented:
So what is the solution to control these kinds of administrators so that they cannot overcome the policy? Even if they did, the GPO can be refreshed and slap them in the face every certain period of time.

MSGeek commented:
A refresh is only valid if the administrator has not modified his read/write access to the Group Policy folder. Policies do not rely on a registry setting alone. Policies, and how they are implemented, have changed since the Win9x and NT days of the .pol file.

What are you trying to prevent access to?

helmy1313 (author) commented:
Look, here is the whole issue:

- Some domain users (not many) are members of the local Administrators group on their own machines so as to do some tasks like: Add/Remove Programs, start/stop services, open and use Computer Management, run certain applications, ... . Unfortunately the GPO does not give us the POWER to give these users ONLY the functions they need; it only opens the GATE for them, and then you must make them members of the local Administrators group so they can do their job. To overcome this, we restrict the registry tools for these users.
- But some of them have access to the registry tools. These users have ALREADY changed the permissions on the registry keys that are responsible for applying both the Wallpaper and Screen Saver GPOs (as an example); they also changed the keys responsible for refreshing the GPO itself. Note that the wallpaper and screen saver are not applied to them on ANY machine they log on to; it seems that they changed something in their roaming profile that overcomes the GPO settings!!!
- All we need is to apply and refresh the GPOs we applied to all users, including these domain (local admin) users, even if they modify any registry key; it must be overwritten by the GPO every 90 min (every refresh).

CleanupPing commented:
helmy1313:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here -> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

MSGeek commented:
I would object to a refund or deletion of this question. MSGeek

helmy1313 (author) commented:
Please delete this question; I have no answer.

helmy1313 (author) commented:
Please delete this question.