XP/2000 group policy access controls

A previous colleague who handled Windows XP/2000 security at our location has now left. He used three batch files as admin which control the permissions on registry.pol in the user and machine subdirectories of group policy, and also the gpt.ini file. These batch files altered the permissions on these files (enabling/disabling the group permissions settings, I believe); the third allowed editing of the group policy, but only while it was open. All made use of cacls to control the permissions. Has anyone heard of a scheme like this, and could you either write or direct me to an explanation of how it works and how to implement it? Also, does this method provide any real security advantages over the standard Windows setup?

Many thanks.
fennyrules Asked:

TJworld Commented:
See these documents:

"Recovering a Customer from an Active Directory 'Denial of Service'" http://www.microsoft.com/technet/archive/community/columns/security/askus/auasadds.mspx

"Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available" http://support.microsoft.com/default.aspx?scid=kb;en-us;320454

"Support WebCast: Microsoft Baseline Security Analyzer Version 1.1" http://support.microsoft.com/default.aspx?scid=kb;en-us;812920

As you can see from the first article, regular permissions on the group policy templates could allow a compromised account to cause a lot of damage.

The batch files your colleague used would simply automate the relaxing and restoring of strong NTFS DACL permissions on the vital files.

In normal operation the files would be read-only to everyone including Administrators.

When a change is to be made the relevant batch file would be run to temporarily provide Full Control to the policy template, automatically launch the Group Policy Editor, and once it had been closed restore the Read-Only state of the templates.
0
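The relax, edit, restore cycle described in the answer above, as an added example that is not part of the original thread and not the colleague's actual batch files. It assumes the local policy store at %SystemRoot%\System32\GroupPolicy and that Administrators and SYSTEM are the principals to restrict; the variable and label names are hypothetical.

```batch
@echo off
rem Added example: wrap one Group Policy editing session in a DACL relax/restore.
rem Assumptions: local policy store under %SystemRoot%\System32\GroupPolicy and
rem the principals in PRINCIPALS (adjust to the ACL actually present on the files).
setlocal
set GP=%SystemRoot%\System32\GroupPolicy
set PRINCIPALS=Administrators SYSTEM

rem 1. Relax: grant Full Control for the duration of the edit.
call :setacl F

rem 2. Edit: start /wait blocks until the MMC window is closed.
start /wait mmc.exe "%SystemRoot%\System32\gpedit.msc"

rem 3. Restore: back to Read for every listed principal.
call :setacl R

rem 4. Verify: print the resulting ACLs so the operator can confirm the
rem    restore took effect before walking away.
for %%F in ("%GP%\gpt.ini" "%GP%\Machine\Registry.pol" "%GP%\User\Registry.pol") do (
  if exist %%F cacls %%F
)
endlocal
goto :eof

:setacl
rem %1 = cacls permission letter (R = Read, F = Full Control).
rem /E edits the existing ACL instead of replacing it (and avoids the Y/N prompt);
rem /P replaces the named principal's access with the given permission.
rem Files that are not present are skipped.
for %%F in ("%GP%\gpt.ini" "%GP%\Machine\Registry.pol" "%GP%\User\Registry.pol") do (
  if exist %%F for %%P in (%PRINCIPALS%) do cacls %%F /E /P %%P:%1 >nul
)
goto :eof
```

Members of Administrators can still rewrite the DACL or take ownership of these files, so the scheme guards against accidental or unattended writes rather than against an account that already holds administrative rights and targets the ACL itself.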

kapes Commented:
If you can provide the content of the batch file, we can find out whether it is secure or not.

NOTE: while posting it here.. make sure to change the "user-id" and other sensitive info into generic...
0
TJworld Commented:
I think that's a bit of work for you; part of the job!

Take a look at "Undocumented CACLS: Group Permissions Capabilities"

http://support.microsoft.com/default.aspx?scid=kb;en-us;162786

"How to Use CACLS.EXE in a Batch File"

http://support.microsoft.com/default.aspx?scid=kb;en-us;162786
0
fennyrules Author Commented:
Thanks guys! Now I know it's worthwhile I can just go through them myself.
0