XP/2000 group policy access controls

Posted on 2004-11-21
Last Modified: 2013-12-04
A previous colleague who handled Windows XP/2000 security at our location has now left. He used three batch files as admin which control the permissions on registry.pol in the user and machine subdirectories of group policy, and also the gpt.ini file. These batch files altered the permissions on these files (enabling/disabling the group permissions settings, I believe); the third allowed editing of the group policy, but only while it was open. All made use of cacls to control the permissions. Has anyone heard of a scheme like this, and could either write or direct me to an explanation of how it works and how to implement it? Also, does this method provide any real security advantages over the standard Windows setup?

Many thanks.
Question by:fennyrules
    LVL 5

    Accepted Solution

    See these documents:

    "Recovering a Customer from an Active Directory 'Denial of Service'"

    "Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available";en-us;320454

    "Support WebCast: Microsoft Baseline Security Analyzer Version 1.1";en-us;812920

    As you can see from the first article, regular permissions on the group policy templates could allow a compromised account to cause a lot of damage.

    The batch files your colleague used would simply automate the relaxing and restoring of strong NTFS DACL permissions on the vital files.

    In normal operation the files would be read-only to everyone including Administrators.

    When a change is to be made the relevant batch file would be run to temporarily provide Full Control to the policy template, automatically launch the Group Policy Editor, and once it had been closed restore the Read-Only state of the templates.
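
A sketch of the "unlock, edit, relock" wrapper described in the answer above, added here as an example; it is not the colleague's script and not taken from the linked articles. It assumes the local Group Policy object under %SystemRoot%\System32\GroupPolicy, that the Administrators group owns the files, and that only the Administrators entry is toggled; any other principal with write access would need the same treatment.

```batch
@echo off
rem Added example: temporarily relax the DACL on the local policy files,
rem open the Group Policy Editor, then restore read-only when it closes.
rem ASSUMPTION: local GPO path; for a domain GPO the files live elsewhere.
setlocal
set "GPO=%SystemRoot%\System32\GroupPolicy"

rem 1. Grant Full Control for the duration of the edit.
call :setperm F

rem 2. START /WAIT blocks until the editor window is closed.
start "" /wait mmc.exe "%SystemRoot%\System32\gpedit.msc"

rem 3. Put the files back to Read for Administrators.
call :setperm R

rem 4. Print the resulting ACLs so the operator can confirm the relock.
rem    Do not rely on the exit code of cacls; read the listing.
call :showacl
endlocal
goto :eof

:setperm
rem %1 is the cacls right to apply: R (read) or F (full control).
rem /E edits the existing ACL instead of replacing it, so other entries
rem (for example SYSTEM, which must still read the policy) are left alone
rem and cacls does not prompt for confirmation.
rem /P replaces the rights of the named principal only.
for %%F in ("%GPO%\gpt.ini" "%GPO%\Machine\Registry.pol" "%GPO%\User\Registry.pol") do (
    if exist %%F cacls %%F /E /P Administrators:%1 >nul
)
goto :eof

:showacl
for %%F in ("%GPO%\gpt.ini" "%GPO%\Machine\Registry.pol" "%GPO%\User\Registry.pol") do (
    if exist %%F cacls %%F
)
goto :eof
```

If the script is interrupted between steps 1 and 3 the files stay writable, so the ACL listing from step 4 is the thing to check after every run. Because the owner of a file can always rewrite its DACL, this guards against accidental or casual changes rather than against an account that already holds administrative rights.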
    LVL 6

    Expert Comment

    If you can provide the content of the batch files, we can find out whether they are secure or not.

    NOTE: when posting them here, make sure to change the "user-id" and other sensitive info into something generic.
    LVL 5

    Expert Comment

    I think that's a bit of work for you; part of the job!

    Take a look at "Undocumented CACLS: Group Permissions Capabilities";en-us;162786

    "How to Use CACLS.EXE in a Batch File";en-us;162786
    LVL 1

    Author Comment

    Thanks guys! Now I know it's worthwhile I can just go through them myself.
