Solved

Why is gpedit wide open to XP power users?

Posted on 2011-05-03
Last Modified: 2012-05-11
Some of our Windows XP workstations have security set so local Power User accounts can run gpedit.msc. All the information I can find says that gpedit is only available to Administrator accounts. Can't find any differences in local group policy settings. In fact I have copied the GroupPolicy folders from another workstation that correctly denies access to Power Users but it didn't make any difference. Is there a registry setting that controls this?
Question by:ru-rd
9 Comments
Expert Comment

by:gheist
ID: 35688688
They can delete most of the files in %WINDIR% anyway, so why should you care about GPOs?
Expert Comment

by:bbao
ID: 35689220
> They can delete most of the files in %WINDIR% anyway, so why should you care about GPOs?

LOL, good point. Hence the group name: Power Users are powerful, by design.
Accepted Solution

by:gheist (earned 1000 total points)
ID: 35689419
The system is simply designed this way.
For example, in NT4 and the initial Windows 2000 releases normal users were allowed to use the date/time commands to change the system time at will.
And even without access to gpedit, every user will be able to launch mmc.exe and add the gpedit modules. GPOs have no effect on mmc.exe.

Author Comment

by:ru-rd
ID: 35723238
We have 15 Windows XP workstations that are all set up the same and joined as members of a Windows 2003 domain. Users also have memberships in this domain but log on to their workstations with local user accounts. They can access the network resources based on their domain group membership. Most, but not all, of these workstations were originally set up with W2K Pro and later upgraded to XP Pro. Local user accounts were given Power User membership so that some legacy apps would continue to run that wouldn't otherwise.
Recently I have been working on setting up logon/logoff scripts, and as I was testing these I discovered that on 5 of the 15 XP workstations Power Users can run gpedit.msc and on the other 10 they cannot. Local User and Power User accounts get the message "You do not have permission to perform this operation." The same message appears if they run MMC and try to add Group Policy Object Editor as a snap-in on the local computer. Upon further testing I have found that ordinary User accounts can open gpedit.msc on these 5 workstations also.
My concern is that some security settings must have changed to elevate the User and Power User permissions, and I don't know what other security restrictions or access rights may have changed.
What could cause this besides group policy? Has anyone else seen these kinds of problems? Is there a way to reset the default access rights for Users and Power Users on Windows XP Pro?
Expert Comment

by:gheist
ID: 35724562
Local users can override ANY GPO setting by using .reg files.
If you join a computer to a domain, it gets only the computer settings, which minimally interfere with local Power Users.
Assisted Solution

by:__ST (earned 1000 total points)
ID: 35725837
A clever user with Power User rights can do just about anything they want with a local PC, so I'm not sure how much time you would want to spend on this. Even if you explicitly block running things like MMC, a Power User can use net user / net localgroup to create a local administrator account that they could use to elevate their permissions and bypass any security you lay down. Trying to lock them down too much on a workstation risks breaking your legacy apps, so you're pretty much stuck with letting them have free rein of the endpoint.

If it's of vital concern, you could script a permissions/ownership change on the specific snap-in files using something like subinacl/xcacls, but keep in mind that it would not hinder someone persistent with a bit of technical knowledge.

Focus more on domain security and locking down the shares and you should be fine.  Ditch the legacy apps whenever possible and eventually you will have more control.
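The thread leaves the asker with two practical tasks: find what actually differs between the 5 workstations that open gpedit.msc and the 10 that deny it, and check whether a Power User has already done what __ST describes (minting a local administrator with net user / net localgroup). The audit script below is an added example, not code from the thread or from any of its participants. It collects, on one XP workstation, the items the discussion says can differ from box to box (local group membership, DACLs on the snap-in files __ST mentions, the local GroupPolicy Registry.pol files the asker copied between hosts, and an exported local security policy) so that the output of the 5 "open" hosts can be diffed against the 10 "denied" ones. The MMC policy key locations in step 4 are this example's assumption about where MMC's permitted/restricted snap-in settings live; the thread itself never names them. It assumes PowerShell 2.0 has been installed on the XP workstation and that it is run as a local Administrator.

```powershell
# Added audit script, not from the thread. Run as a local Administrator on each
# XP workstation (PowerShell 2.0 installed), redirect the output to <host>.txt,
# then diff the five "gpedit opens" hosts against the ten "access denied" hosts.

$ErrorActionPreference = 'Continue'
$sys32 = Join-Path $env:windir 'System32'

"### Host: $env:COMPUTERNAME  ($(Get-Date))"

# 1. Members of the two local groups that matter. A stray account here is the
#    "net user / net localgroup" scenario __ST describes.
foreach ($g in 'Administrators', 'Power Users') {
    "`n== Local group: $g =="
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# 2. DACLs on the files MMC loads for the Group Policy Object Editor. If someone
#    ran subinacl/xcacls on them (or an upgrade left different ACLs), it shows here.
foreach ($f in 'mmc.exe', 'gpedit.msc', 'gpedit.dll') {
    $path = Join-Path $sys32 $f
    "`n== ACL: $path =="
    if (Test-Path $path) {
        (Get-Acl $path).Access | ForEach-Object {
            '{0,-35} {1,-6} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }
    } else { '(missing)' }
}

# 3. Fingerprint the local GPO files so a copy between hosts can be verified
#    byte-for-byte rather than by eye.
$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($rel in 'GroupPolicy\Machine\Registry.pol', 'GroupPolicy\User\Registry.pol') {
    $path = Join-Path $sys32 $rel
    if (Test-Path $path) {
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $hash  = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        "`n== MD5 {0}: {1}" -f $rel, $hash
    } else { "`n== {0}: (absent)" -f $rel }
}

# 4. MMC snap-in restriction policy (assumed key locations). Per-machine, plus
#    every user hive currently loaded under HKEY_USERS, so a Power User's own
#    settings are seen when that user is logged on, not just the admin's HKCU.
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$roots = @('HKLM:\Software\Policies\Microsoft\MMC')
$roots += Get-ChildItem 'HKU:\' | ForEach-Object { "HKU:\$($_.PSChildName)\Software\Policies\Microsoft\MMC" }
foreach ($root in $roots) {
    "`n== Policy key: $root =="
    if (-not (Test-Path $root)) { '(absent)'; continue }
    foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            '{0}\{1} = {2}' -f $key.Name, $name, $key.GetValue($name)
        }
    }
}

# 5. Export the local security policy (user rights, security options) to a file
#    that can be diffed against a host that behaves correctly.
$inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f $env:COMPUTERNAME)
& secedit /export /cfg $inf | Out-Null
"`n== Local security policy exported to $inf =="
```

Run it on every workstation, keep the text output and the exported .inf per host, and compare one "open" host against one "denied" host with fc.exe or Compare-Object; whatever differs in steps 2 to 5 is the place to look, and step 1 tells you whether the concern about elevated local accounts has already materialised. Resetting the defaults that the asker's last question is about is a separate, disruptive step (on XP, Microsoft's documented route is secedit /configure against %windir%\repair\secsetup.inf), so it is deliberately not part of this read-only audit.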
Author Comment

by:ru-rd
ID: 35829370
I've requested that this question be deleted for the following reason:

Comments like "this is normal" or "why should you care?" are not solutions. And I don't have "clever users" that are intentionally trying to circumvent basic security settings.
Since our workstations are scheduled to be upgraded to Windows 7 soon, there is no point in trying to pursue this issue. Thank you all for taking the time to post a reply. I am sorry that I cannot issue any points.
Expert Comment

by:gheist
ID: 35829371
This documents the part that is missing from Microsoft's site.
You cannot stop mmc.exe, or regedit.exe opening .reg files, from the command line.
Expert Comment

by:gheist
ID: 35848528
Comments http:#35725837 and http:#35689419 explain the sorry state of things.
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb is the place where power users can find which registry setting to change to undo group policy.