Force Periodic Authentication



XP SP2
Exchange 2007

We have a GPO that utilizes the Restricted Groups policy to push down the
contents of the local Administrators group. Upper management wanted us to
provide a way for users to temporarily elevate their own rights so that
employees working evenings or weekends on critical problems can make
themselves administrators in the event that they need to upgrade software,
install patches, etc. So we came up with a web form that employees can use
to add themselves to a domain security group that gets pushed down with the
group policy. Employees can choose durations of 2 hours, 1 day, 3 days, 1
week, 2 weeks, and 1 month (to cover everything from simple software
installs to length testing projects). The process will also automatically
expire the elevated rights after the given time frame, or an administrator
can revoke the rights manually if the time frame requested was excessive
(i.e. 1 month requested for a simple software install). This is all set up
with auditing and employees who abuse the process will lose the permissions
to use the web form.

It all works pretty well, but there is one question that has come up. Say
an employee requests elevated rights for a week to do some testing. After
one week the process will remove the user account from the domain security
group that gives them admin rights on the local PC. Eventually, even
without a reboot, the group policy will refresh on the local PC. But if
that employee does not reboot wouldn't the admin rights remain intact
regardless of whether or not the group policy has been refreshed? If so, is
there a way to force a periodic re-authentication--say once a day--to catch
those employees who would try to get around the system by requesting admin
rights and then staying logged on forever?

Any help you can provide will be greatly appreciated.

--Tom
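The situation Tom describes does happen: Windows builds a user's access token once, at logon, from the group memberships in effect at that moment, and neither removing the account from the domain group nor the Restricted Groups refresh rewrites a token that already exists. The script below is an added example, not part of the original post, that detects the resulting "stale" session by comparing what the logon token says with what the directory says now. It assumes the elevation group is a domain security group whose distinguishedName is passed as a parameter (the default is a placeholder), and that it runs inside the user's own interactive session, for example as a logon script or a daily scheduled task running as that user.

```powershell
# Added example, not from the original post. Assumes the elevation group is a
# domain security group whose distinguishedName is passed in (the default is a
# placeholder), and that the script runs inside the user's own interactive
# session (logon script, or a daily scheduled task running as that user).
param(
    [string]$ElevationGroupDN = 'CN=TempLocalAdmins,OU=Groups,DC=example,DC=com', # placeholder
    [switch]$ForceLogoff   # end the session if the token turns out to be stale
)

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# 1. What this session's access token says. Windows builds the token once, at
#    logon, from the group memberships in effect at that moment; group removals
#    and Restricted Groups refreshes never rewrite an existing token.
$tokenIsAdmin = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. What the directory says right now. Bind to the user object by SID and look
#    for the elevation group in memberOf (direct membership only, which is what
#    the web form adds and removes).
$userSid     = $identity.User.Value
$adUser      = [ADSI]"LDAP://<SID=$userSid>"
$stillMember = @($adUser.memberOf) -contains $ElevationGroupDN

$status = New-Object PSObject -Property @{
    User            = $identity.Name
    LogonTokenAdmin = $tokenIsAdmin
    StillInGroup    = $stillMember
    Stale           = ($tokenIsAdmin -and -not $stillMember)
}
$status | Format-List

if ($status.Stale) {
    Write-Warning ("{0}: elevation has expired in AD but this logon token still " +
                   "carries the Administrators group; a new logon is required." -f $identity.Name)
    if ($ForceLogoff) {
        # shutdown.exe -l ends only this user's session; the next logon builds a
        # fresh token without the Administrators SID.
        & shutdown.exe -l -f
    }
}
```

Two caveats for anyone adapting this. On XP SP2, Tom's platform, there is no UAC, so `IsInRole` reflects the full token; on Vista and later an administrator's normal desktop runs under a filtered token and the check must be run elevated (or the output of `whoami /groups` inspected) to see the Administrators SID. And because anything running as the user is under that user's control, the check is good for auditing and reminders, while the enforcement side (the forced logoff at expiry) belongs in a task that runs as SYSTEM or is driven from the server that expires the group membership.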
