Re: Force Periodic Authentication
A few things:
1. Group Policies get automatically refreshed every 90 minutes, plus or
minus 30 minutes - however, if you are implementing this capability by only
changing the membership of DOMAIN groups, GPO refresh on the client computer
is not relevant - changes to domain group membership require only
replication to all domain controllers
2. group membership is obtained each time a user logs on and is not
changed for the duration of the session (until the user logs off) - seems
you know this already - reboot is not required, just logoff
3. there are some settings that might be useful (in combination):

Computer Configuration
Windows Settings
Local Policies
Security Options
Interactive Logon: Require Domain Controller authentication to
unlock

User Configuration
Administrative Templates
Control Panel
Display
Password protect the screen saver
Screen saver timeout

I haven't personally exercised the first one (Require Domain Controller
authentication to unlock), but the Screen Saver ones do work. If you assign
these users a second (administrative) user account and only add this one
to the Domain security group (per your second paragraph), you could change
the password, lock or disable this account when the time expires - then
presumably, "Domain Controller authentication" would fail when the user keys
credentials to unlock the computer. This, of course, assumes that the user
leaves the computer idle long enough for the Screen Saver to activate - you
could set the Screen saver timeout to a suitably short time (e.g. 10
minutes).

4. according to
http://technet2.microsoft.com/windowsserver/en/library/be413dbd-c47f-48a9-912d-d3d22c02eb2e1033.mspx?mfr=true,
local group membership set using Member Of in Restricted Groups is not
removed automatically when the GPO is changed or the computer falls out of
scope of the GPO. Experiments show that this is indeed the case for Windows
XP, but with Vista, this appears to be no longer the case - local group
membership gets updated when the GPO is changed or the computer falls out of
scope. However, again, if only DOMAIN group membership is adjusted (as
indicated in your second paragraph), this is not relevant.

Hope this helps - cheers!
--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.


"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message
news:evKP0KtgIHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
XP SP2
Exchange 2007

We have a GPO that utilizes the Restricted Groups policy to push down the
contents of the local Administrators group. Upper management wanted us to
provide a way for users to temporarily elevate their own rights so that
employees working evenings or weekends on critical problems can make
themselves administrators in the event that they need to upgrade software,
install patches, etc. So we came up with a web form that employees can
use to add themselves to a domain security group that gets pushed down
with the group policy. Employees can choose durations of 2 hours, 1 day,
3 days, 1 week, 2 weeks, and 1 month (to cover everything from simple
software installs to lengthy testing projects). The process will also
automatically expire the elevated rights after the given time frame, or an
administrator can revoke the rights manually if the time frame requested
was excessive (i.e. 1 month requested for a simple software install).
This is all set up with auditing and employees who abuse the process will
lose the permissions to use the web form.

It all works pretty well, but there is one question that has come up. Say
an employee requests elevated rights for a week to do some testing. After
one week the process will remove the user account from the domain security
group that gives them admin rights on the local PC. Eventually, even
without a reboot, the group policy will refresh on the local PC. But if
that employee does not reboot wouldn't the admin rights remain intact
regardless of whether or not the group policy has been refreshed? If so,
is there a way to force a periodic re-authentication--say once a day--to
catch those employees who would try to get around the system by requesting
admin rights and then staying logged on forever?

Any help you can provide will be greatly appreciated.

--Tom
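The point both posts turn on is that the group SIDs in a session's access token are fixed at logon, so removing a user from the domain group does nothing to sessions that are already running until the user logs off. The script below is an added example, not part of this thread and not code from either poster. It compares the elevation group SID in the current session's token against the user's live membership in the directory, flags sessions that still carry expired rights, and can optionally log the user off. The group name 'TempLocalAdmins', the log path, and the assumption that it runs inside the interactive session (for example from a scheduled task repeating hourly) are all placeholders and assumptions.

```powershell
<#
  Stale-elevation check (added example; assumes the temporary elevation group
  is a domain group named 'TempLocalAdmins', a placeholder name, and that the
  script runs in the user's own interactive session).
#>
param(
    [string]$ElevationGroup = 'TempLocalAdmins',   # placeholder group name
    [string]$LogPath = "$env:LOCALAPPDATA\stale-elevation.csv",  # assumed log location
    [switch]$ForceLogoff
)

# 1. Group SIDs baked into this session's token at logon. They do not change
#    while the session lives, no matter how often Group Policy refreshes.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

# 2. Resolve the elevation group's SID and DN from a domain controller.
$groupEntry = ([ADSISearcher]"(&(objectCategory=group)(sAMAccountName=$ElevationGroup))").FindOne()
if (-not $groupEntry) { throw "Group '$ElevationGroup' not found in the domain" }
$sidBytes = $groupEntry.Properties['objectsid'][0]
$groupSid = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0).Value
$groupDn  = [string]$groupEntry.Properties['distinguishedname'][0]

# 3. Direct membership as the directory sees it right now (memberOf lists
#    direct memberships only; nested groups would need tokenGroups instead).
$userEntry = ([ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))").FindOne()
$memberOf  = @($userEntry.Properties['memberof'])

$inToken     = $tokenSids -contains $groupSid
$inDirectory = $memberOf  -contains $groupDn

# A session whose token still holds the group although the directory no longer
# does is exactly the "stays logged on forever" case from the original question.
$result = [pscustomobject]@{
    User              = $identity.Name
    Computer          = $env:COMPUTERNAME
    Checked           = Get-Date
    TokenHasGroup     = $inToken
    DirectoryHasGroup = $inDirectory
    Stale             = ($inToken -and -not $inDirectory)
}

if ($result.Stale) {
    Write-Warning "Session of $($result.User) on $($result.Computer) still carries $ElevationGroup after membership expired"
    $result | Export-Csv -Path $LogPath -Append -NoTypeInformation
    # Logoff is the only way to rebuild the token; locking the screen does not.
    if ($ForceLogoff) { shutdown.exe /l }
}

$result
```

Because a user who is still a local administrator can tamper with anything under their own profile, the CSV is only a convenience for testing; in practice the record would go to a central share or event collector the user cannot write to. Run without -ForceLogoff first to see how many stale sessions the check reports before deciding whether automatic logoff is acceptable.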