Re: Force Periodic Authentication



Bruce,

Thanks for the information. It will take some time to digest, but I'll
definitely do some testing with these ideas. It may take a while to get
around to doing that testing, given all my other duties, but the system I
described is not yet in wide use so I can afford a little time here. I'll
try to post my results once I get the testing done.

--Tom

"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:OuWrmUygIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
A few things:
1. Group Policies get automatically refreshed every 90 minutes, plus or
minus 30 minutes - however, if you are implementing this capability by
only changing the membership of DOMAIN groups, GPO refresh on the client
computer is not relevant - changes to domain group membership require only
replication to all domain controllers
2. group membership is obtained each time a user logs on and is not
changed for the duration of the session (until the user logs off) - seems
you know this already - reboot is not required, just logoff
3. there are some settings that might be useful (in combination):

Computer Configuration
Windows Settings
Local Policies
Security Options
Interactive Logon: Require Domain Controller authentication to
unlock

User Configuration
Administrative Templates
Control Panel
Display
Password protect the screen saver
Screen saver timeout

I haven't personally exercised the first one (Require Domain Controller
authentication to unlock), but the Screen Saver ones do work. If you
assign these users a second (administrative) user account and only add
this one to the Domain security group (per your second paragraph), you
could change the password, lock or disable this account when the time
expires - then presumably, "Domain Controller authentication" would fail
when the user keys credentials to unlock the computer. This, of course,
assumes that the user leaves the computer idle long enough for the Screen
Saver to activate - you could set the Screen saver timeout to a suitably
short time (e.g. 10 minutes).

4. according to
http://technet2.microsoft.com/windowsserver/en/library/be413dbd-c47f-48a9-912d-d3d22c02eb2e1033.mspx?mfr=true,
local group membership set using Member Of in Restricted Groups are not
removed automatically when the GPO is changed or the computer falls out of
scope of the GPO. Experiments show that this is indeed the case for
Windows XP, but with Vista, this appears to be no longer the case - local
group membership gets updated when the GPO is changed or the computer
falls out of scope. However, again, if only DOMAIN group membership is
adjusted (as indicated in your second paragraph), this is not relevant.

Hope this helps - cheers!
--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.


"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message
news:evKP0KtgIHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
XP SP2
Exchange 2007

We have a GPO that utilizes the Restricted Groups policy to push down the
contents of the local Administrators group. Upper management wanted us
to provide a way for users to temporarily elevate their own rights so
that employees working evenings or weekends on critical problems can make
themselves administrators in the event that they need to upgrade
software, install patches, etc. So we came up with a web form that
employees can use to add themselves to a domain security group that gets
pushed down with the group policy. Employees can choose durations of 2
hours, 1 day, 3 days, 1 week, 2 weeks, and 1 month (to cover everything
from simple software installs to lengthy testing projects). The process
will also automatically expire the elevated rights after the given time
frame, or an administrator can revoke the rights manually if the time
frame requested was excessive (i.e. 1 month requested for a simple
software install). This is all set up with auditing and employees who
abuse the process will lose the permissions to use the web form.

It all works pretty well, but there is one question that has come up.
Say an employee requests elevated rights for a week to do some testing.
After one week the process will remove the user account from the domain
security group that gives them admin rights on the local PC. Eventually,
even without a reboot, the group policy will refresh on the local PC.
But if that employee does not reboot wouldn't the admin rights remain
intact regardless of whether or not the group policy has been refreshed?
If so, is there a way to force a periodic re-authentication--say once a
day--to catch those employees who would try to get around the system by
requesting admin rights and then staying logged on forever?

Any help you can provide will be greatly appreciated.

--Tom
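As an added illustration of the issue Tom raises and of Bruce's point 2 (this is not code from either poster): a PowerShell check meant to run in the user's own logon session from a daily scheduled task. It compares the group SIDs frozen into the token at logon with what AD would put in a fresh token, and logs the session off once the temporary-admin group has been revoked. The group name TempLocalAdmins and the log path are assumptions.

```powershell
# Added example, not from either poster. Run it in the user's own logon
# session (e.g. a daily scheduled task): it compares the group SIDs frozen
# into the token at logon with what AD would put in a fresh token, and logs
# the session off once the temporary-admin group has been revoked.
$TempAdminGroup = 'TempLocalAdmins'                          # hypothetical group name
$LogPath        = Join-Path $env:TEMP 'TempAdminCheck.log'   # assumed log path

function ConvertTo-SidString([byte[]]$Bytes) {
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

# 1. Resolve the group's SID from Active Directory via ADSI (no RSAT needed).
$groupSearch = New-Object System.DirectoryServices.DirectorySearcher
$groupSearch.Filter = "(&(objectCategory=group)(sAMAccountName=$TempAdminGroup))"
[void]$groupSearch.PropertiesToLoad.Add('objectSid')
$groupResult = $groupSearch.FindOne()
if (-not $groupResult) { throw "Group '$TempAdminGroup' not found in AD" }
$groupSid = ConvertTo-SidString $groupResult.Properties['objectsid'][0]

# 2. What this session's token holds: group SIDs were fixed at logon time
#    and do not change until the user logs off, whatever GPO refresh does.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }
$tokenHasGroup = $tokenSids -contains $groupSid

# 3. What AD would put in a new token: the user's constructed tokenGroups
#    attribute, which already expands nested group membership.
$userSearch = New-Object System.DirectoryServices.DirectorySearcher
$userSearch.Filter = "(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
$userResult = $userSearch.FindOne()
if (-not $userResult) { throw "User '$env:USERNAME' not found in AD" }
$userEntry = $userResult.GetDirectoryEntry()
$userEntry.RefreshCache(@('tokenGroups'))
$adSids = $userEntry.Properties['tokenGroups'] | ForEach-Object { ConvertTo-SidString $_ }
$adHasGroup = $adSids -contains $groupSid

# 4. Stale token: rights revoked in AD but still live in this session.
if ($tokenHasGroup -and -not $adHasGroup) {
    $msg = "$(Get-Date -Format s) expired temporary admin rights still in token for $env:USERNAME; logging off"
    Add-Content -Path $LogPath -Value $msg
    Write-Warning $msg
    shutdown.exe /l   # end the session; the next logon builds a token without the group
} elseif ($tokenHasGroup) {
    Write-Host "Temporary admin rights for $env:USERNAME are still current in AD."
} else {
    Write-Host "No temporary admin rights in this session."
}
```

Because the check reads the token of the process it runs in, the scheduled task must run as the interactive user, not as SYSTEM.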
