Re: ACL on GPO link
- From: Johni <john.silverdear@xxxxxxxxx>
- Date: Thu, 3 Apr 2008 03:46:02 -0700 (PDT)
On 3 Apr, 06:41, "Darren Mar-Elia" <dmanonym...@xxxxxxxxxxxxx> wrote:
To take it a step further from what Mark has said, if, for example, an
administrator was not domain admin equivalent and could not take ownership
of any AD object and change its permissions, you could prevent them from
writing the gpLink attribute on the domain NC head. That would effectively
prevent them from unlinking your GPO. But, because of the way links are
stored, they would also not be able to add any new links to the domain, nor
remove other GPO links. The gpLink attribute is monolithic in that each link
is stored in a concatenated list of GPO Guids (along with a flag). Thus
being able to write the gpLink attribute means you can link or unlink any
GPO from that container and not being able to write to it means...that you
can't!
Hope that helps.
Darren
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
*******************************
Secure and configure your Windows desktops accurately every time without
having to learn or install new technology.
Find out more about Desktop Policy Manager at http://www.sdmsoftware.com/desktop_management
*******************************
"Mark Heitbrink [MVP]" <spam-o...@xxxxxxxxxxxxxxxxxxxxx> wrote in message news:efeI1rOlIHA.5820@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Johni wrote:
Somebody who has the rights to manage links can delete my GPO link and
then put a link with his own GPO, with different policies.
... but only if he has the right to write/change files inside SYSVOL and
objects inside cn=policies,cn=system,dc=yourdom,dc=dom
That means: He is an Admin. And if he is an Admin, you can not deny
ANYTHING!
A person who can manage links everywhere is as well an admin ...
Creation and Linking are two separate roles, because they appear at
different objects.
If someone is permitted to link, he has at least the right of modify
the "gpLink" Attribute on a Site, Domain or OU, which can be delegated.
But if he is permitted to link, he is not allowed to create an OU, he only
can link an existing one.
If someone is allowed to create a GPO, he does not necessarily have the
right to link this object on every OU.
If someone is "unlinking" your GPO and replacing it, then you do not have
a problem that can be caught by security options, it only can be handled
by his employee contract. If he is reverting settings a Domain Admin has
set, then this usually happens only once. The second time he is no longer
an employee ... easy and functional. So, no Problem at all.
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - German
Blog: gpupdate.spaces.live.com - english
Thanks for your answers, Mark and Darren.
I understood the technical reasons.
I conclude that you cannot prevent an AD administrator (god) from
changing application of a specific set of policies. It's impossible.
If I have a security application based on policies and I want that its
settings can only be changed by a few people, and not all the system
administrators, I can't.
But even if I could put ACL on specific GPO links, it wouldn't be
enough, because AD admins can reset a password and use another
account.
The only solution is to use a custom config server, based on a private
authentication mechanism.
Never mind, I just wanted to be sure that I clearly understood GPO
links. Thanks again.
JS
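Darren's description of gpLink above, as an added example that is not part of any post in the thread: a small Python parser for the attribute's `[LDAP://<GPO DN>;<flags>]` entries, showing why write access to the attribute covers every link on the container, plus a diff helper a defender could run over two audited values of the attribute. The GPO GUIDs and the domain are constructed sample values.

```python
import re
from dataclasses import dataclass

# gpLink holds every link on a site/domain/OU as ONE string of concatenated
# "[LDAP://<GPO DN>;<flags>]" entries; flag bits: 1 = disabled, 2 = enforced.
_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_GUID_RE = re.compile(r"cn=(\{[0-9a-f-]{36}\})", re.IGNORECASE)

@dataclass(frozen=True)
class GpLink:
    dn: str
    flags: int

    @property
    def guid(self) -> str:
        m = _GUID_RE.search(self.dn)
        return m.group(1).lower() if m else ""
    @property
    def disabled(self) -> bool:
        return bool(self.flags & 1)
    @property
    def enforced(self) -> bool:
        return bool(self.flags & 2)

def parse_gplink(value: str) -> list[GpLink]:
    """Split a gpLink value into its links, preserving link order."""
    return [GpLink(dn, int(f)) for dn, f in _LINK_RE.findall(value or "")]

def serialize_gplink(links: list[GpLink]) -> str:
    """Rebuild the attribute: changing one link means rewriting the whole string,
    which is why write access to gpLink covers every link on the container."""
    return "".join(f"[LDAP://{l.dn};{l.flags}]" for l in links)

def diff_gplink(before: str, after: str) -> dict[str, set[str]]:
    """Compare two captured values of the attribute (e.g. from directory change
    auditing) and report which GPO GUIDs were added, removed or re-flagged."""
    old = {l.guid: l.flags for l in parse_gplink(before)}
    new = {l.guid: l.flags for l in parse_gplink(after)}
    return {"added": set(new) - set(old),
            "removed": set(old) - set(new),
            "reflagged": {g for g in old.keys() & new.keys() if old[g] != new[g]}}

# Constructed sample values (hypothetical GUIDs and domain), not real data.
_BASE = ",cn=policies,cn=system,DC=example,DC=test"
SAMPLE_BEFORE = (f"[LDAP://cn={{11111111-1111-1111-1111-111111111111}}{_BASE};0]"
                 f"[LDAP://cn={{22222222-2222-2222-2222-222222222222}}{_BASE};2]")
# A writer of gpLink replaced the enforced second link with their own GPO.
SAMPLE_AFTER = (f"[LDAP://cn={{11111111-1111-1111-1111-111111111111}}{_BASE};0]"
                f"[LDAP://cn={{33333333-3333-3333-3333-333333333333}}{_BASE};0]")
```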