Re: Bypassing domain and OU GPO settings using the Security Configuration and Analysis MMC

I though Group Policy Refresh Interval was every 90 minutes +/- 30 by default. What is this 16 hours thing all about? That Group Policy is a template of settings being pushed to a machine, is the Client Side Extensions just basically Local Group Policy, in other words?

"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message news:OueAkmCtIHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Spin schrieb:
[...] You must be an admin on the machine to do this. My question is, isn't this a security risk in it's own right, bypassing domain
> and OU GPO settings?

Sure, but what did you expect? An Adminis an Admin is an Admin.

Thats the reason why he is an Administrator.
He MUST be able to revert all settings, that unsuspecting user
possibly have made. An Administrator is a job or a role and being
an Administrator means that I know what I do by definition.

But here is your solution:
Because of the problem, that local Admins can override security settings
from the domain, the Client Side Extension of Security is running every
16 hours with a /FORCE option.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
"MaxNoGPOListChangesInterval"=0x3C0 (960 minutes = 16 hours)

Just wait a day and everything will be fine agan, if the local
Administrator does not have find a much easier and more efectiv way
to block your settings.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english

.

Relevant Pages

  • Re: Network Properties Permission Problem
    ... the domain administrator having the issue correct? ... > The computer received "Security" settings from these GPOs: ... >>> the local workstation admin user. ...
    (microsoft.public.win2000.group_policy)
  • Re: Administrator Locked out
    ... an admin, remove the Deny and promptly use gpedit to revert the ... Simplify Group Policy Troubleshooting with the NEW GPExpert ... out the administrator from entering into the Group Policy Object ...
    (microsoft.public.windows.group_policy)
  • Group Policy for hardened PCs
    ... I have a network of about 50 users. ... these same people will also have a DIFFERENT PC [aka Admin PC] to ... there with lots of tweaks to both the Computer Settings and User Settings ... that they can override all the Group Policy settings I apply? ...
    (microsoft.public.windows.group_policy)
  • Re: problems with admin account
    ... As Roger said, my XP Security Console is designed to allow you to put a number of restrictions in place, on a per-user basis. ... You'll be able to unlock some of the settings that you've made with GPEDIT, ... > account with admin rights ... > the administrator) as I don't have access to computer ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Is there a way to set a local policy to disable adhoc, non Act
    ... policy via GPMC it requires you to log in as a domain administrator. ... +Software Settings ... Under Windows Settings there is a Security Settings, ... another Group Policy MVP - he posted these steps on ...
    (microsoft.public.windows.group_policy)
Loading