Security Basics mailing list archives
Re: Spying in a corporate environment
From: Big Joe Jenkins <swarzkopf () legolas sinnerz us>
Date: Fri, 23 Nov 2007 11:47:07 -0500 (EST)
"However, while being logged into the local machine instead of the domain
domain policies are not re-applied. An administrator can now manually change/remove those policies"
This is still incorrect- though I must admit that you made me second guess myself. I actually just tested it with the Windows Firewall policy I mentioned below. :) An administrator does NOT have the ability to manually change/remove the applied policies; local administrator can modify the local machine policy, but it will not be enforced until policy is updated, at which point the domain policies override the local policy settings.
On Fri, 23 Nov 2007, Ansgar -59cobalt- Wiechers wrote:
On 2007-11-23 Big Joe Jenkins wrote:On Thu, 22 Nov 2007, Ansgar -59cobalt- Wiechers wrote:Like I said before: they log into the local machine instead of logging into the domain. Voil, no domain policies applied.This is absolutely not true and displays a fundamental misunderstanding of group policy application. As long as the workstation in question is in a site/domain/OU with computer targetted GPO settings linked to it, these GPOs will apply to the machine regardless of how a user logs in. For example, I've created a Windows Firewall GPO that propagates restrictive Windows firewall settings to clients. This is a computer targetted GPO that is applied to security groups composed of workstation accounts. When a user (including local administrator) logs in locally to one of the workstations specified in the GPO's filtering, the policy is applied and local administrator is unable to modify any Windows firewall settings (their only recourse would be to remove the workstation from the domain). Please try this- log in as local administrator to a workstation as specified above, and run gpresult or rsop and view the results.Poor wording on my part. Sorry about that. Of course the policies that were applied to the machine once aren't magically removed just because the user logs into the local machine instead of the domain. However, while being logged into the local machine instead of the domain domain policies are not re-applied. An administrator can now manually change/remove those policies. At least AFAICS. Someone correct me if I'm wrong. Regards Ansgar Wiechers -- "The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user." --http://developer.apple.com/technotes/tn2004/tn2118.html
Current thread:
- RE: Spying in a corporate environment, (continued)
- RE: Spying in a corporate environment Murda Mcloud (Nov 21)
- Re: Spying in a corporate environment Col (Nov 21)
- Re: Spying in a corporate environment Ansgar -59cobalt- Wiechers (Nov 21)
- RE: Spying in a corporate environment Mario DeBono (Nov 22)
- Re: Spying in a corporate environment Ansgar -59cobalt- Wiechers (Nov 22)
- Re: Spying in a corporate environment Tremaine Lea (Nov 22)
- RE: Spying in a corporate environment Mario DeBono (Nov 22)
- Re: Spying in a corporate environment Ansgar -59cobalt- Wiechers (Nov 22)
- Re: Spying in a corporate environment Big Joe Jenkins (Nov 23)
- Re: Spying in a corporate environment Ansgar -59cobalt- Wiechers (Nov 23)
- Re: Spying in a corporate environment Big Joe Jenkins (Nov 23)
- Re: Spying in a corporate environment Col (Nov 23)
- RE: Spying in a corporate environment Craig Wright (Nov 23)
- Re: Spying in a corporate environment Col (Nov 21)
- RE: Spying in a corporate environment Murda Mcloud (Nov 21)
- Re: Spying in a corporate environment Col (Nov 21)
- Re: Spying in a corporate environment Tremaine Lea (Nov 27)