It's actually very easy to prevent any policies from coming down to your system if you have local admin rights. What you do is first, delete the policies from the registry, then deny everyone (except for a locally created user) access to the policy key. You'll see the failures in the event log when a new policy attempts to get written. Viola! no more policies....
Easy as pie.... Exibar ----- Original Message ----- From: "James Exim" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, October 29, 2003 3:50 AM Subject: [Full-Disclosure] W2k users, local admin rights and GPOs > It has been pointed out several times recently on the SF mailing lists that > a W2k user with local administrator rights can prevent group policy > application on his/her machine and there is apparently nothing the domain > administrator(s) can do about it (see > http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html > for an example) > > Does anyone know exactly (a) how, and (b) why this is possible? Is there > really no workaround other than removing the users from the local > Administrators group? I keep discovering W2k machines where end users have > been granted local admin rights (yuk!) and I'm trying to convince the > relevant domain admins that, while this is an easy way to make legacy > software work, it isn't such a great idea from a security point of view... > > Thanks, > > James > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
