Now that it is out there, it's relatively easy to look them up. But in James' case, I can just bring my own copy of cacls.exe (or have a scheduled job to make a copy of the existing one) and, unless SeTakeOwnershipPrivilege is removed from the Administrators group, I can then get permissions back to everything that he's just removed.

If the purpose was to block internet access, then I think it would have been easier to just configure this on the outbound proxy or router or firewall or whatever device that's in place there.

Cheers
Ken

________________________________
From: Free, Bob [r...@pge.com]
Sent: Friday, 24 April 2009 2:18 AM
To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....

Before Russinovich blogged it you at least had to have a bit of a clue about GPOs to defeat them, now it is trivial… relatively

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Thursday, April 23, 2009 12:26 AM
To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....

If they are administrators, they can defeat GPOs given sufficient knowledge...

Cheers
Ken

________________________________
From: James Rankin [kz2...@googlemail.com]
Sent: Thursday, 23 April 2009 5:12 PM
To: NT System Admin Issues
Subject: Re: Restricted groups, where have you been....

For those who can remember the NT4 days, GPOs as a whole are an awesome admin tool. When I managed an NT4 network with 10,000 users I actually had batch scripts running overnight that reset the user rights on all DCs and member servers, checked the local group memberships and altered them back to a default if they'd changed. Group Policy finally made my life easy.

I just recently implemented a group policy that blocks internet access on our few scanning workstations even though the users are admins... a combination of a false proxy and restrictive file permissions on inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe has done the trick. Power is great!!!!

2009/4/22 David Lum <david....@nwea.org>

…all my life! We are just getting to use this feature and it's DA BOMB! Being able to add users to local groups w/out affecting the existing memberships is awesome!
We are narrowing down how many Domain Admins we have and this feature is *hugely* helpful in delegating to non domain admins.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
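Ken's point about SeTakeOwnershipPrivilege can be checked directly on a workstation before relying on file ACLs against local admins. The audit script below is an added example, not code from anyone in this thread; it assumes an elevated PowerShell prompt and reads secedit's user-rights export (the temp file name userrights.inf is an arbitrary choice).

```powershell
# Added example: list which principals hold SeTakeOwnershipPrivilege on this host.
# If BUILTIN\Administrators (S-1-5-32-544) still holds it, restrictive ACLs on
# cacls.exe, regedit and friends will not keep a local admin out, as Ken notes.
# Requires an elevated prompt: secedit needs admin rights to export policy.

$inf = Join-Path $env:TEMP 'userrights.inf'   # arbitrary scratch file name
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }

# The export is a Unicode .inf; under [Privilege Rights] it contains lines such as
#   SeTakeOwnershipPrivilege = *S-1-5-32-544
$line = Get-Content $inf |
    Where-Object { $_ -match '^SeTakeOwnershipPrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $inf -Force

if (-not $line) {
    Write-Output 'SeTakeOwnershipPrivilege is not assigned to anyone on this host.'
    return
}

# Right-hand side is a comma-separated list; entries prefixed with * are SIDs.
$holders = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }

foreach ($h in $holders) {
    $name = $h
    if ($h.StartsWith('*')) {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $h   # unresolvable SID: print it raw
        }
    }
    Write-Output ("SeTakeOwnershipPrivilege held by: {0}" -f $name)
}

if ($holders -contains '*S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators holds SeTakeOwnershipPrivilege: file ACLs alone will not restrict local admins.'
}
```

On a default install the warning fires, which is the expected result; the script only reports, it changes nothing.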