Users bypassing group policy restrictions

  • Users bypassing group policy restrictions

    Hi There,

    I work in a school where we have a network consisting of Windows Server 2003 domain controllers and member servers. The workstations are all Windows XP. Unfortunately, as a department we are undertrained for the jobs we do, so I'm sorry if I'm missing something blatantly obvious, but if a user logs onto one of our workstations and unplugs the network cable the second his password is authenticated, he manages to successfully log into Windows without any of our group policy settings taking effect. Although most network resources are properly locked down by means of permissions, this still gives the user a certain amount of freedom on the local machine that we definitely don't want. Is there anywhere in group policy where I can force the settings always to take effect? Alternatively, are there any third-party tools or anything to stop this?

    Regards

    Jon

  • #2
    Re: Users bypassing group policy restrictions

    I answered a question similar to this a few months back. If you're using roaming profiles this is an option.

    http://forums.petri.com/showthread.php?t=6027
    Andrew


    • #3
      Re: Users bypassing group policy restrictions

      Hi there,

      Thanks very much for your suggestion. Unfortunately we don't use roaming profiles, not even mandatory profiles. I don't suppose if we did implement mandatory profiles that that same policy setting would work?

      Regards

      Jon


      • #4
        Re: Users bypassing group policy restrictions

        Hello,
        Group policies are applied in the following order: local GP, Site GP, Domain GP and all OU levels GP. By default each one can be overwritten by the GP from the next levels.
        The local GP does not depend on the network connection, so here you can configure basic security. Add other settings to the Domain or OU levels GPs.

        Regards,
        Csaba
        Regards,
        Csaba Papp
        MCSA+messaging, MCSE, CCNA

        • #5
          Re: Users bypassing group policy restrictions

          Thanks for the suggestion. Unfortunately, we have only just moved away from local policies as it's so much easier to manage changes when everything is centralized. I can't imagine Microsoft would leave a flaw like this in an operating system without some way of getting around it. Is there no way I can set the machines or the policies so that if it doesn't find a network connection it goes with the last policy it had, however old? Or do I really have to go local policies for the security settings?


          • #6
            Re: Users bypassing group policy restrictions

            From my perspective it is not a flaw in the operating system.
            User-related restrictions forced by a GP are kept in the user profile and saved locally. So, if the user has logged on before and the GP was applied successfully, next time the settings will be available even if the network cable is unplugged.
            This is different only if the user logs on for the first time or his or her local profile was removed. Settings are applied after the first successful GP refresh. This interval is 90 minutes by default.
            To reduce the user-specific GP settings refresh interval, see my screenshot.
            Be aware that too frequent a refresh can generate high network traffic.

            Regards,
            Csaba

            • #7
              Re: Users bypassing group policy restrictions

              I had a bit of an idea earlier on the subject of setting a higher refresh rate; here is my plan. Firstly, I enabled the computer group policy setting "Always wait for the network at computer startup and logon". Having done this, it takes a moment longer to boot up, but what it does mean is all the computer configuration settings are processed before the user puts his name and password in. Therefore, even if they do pull the network cable, the refresh rate would have been set; then when they replace the cable it would never be more than 5 minutes (or whatever the setting) before the policies take effect on the workstation. For some reason, having done this, I tried a sample user, logged in, removed the network cable and got into an unrestricted desktop. From here I put the network cable back in and nothing happened. Does anyone know why this might be? I set how often group policy is applied and the refresh interval to 1 minute for the purposes of my experiment, to no avail. I know the rest of this policy was taking effect, as I added programs to run on logon, which did. Any suggestions?

              On a slightly separate tangent, if you enforce user group policy loopback processing you can make the user settings in the GPO applied to the computer take effect for anyone who logs on. Is there any way of making these process before logon as well?
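
An added example, not written by anyone in this thread: a read-only PowerShell check of the registry values that the settings named in posts #6 and #7 (refresh interval, "Always wait for the network at computer startup and logon", loopback processing) write on a workstation, so you can confirm which of them actually reached the machine. It assumes PowerShell 2.0 or later is installed (it is not part of a default Windows XP install); `Get-PolicyValue` is a helper defined in the example, not a built-in cmdlet.

```powershell
# Added example (not from the thread): read-only check of the registry values
# written by the Group Policy settings discussed in posts #6 and #7.
$sys      = 'SOFTWARE\Policies\Microsoft\Windows\System'
$winlogon = 'SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Helper defined for this example. Returns $null when the key or value is
# absent, which is what a "Not Configured" policy looks like in the registry.
function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($null -ne $prop) { return $prop.Value }
    }
    return $null
}

# HKLM values are per computer; the HKCU value belongs to the user running this.
$checks = @(
    @{ Setting = 'Always wait for the network at computer startup and logon'
       Path = "HKLM:\$winlogon"; Name = 'SyncForegroundPolicy' },
    @{ Setting = 'Group Policy refresh interval for computers'
       Path = "HKLM:\$sys"; Name = 'GroupPolicyRefreshTime' },
    @{ Setting = 'Group Policy refresh interval for users'
       Path = "HKCU:\$sys"; Name = 'GroupPolicyRefreshTime' },
    @{ Setting = 'User Group Policy loopback processing mode'
       Path = "HKLM:\$sys"; Name = 'UserPolicyMode' }
)

$report = foreach ($c in $checks) {
    $value   = Get-PolicyValue $c.Path $c.Name
    $meaning = 'Not configured on this machine'
    if ($null -ne $value) {
        switch ($c.Name) {
            'SyncForegroundPolicy'   { if ($value -eq 1) { $meaning = 'Enabled' } else { $meaning = 'Disabled' } }
            'GroupPolicyRefreshTime' { $meaning = "$value minute(s)" }
            'UserPolicyMode'         {
                if     ($value -eq 1) { $meaning = 'Merge' }
                elseif ($value -eq 2) { $meaning = 'Replace' }
                else                  { $meaning = 'Unexpected value' }
            }
        }
    }
    New-Object PSObject -Property @{ Setting = $c.Setting; Value = $value; Meaning = $meaning }
}

$report | Select-Object Setting, Value, Meaning | Format-Table -AutoSize -Wrap
```

Run it once in a normal logon and once in the test user's session after the unplugged logon; a value that shows as not configured in the second run was never written to that machine or profile.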
