[gptalk] RES: Re: RES: Re: Help With Local GPO
- From: "Maurit Pereira Fagundes" <Maurit.Fagundes@xxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 22 Oct 2008 17:21:46 -0200
Hi Darren
Remember I told you that a custom program applies a custom restriction policy to a
specific local user?
So... I found out that this program creates the following registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Update]
"UpdateMode"=dword:00000002
"NetworkPath"="C:\\WINDOWS\\system32\\policy.POL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000002
"NetworkPath"="C:\\WINDOWS\\system32\\policy.POL"
The program also puts the name of the user created inside the pol file, and the
pol file is copied to:
C:\\WINDOWS\\system32\\policy.POL
Unfortunately, this pol file is encrypted.
So, my question is:
Do you wonder what could associate this pol file with a specific user mentioned
in the pol file itself?
Thanks again.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of
Darren Mar-Elia
Sent: Thursday, October 16, 2008 11:43
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: RES: Re: Help With Local GPO
Well, you can certainly create a .pol file programmatically outside of GP, but
you can't just put it anywhere. Windows looks specifically in the locations I
mentioned below and only there.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Maurit Pereira Fagundes
Sent: Thursday, October 16, 2008 6:39 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] RES: Re: Help With Local GPO
Importance: High
Darren
Thanks for your help. Let me ask you one more thing:
Can I create a custom pol file, put it in a different location (system32, for
instance) and apply it to a specific local Windows XP user?
Is that possible?
I know a program made by a developer that creates a local user and applies to
the user a restricted desktop. I think it is by GPO, but no other users are
affected. Unfortunately I do not have access to the source code. I will look
for it; if I find any new information, I will let you know.
Thanks again.
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of
Darren Mar-Elia
Sent: Wednesday, October 15, 2008 20:37
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Help With Local GPO
You can hack this after a fashion, but it requires some real tweaking. Namely,
depending upon what policy you want to control, you can use file permissions on
the underlying GP settings storage in the local GPO to control who gets it. For
example, if you want to control Admin Template policy on the local GPO, you can
permission the registry.pol file within either
C:\windows\system32\grouppolicy\machine or C:\windows\system32\grouppolicy\user
so that it can only be read by the user account that you want to apply the
policies to. It's a serious hack, but it has been done successfully in the past.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie
Sent: Wednesday, October 15, 2008 11:00 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Help With Local GPO
Well, only a local GPO would work but I don't think there is any way to use
security filtering at the local level; therefore, your GPO is going to apply to
all local users, and potentially some domain users as well.
And because a local user account does not process domain-based GPOs, I think
you're unfortunately out of luck.
Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon Energy
Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Maurit Pereira Fagundes
Sent: Wednesday, October 15, 2008 11:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Help With Local GPO
Importance: High
Hello everyone.
I need to create a program that creates a local user in Windows XP and
associates a specific GPO, created by me, only with the user the program
created. The other local users must not be affected by the GPO. How can I do this?
I have been searching for a solution but have found nothing up to now.
I'm OK with the program; my problem is how to associate a custom GPO with a
specific local Windows XP user without affecting the other local users.
Can someone help me on this?
Thanks in advance.
MT
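A read-only audit of the two mechanisms mentioned in this thread, as an added PowerShell example (not code from any poster or from the program discussed): it reports the `Control\Update` values quoted in the first message and lists the ACL entries on the `registry.pol` files named in Darren's reply. The function names are hypothetical, and the paths assume Windows is installed under `C:\Windows` as in the messages.

```powershell
# Added example: read-only audit; nothing is modified.
# Key names, value names and file paths are the ones quoted in the thread.
$updateKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Update',
    'HKLM:\SYSTEM\ControlSet001\Control\Update'
)
$polFiles = @(
    'C:\Windows\System32\GroupPolicy\Machine\registry.pol',
    'C:\Windows\System32\GroupPolicy\User\registry.pol',
    'C:\Windows\System32\policy.POL'
)

function Get-PolicyRedirect {
    # Reports UpdateMode / NetworkPath wherever a Control\Update key exists.
    foreach ($key in $updateKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        # Flag a "NetworkPath" that is not a UNC path, as in the first message.
        $local = [bool]($p.NetworkPath -and $p.NetworkPath -notlike '\\*')
        New-Object PSObject -Property @{
            Key         = $key
            UpdateMode  = $p.UpdateMode
            NetworkPath = $p.NetworkPath
            IsLocalPath = $local
        }
    }
}

function Get-PolFileAccess {
    # Lists every ACE on each policy file so a per-user read restriction
    # (an explicit, non-inherited entry) stands out.
    foreach ($file in $polFiles) {
        if (-not (Test-Path -Path $file)) { continue }
        $acl = Get-Acl -Path $file
        foreach ($ace in $acl.Access) {
            New-Object PSObject -Property @{
                File      = $file
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-PolicyRedirect | Select-Object Key, UpdateMode, NetworkPath, IsLocalPath | Format-List
Get-PolFileAccess | Format-Table File, Identity, Rights, Type, Inherited -AutoSize
```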