[gptalk] Re: RES: Re: RES: Re: Help With Local GPO

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 22 Oct 2008 13:06:14 -0700

Ok. So what those registry keys are doing is leveraging the old NT 4 system
policies. I would not recommend using that approach in addition to using
Group Policy, as you can get some unexpected interactions when using both.
Not sure why they would be doing it this way but it is very "old school".

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Maurit Pereira Fagundes
Sent: Wednesday, October 22, 2008 12:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] RES: Re: RES: Re: Help With Local GPO
Importance: High

 

Hi Darren

 

Remember I told you that a custom program applies a custom restricted policy
to a specific local user?

 

So... I found out that this program creates the following registry keys:

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Update]

"UpdateMode"=dword:00000002

"NetworkPath"="C:\\WINDOWS\\system32\\policy.POL"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update]

"UpdateMode"=dword:00000002

"NetworkPath"="C:\\WINDOWS\\system32\\policy.POL"

 

The program also puts the name of the user it created inside the pol file,
and the pol file is copied to:

 

C:\\WINDOWS\\system32\\policy.POL

 

Unfortunately, this pol file is encrypted.

 

So, my question is:

 

Do you wonder what could associate this pol file with a specific user
mentioned in the pol file itself?

 

Thanks again.

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, October 16, 2008 11:43
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: RES: Re: Help With Local GPO

 

Well, you can certainly create a .pol file programmatically outside of GP,
but you can't just put it anywhere. Windows looks specifically in the
locations I mentioned below and only there.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Maurit Pereira Fagundes
Sent: Thursday, October 16, 2008 6:39 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] RES: Re: Help With Local GPO
Importance: High

 

Darren

 

Thanks for your help. Let me ask you one more thing:

 

Can I create a custom pol file, put it in a different location (system32,
for instance) and apply it to a specific local Windows XP user?

 

Is that possible? 

 

I know a program made by a developer that creates a local user and applies
to the user a restricted desktop. I think it is by GPO, but no other users
are affected. Unfortunately I do not have access to the source code. I will
look for it; if I find any new information, I will let you know.

 

Thanks again.

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, October 15, 2008 20:37
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Help With Local GPO

 

You can hack this after a fashion, but it requires some real tweaking.
Namely, depending upon what policy you want to control, you can use file
permissions on the underlying GP settings storage in the local GPO to
control who gets it. For example, if you want to control Admin Template
policy on the local GPO, you can permission the registry.pol file within
either C:\windows\system32\grouppolicy\machine or
C:\windows\system32\grouppolicy\user so that it can only be read by the user
account that you want to apply the policies to. It's a serious hack, but it
has been done successfully in the past.


Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie
Sent: Wednesday, October 15, 2008 11:00 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Help With Local GPO

 

Well, only a local GPO would work but I don't think there is any way to use
security filtering at the local level; therefore, your GPO is going to apply
to all local users, and potentially some domain users as well.

 

And because a local user account does not process domain-based GPOs, I think
you're unfortunately out of luck.

 

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Maurit Pereira Fagundes
Sent: Wednesday, October 15, 2008 11:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Help With Local GPO
Importance: High

 

Hello everyone.

 

I need to create a program that creates a local user in Windows XP and
associates a specific GPO created by me with only the user the program
created. The other local users must not be affected by the GPO. How can I do
this? I am searching for a solution but have found nothing up to now.

 

I'm OK with the program; my problem is how to associate a custom GPO with a
specific local Windows XP user without affecting the other local users.

 

Can someone help me on this?

 

Thanks in advance.

MT
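
A read-only audit for the settings discussed in this thread, as an added example that is not part of any poster's message: it reports whether the legacy System Policy values quoted above (UpdateMode, NetworkPath) are present and lists the ACLs on the policy files that decide who can read them. The function names are hypothetical, and the UpdateMode meanings (0 off, 1 automatic, 2 manual) are assumed from the documented NT 4-style System Policy behaviour rather than taken from the thread.

```powershell
# Added example (not from the thread). Read-only; run from an elevated prompt.

# Assumed meanings of UpdateMode for NT 4-style System Policy.
$modeNames = @{ 0 = 'Off'; 1 = 'Automatic'; 2 = 'Manual (uses NetworkPath)' }

function Get-LegacySystemPolicyConfig {
    # The two keys quoted in the thread.
    foreach ($set in 'CurrentControlSet', 'ControlSet001') {
        $key = "HKLM:\SYSTEM\$set\Control\Update"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $props = Get-ItemProperty -LiteralPath $key
        $mode  = $props.UpdateMode
        $path  = $props.NetworkPath

        [pscustomobject]@{
            Key              = $key
            UpdateMode       = $mode
            Meaning          = if ($null -ne $mode -and $modeNames.ContainsKey([int]$mode)) {
                                   $modeNames[[int]$mode]
                               } else { 'Not set or unknown' }
            NetworkPath      = $path
            PolicyFileExists = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    }
}

function Get-PolicyFileAcl {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not $p -or -not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                File      = $p
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

$legacy = @(Get-LegacySystemPolicyConfig)
$legacy | Format-List

# Files to inspect: any legacy policy file found, plus the local GPO files.
$files = @($legacy.NetworkPath) + @(
    "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol",
    "$env:SystemRoot\System32\GroupPolicy\User\Registry.pol")
Get-PolicyFileAcl -Path ($files | Select-Object -Unique) | Format-Table -AutoSize
```

An UpdateMode of 2 with a local NetworkPath on a machine that also receives Group Policy is the combination the thread warns about; a Registry.pol whose ACL grants read to a single account indicates the permission-based filtering described above.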

 

 
