[gptalk] All Vista users can see your OU structure by default - and download GPO's to their local hard drive

  • From: "Mills, Mark" <Mark.Mills@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 15 Sep 2006 10:58:35 -0500


All users able to see your OU structure -


(as mentioned before GPMC.MSC is installed on all Vista clients by


Not only does a user who is only in the "Domain Users" group have access
to see the structure, I was able to do a backup of GPOs (the option was
not grayed out) to my local hard drive.  The backup included copies of
all scripts used by the GPO.  This means a user can easily find the
Executive Users group OU that you may have configured for Company Board
Members, download their policies to review (and back up), and look at any
scripts to see what resources they might have access to.

I hesitate to think about a young admin who might put a plain-text
password in a script.  I don't work at a large enterprise, and I realize
that because of that my knowledge of proper security procedure might be
limited - do you guys in the larger enterprises go into the SYSVOL
directory and apply security permissions to the directories that contain
GPOs for employees, and restrict access to those directories so that only
the employees who need access to that GPO have access?


Example: By default everyone has read access to the SYSVOL directory and
its subfolders.  So if you want to block access for a user who does not
need access to the GPO at \\domaincontroller\SYSVOL\<my
domain.com>\Policies\{DH3EA850-8HFA-4117-8HEA-3BH59C49A82B}, do you
modify the security tab to allow only those users that need access?  Do
you do this for every GPO?  And then you would also have to modify the
contents of the \\domaincontroller\SYSVOL\<my domain.com>\scripts
directory to make sure users are only allowed read access to the scripts
they use, instead of the default permissions of being able to read
everyone's scripts.  What am I missing here?


On separate notes-

NTBackup no longer exists on Vista.  The new utility "sdclt" does not
appear to support command-line parameters, and did not let me save a
backup job to a local volume or local drive; it only gave me options to
save to a writeable DVD or a network share.  This is a bummer for me if
Longhorn acts the same way.  I used to do backups of 1) a web forum
database and 2) an online webstore database on a web server once an hour
to a local directory on that web server.  The purpose was that if
something should happen to corrupt the online sales database or forum, I
could return it to the state it was in the previous hour, instead of all
the way back to the tape backup from the night before.  I'm sure it may
be the same thing for all those people who back up Exchange with NTBackup
(I use BackupExec personally).


Also GenControl (http://www.gensortium.com/products/gencontrol.html)
didn't work on Vista - it remotely installs VNC on a PC and gives you
instant desktop control (when your user has the proper permissions).



Mark Mills 

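The exposure described in the post (any domain user reading SYSVOL and backing up GPOs), as an added example that is not part of the original message and uses today's tooling rather than the Vista-era GPMC: a PowerShell script that, run as an ordinary domain user, lists the policy folders it can read, shows which identities hold Read on each, searches scripts for credential-looking lines, and backs up every GPO to a local folder with Backup-GPO. The domain name is taken from the USERDNSDOMAIN environment variable and the backup folder lives under TEMP; both are assumptions, as is the presence of the GroupPolicy RSAT module, which is only needed for the last step.

```powershell
# Added example, not from the original post. Run as a plain domain user on a
# domain-joined machine to see what default SYSVOL permissions expose.
param(
    [string]$Domain    = $env:USERDNSDOMAIN,      # assumption: domain-joined host
    [string]$BackupDir = "$env:TEMP\gpo-backup"   # assumption: local scratch folder
)

$sysvol   = "\\$Domain\SYSVOL\$Domain"
$scriptExt = '*.bat', '*.cmd', '*.vbs', '*.ps1'

# 1. Policy folders readable by this account, with a count of the scripts inside.
#    No admin rights are involved: Authenticated Users get Read by default.
Write-Host "== Readable GPO folders under $sysvol\Policies =="
Get-ChildItem -Path "$sysvol\Policies" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $scripts = Get-ChildItem -Path $_.FullName -Recurse -File -Include $scriptExt -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Guid     = $_.Name
            GptIni   = Test-Path (Join-Path $_.FullName 'GPT.INI')
            Scripts  = @($scripts).Count
        }
    } | Format-Table -AutoSize

# 2. Who holds an Allow ACE containing Read on each policy folder.
Write-Host "== Read ACEs per policy folder =="
Get-ChildItem -Path "$sysvol\Policies" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.FileSystemRights)" -match 'Read' } |
            ForEach-Object { '{0}  {1}' -f $folder.Name, $_.IdentityReference }
    }

# 3. The "young admin" case: scripts anywhere in SYSVOL that look like they carry a password.
Write-Host "== Credential-looking lines in SYSVOL scripts =="
Get-ChildItem -Path $sysvol -Recurse -File -Include $scriptExt -ErrorAction SilentlyContinue |
    Select-String -Pattern '(?i)\b(password|passwd|pwd|pass)\b\s*[=:]' |
    Select-Object Path, LineNumber, Line |
    Format-Table -AutoSize -Wrap

# 4. What the GPMC "Back Up" option does, from the command line: copy every GPO,
#    scripts included, to local disk. Requires the GroupPolicy RSAT module.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Backup-GPO -All -Path $BackupDir -Domain $Domain |
        Select-Object GpoDisplayName, GpoId, BackupDirectory |
        Format-Table -AutoSize
} else {
    Write-Host "GroupPolicy module not installed; skipping Backup-GPO step."
}
```

The per-GPO ACL the post asks about is normally set from the GPO's Delegation tab in GPMC (security filtering), which writes the same ACEs to the GPO's Active Directory object and to its SYSVOL folder; editing the folder by hand lets the two drift apart. Read on a folder still exposes everything under it to whoever has it, so the check in step 3 is the one that matters most: keep credentials out of logon scripts entirely.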
