[THIN] Re: GPO Debate

  • From: Rick Mack <ulrich.mack@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sun, 8 Feb 2009 17:27:41 +1000

Hi Greg,

We'd probably need Jeremy Moskovitz to answer this authoritatively but
here's my take.

Server 2003/XP group policies comprise security settings which still use the
old NT 4 policy mechanisms. Stuff like user rights, auditing etc. all use
legacy mechanisms. These are reg hacks and will stick until changed.

Once we get into the area of group policies your mileage will vary. As you
know there are 2 types of group policies, unmanaged and managed.

The difference is that the first type are again NT 4 style policies where a
non-volatile change gets made to the registry. Quite a lot of the stuff like
system tuning etc.

Managed group policies on the other hand are transient. They are written to
locations like HKLM\Software\Policies and
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies for computer
configurations and HKCU\Software\Policies and
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies. Because they are
transient and have to be re-applied on reboot or login, these can be blocked
from applying, either by network disconnection or by other more creative
means.

For example, Jeremy Moskovitz has a simple script (www.gpanswers.com) that
will block GP application, and if you get creative on your laptop and create
a value, DisableDFS, reg_dword, 0x1, under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Mup, then you can no
longer access the netlogon/sysvol\scripts share and can't download domain
logon scripts or group policies. Darn, those GPs don't apply anymore.

But if we get back to the network connectivity issue, if a group policy
refresh interval is defined, provided network connectivity is restored the
machine group policies will be applied. However please note that most of the
security settings have still stuck.

And we can't avoid the small fact that unless I've got access to the console
on a terminal server, worrying about what happens if a GP isn't applied
because we don't have network connectivity is a sheer waste of time. Anyone
that starts worrying about security in that scenario doesn't understand the
simple fact that if I can't connect it doesn't matter whether the GP will
apply to me or not.

So your answer is that you are almost right. Most of the stuff that matters
sticks and the stuff that doesn't stick doesn't matter.

regards,

Rick

-- 
Ulrich Mack
Quest Software
Provision Networks Division


Provided you can log on there is network connectivity and a user's GP will
apply.



On Mon, Feb 2, 2009 at 6:02 AM, Greg Reese <gareese@xxxxxxxxx> wrote:

> I admit that as I have been in this career for over 15 years, there may be
> some things that I still don't understand, or worse, some things that I
> don't understand as well as I think I do.  But keeping an open mind and
> being willing to learn something from everyone I meet has served me pretty
> well.
>
> currently, I am having a debate over  GPO use with a colleague  (for those
> of you in government work, think "IA asshole").
>
> anyway, the debate is that setting a GPO at the domain or OU level does not
> properly protect a server because as soon as the the server is unplugged
> from the network, the settings disappear leaving the server in an
> unprotected state.  So this person wants us to make all adjustments by hand
> with local policies.  As much as my gut tells me this is wrong, I really
> don't have anything to back it up with.
>
> I say the settings will stay applied in the absence of the rest of the
> domain structure or servers being present.  But the more I think about it, I
> really don't know how it really works.  I am going to setup a test next week
> but figured it was worth throwing out to all of you.
>
> Thanks!
>
> Greg
>
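The test Greg says he is going to set up can be scripted. The following is an added example, not code from either poster or from gpanswers.com: it snapshots the four registry locations Rick names for managed policy, exports the legacy security settings (user rights, audit policy) with secedit, and reads the Mup\DisableDFS value he mentions (read only; it does not set it). Run it once while joined and connected, unplug the cable and reboot, run it again, and diff the two snapshot files. Function names and the snapshot file location are my own choices.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell
# prompt on a domain-joined Windows machine. Snapshot what is actually on the box,
# then repeat after disconnecting from the network and compare.

# The managed-policy locations named in the post.
$policyKeys = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyRegistryValues {
    param([string[]]$Keys = $policyKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Key = $key; ValueName = '<key absent>'; Data = $null }
            continue
        }
        # The key itself plus every subkey beneath it.
        $items = @(Get-Item -Path $key) +
                 @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{
                    Key       = $item.Name
                    ValueName = $name
                    Data      = $item.GetValue($name)
                }
            }
        }
    }
}

# Legacy security settings (user rights, audit policy, account policy) live in
# the local security database, not under the Policies keys. secedit exports
# them as an .inf that can be diffed before and after the disconnect.
function Export-LocalSecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'secpol.inf'))
    & secedit.exe /export /cfg $Path /quiet | Out-Null
    Get-Content -Path $Path
}

# The DisableDFS value from the post. If it is 1, the machine can no longer reach
# sysvol/netlogon through DFS, so domain scripts and GP will not download.
# This only reads the value.
function Test-MupDisableDfs {
    $mup = 'HKLM:\System\CurrentControlSet\Services\Mup'
    $value = (Get-ItemProperty -Path $mup -Name DisableDFS -ErrorAction SilentlyContinue).DisableDFS
    [pscustomobject]@{
        Key        = $mup
        DisableDFS = $value
        DfsBlocked = ($value -eq 1)
    }
}

# Write one snapshot file per run (timestamped) so two runs can be compared.
$snapshot = Join-Path $env:TEMP ('gp-snapshot-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Get-PolicyRegistryValues | Format-Table -AutoSize | Out-String -Width 200 | Set-Content -Path $snapshot
'----- secedit export -----' | Add-Content -Path $snapshot
Export-LocalSecurityPolicy | Add-Content -Path $snapshot
'----- Mup\DisableDFS -----' | Add-Content -Path $snapshot
Test-MupDisableDfs | Format-List | Out-String | Add-Content -Path $snapshot
Write-Host "Snapshot written to $snapshot. Disconnect the network, reboot, log on, run again and diff."
```

To compare two runs, use `Compare-Object (Get-Content <first>) (Get-Content <second>)`; `gpresult /r` on the disconnected machine will additionally show which GPOs it last applied and from where. Whatever you find in the diff settles the argument for that machine far better than either side's gut feeling.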
