Local Policy settings (archived thread, Windows XP exams forum, February 2004)
richardwhit

2003-01-08, 2:03 pm

Following on from an earlier thread in this forum I decided to have a good play about with managing Windows policies locally for a workgroup environment or a network without a Windows domain.

I set several restrictive policies including preventing access to Control Panel, preventing opening of MMC, preventing amendment of NTFS security, etc. To my surprise Windows applies these policies to the Administrator account too, so I can't actually open Control Panel or MMC to remove them LOL!!

Is this right? Surely there must be some way of only applying policies to the local users only, or this is a completely useless feature.
clarkv

2003-01-09, 11:01 am

I know that users/groups can be filtered out of Group Policies in an Active Directory domain environment using ACLs. So I took a look at Local Group Policies on my XP Pro computer and there seems to be no way to do this, which you have already found. I searched Microsoft's website and found KB article 218601 which states that there is no way to do this on a per-user basis in Win 2000. It does state that MS recognizes this as a limitation of Win 2000 and is considering this capability in future operating systems. However, it would appear that it's not yet a reality for XP.
richardwhit

2003-01-10, 4:02 am

Thanks for your response and for digging around for the answer. It's quite a serious limitation IMO, but nonetheless I suppose as long as you're careful which policies you apply, local policies can be effective to a point.
TW2001

2003-01-10, 8:32 am

In case you missed it, I posted the workaround to this in the previous thread. You deny the Administrator account (or any other accounts you do not want the policy to apply to) read access to the GPO folder. When you want to edit it you allow read so you can open it (via MMC, gpedit.msc).

It's very simple.
richardwhit

2003-01-10, 10:22 am

Yeah, but that won't work if, like in my example, you've denied access to NTFS file permissions, because once you set the policies you won't have access to the NTFS permissions to deny read to the Administrators account. It's my understanding that the policies will be enforced once they are written to this file, and so there is no way around it since you must have read access to set the policies in the first place.

But as you say, for the vast majority of policies this would be a good workaround, but it didn't help me out of the daft situation I'd got myself into.
TW2001

2003-01-10, 1:43 pm

Huh?

You open the properties and re-assign yourself the permission. An administrator can take ownership of any file, which enables (re-enables) you to alter permissions if necessary.
richardwhit

2003-01-11, 5:31 am

Right, this has nothing to do with ownership. To recap/re-explain what I said in my last post and my first post: I have denied the ability to view, set or change NTFS permissions. Therefore I can't prevent the Administrator from having read access to the GPO folder; I can't alter ownership or do anything that has any bearing on the permissions that were in place when the policy was set. In fact, with the policies that I have in place the Security tab is removed, as if simple file sharing is enabled.

This isn't a problem since this is just a box in my home lab which I try to break on regular occasions.

Before you start getting pedantic with people because they've missed the point of one of your posts in a different thread, maybe you should take the time to read the posts in the current thread.
TW2001

2003-01-11, 11:42 am

Oh, of course. I will make it a point to not waste my time attempting to help you out.

As you wish. I'm sure through your own command of the platform you'll do just fine.
Patrickjb

2003-01-23, 5:27 am

quote:
Originally posted by richardwhit
Following on from an earlier thread in this forum I decided to have a good play about with managing Windows policies locally for a workgroup environment or a network without a Windows domain.

I set several restrictive policies including preventing access to control panel, preventing opening of mmc, preventing amendement of NTFS security etc.etc. To my surprise Windows applies these policies to the administrator account too, so I can't actually open control panel or mmc to remove them LOL!!

Is this right? surely there must be some way of only applying policies to the local users only or this is a completely useless feature.
-------------------------------------------
Right, this has nothing to do with ownership.....to recap/re-explain what I said in my last post and my first post - I have denied the ability to view, set or change NTFS permissions. Therefore I can't prevent the administrator from having read access to the GPO folder, I can't alter ownership or do anything that has any bearing on the permissions that were in place when the policy was set. In fact with the policies that I have in place the security tab is removed as if simple file sharing is enabled.

What operating system were you working on while testing the NTFS security policies? You're referring to a GPO. GPOs only apply to domains. Yes, there are 'local users' and 'groups', but GPOs only apply to 'Domain policy' where you're using OUs, Sites etc. If you're referring to a single workstation not connected to a domain controller, I'm curious how you restricted access to 'MMC'. This is not an option in "Local Security Policy" on XP Pro.
richardwhit

2003-01-23, 6:17 am

Although the Group Policy only applies to a domain, if you use Local policy on a workstation the snap-in is still called Group Policy, you then point it at the Local Machine and it appears as Local Computer Policy in the console tree. This allows you to have administrative control in a workgroup environment.

The policies that I configured which resulted in me losing access to the mmc were as follows: User Configuration\Administrative Templates\Microsoft Management Console\

- Restrict User from entering Author Mode: enabled

- Restrict Users to the explicitly authorized list of snap-ins: enabled (but with an unpopulated list - therefore no snap-ins allowed)
Patrickjb

2003-02-10, 9:53 pm

quote:
Originally posted by richardwhit
Right, this has nothing to do with ownership.....to recap/re-explain what I said in my last post and my first post - I have denied the ability to view, set or change NTFS permissions. Therefore I can't prevent the administrator from having read access to the GPO folder, I can't alter ownership or do anything that has any bearing on the permissions that were in place when the policy was set. In fact with the policies that I have in place the security tab is removed as if simple file sharing is enabled.

This isn't a problem since this is just a box in my home lab which I try to break on regular occassions.

Before you start getting pedantic with people because they've missed the point of one of your posts in a different thread, maybe you should take the time to read the posts in the current thread.
I can now see the problem that you have gotten yourself into. I duplicated one of the group policies that you created, and was able to solve the problem. I did not duplicate the NTFS permissions GP though, so I'm not sure how to fix that problem. I believe that any GP can be undone with "Regedit", but I have not tried this. This is the normal way to resolve this GP problem (or at least the way I would do it from now on).

Microsoft Windows XP Inside Out / Ed Bott, Carl Siechert, Craig Stinson.--Deluxe ed.

"Although you can't have customized settings for each of several different groups, you can effectively have two groups of users: those who are affected by local Group Policy settings and those who are not. This duality affects only the User Configuration settings; Computer Configuration settings are applied before anyone logs on.

You can do this because local Group Policy depends on users having Read access to the local Group Policy object, which is stored in the %SystemRoot%\System32\GroupPolicy folder. Policies are not applied to users who do not have Read access; therefore, by denying Read access to administrators or others whom you don't want to restrict, you free those users from control by group policies. To use this method, follow these steps:

1. Make the Group Policy setting changes that you want.
2. In Windows Explorer, right-click the %SystemRoot%\System32\GroupPolicy folder and choose Properties. (GroupPolicy is a hidden folder; if you can't find it in System32, choose Tools, Folder Options, View, Show Hidden Files And Folders.)
3. On the Security tab of the GroupPolicy Properties dialog box, select the Administrators group and select the Deny check box for the Read permission. (If you want to exclude any other users or groups from Group Policy control, add them to the Group Or User Names list and then deny their Read permission.)

Note: You must deny the Read permission rather than simply clear the Allow check box. Otherwise, all users would continue to inherit Read permission because of their automatic membership in the Authenticated Users group.

At your next logon using one of the Read-disabled user accounts, you'll find that you're no longer encumbered by Group Policy settings. Without Read permission, however, you'll find that you're also unable to run Group Policy, so you can't view or modify Group Policy settings. To regain that power, you need to revisit the Group Policy Properties dialog box and grant yourself Full Control permission.

Tip - Create an account for managing Group Policy: As an alternative to modifying permissions each time you want to work with Group Policy, consider setting up a separate user account for configuring Group Policy. Instead of denying Read permission for the Administrators group (step 3 of the preceding procedure), add your own user account to the Group Or User Names list, and deny Read permission for it. Create a new account, your Group Policy configuration account, and make it a member of the Administrators group. Finally, set up a shortcut to Gpedit.msc. When you want to review or modify Group Policy settings, right-click the shortcut, choose Run As, and enter the name and password of your configuration account.

Keep in mind that, even without the aforementioned security shenanigans, the default security settings effectively produce two groups of users. Although the local Group Policy settings apply to all users (clarification: all users who have Read access to the local Group Policy object), only members of the local Administrators group can view or change these settings.

If customizing the effects of Group Policy settings based on group membership is important to you, you should install Windows .NET Server or Windows 2000 Server and set up Active Directory. But the methods described in this section can provide an easy compromise solution."

You should apply these settings to the "%SystemRoot%\System32\GroupPolicy" folder before you start playing with Group Policy, or sharpen your knowledge of making changes to the registry.
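The book procedure quoted above, as an added PowerShell example (this is not code from the thread or from Windows XP Inside Out): it puts an explicit Deny-Read ACE for one account on the local GPO folder, inherited by the Machine and User subfolders and the Registry.pol files inside them, checks that the ACE is present, and removes it again when that account needs to run gpedit.msc. The account name 'gpadmin' is a placeholder, the function names are mine, and it assumes PowerShell is installed (it is not part of a stock XP install) and that the script runs as a member of Administrators.

```powershell
# Added example, not from the thread. Exempts one local account from the
# User Configuration half of local Group Policy by denying it Read on
# %SystemRoot%\System32\GroupPolicy, and undoes that when the account needs gpedit.msc.
# Assumptions: 'gpadmin' is a hypothetical local account; the caller is an Administrator.

$GpoFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

function Get-PolicyExemptionRule {
    param([string]$Account)
    # An explicit Deny of FileSystemRights.Read (ReadData, ReadAttributes,
    # ReadExtendedAttributes, ReadPermissions). Deny ACEs are evaluated before
    # Allow ACEs, which is why clearing the inherited Allow from Authenticated
    # Users would not be enough. Inheritance flags push it down to the
    # Machine/User subfolders and the Registry.pol files.
    $ruleArgs = @(
        "$env:COMPUTERNAME\$Account",
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

function Set-LocalPolicyExemption {
    # Step 3 of the book procedure, done with Get-Acl/Set-Acl instead of the Security tab.
    param([string]$Account)
    $acl = Get-Acl -Path $GpoFolder
    $acl.AddAccessRule((Get-PolicyExemptionRule -Account $Account))
    Set-Acl -Path $GpoFolder -AclObject $acl
}

function Remove-LocalPolicyExemption {
    # Reverse of the above: the account can read the GPO again, so gpedit.msc
    # works for it, and the policies apply to it again at the next refresh.
    param([string]$Account)
    $acl = Get-Acl -Path $GpoFolder
    $acl.RemoveAccessRule((Get-PolicyExemptionRule -Account $Account)) | Out-Null
    Set-Acl -Path $GpoFolder -AclObject $acl
}

function Test-LocalPolicyExemption {
    # True when a Deny ACE covering ReadData exists for the account on the folder.
    param([string]$Account)
    $acl = Get-Acl -Path $GpoFolder
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq "$env:COMPUTERNAME\$Account" -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    }
    return [bool]$hit
}

# Usage, run elevated:
#   Set-LocalPolicyExemption -Account 'gpadmin'
#   gpupdate /force        # then log off and on; user policy is read at logon
#   Test-LocalPolicyExemption -Account 'gpadmin'
#   Remove-LocalPolicyExemption -Account 'gpadmin'   # before running gpedit.msc as gpadmin
```

Two caveats a practitioner will want. First, this is an exemption mechanism, not a security boundary: any member of Administrators can take ownership of the folder and strip the Deny ACE, so it protects nothing against a user who is already an administrator. Second, it only governs whether the GPO is read for that user; Computer Configuration settings are applied before logon, as the book says, and are unaffected. The policy richardwhit set to remove the Security tab hides only the Explorer dialog; the DACL itself can still be edited from a command prompt with Set-Acl as above, or with cacls.exe on a box without PowerShell, as long as the policies left an interactive shell available.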
richardwhit

2003-02-11, 8:59 am

Interesting reading. Thanks for the transcript.
Patrickjb

2003-02-11, 3:56 pm

quote:
Originally posted by richardwhit
Interesting reading. Thanks for the transcript.


Have you managed to fix this problem without reloading Windows XP? I would be curious if you came up with a solution, and what the solution was.

The solution that I gave you above works, but I'm not sure how you would apply it if you can't get to the NTFS permissions tab.

The part of your GP that I duplicated involved the MMC console. I restricted myself from using the console, and then applied the solution above, I was then able to access the MMC console again, so I know this works.

If you should decide to play with the registry, I would suggest that you back up your "System State" first. This way if you make a critical mistake, you can restore your registry using the system state.
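Patrickjb's Regedit suggestion, as an added PowerShell example (not code from the thread): it lists where the four User Configuration policies named in this thread land in the registry once the local GPO has been applied, reports which of them are set, and clears them so an administrator locked out of MMC can open gpedit.msc again during the window before the next policy refresh. The policy-to-value mappings are the documented ones from the MMC and Windows Explorer administrative templates; the function names are mine, and it assumes it runs in the locked-out account's own session, since these values live under HKCU.

```powershell
# Added example, not from the thread. Where the thread's user policies are written
# in the registry, and a way to clear them without MMC. Values are per-user (HKCU),
# so run this as the account that is locked out. Function names are this example's own.

$PolicyValues = @(
    @{ Name  = 'Restrict the user from entering author mode'
       Key   = 'HKCU:\Software\Policies\Microsoft\MMC'
       Value = 'RestrictAuthorMode' },
    @{ Name  = 'Restrict users to the explicitly permitted list of snap-ins'
       Key   = 'HKCU:\Software\Policies\Microsoft\MMC'
       Value = 'RestrictToPermittedSnapins' },
    @{ Name  = 'Prohibit access to the Control Panel'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoControlPanel' },
    @{ Name  = 'Remove Security tab'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoSecurityTab' }
)

function Get-AppliedLockoutPolicies {
    # Returns the entries whose REG_DWORD value is currently 1 (policy Enabled).
    foreach ($p in $PolicyValues) {
        if (-not (Test-Path -Path $p.Key)) { continue }
        $item = Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue
        if ($item -and $item.($p.Value) -eq 1) { $p }
    }
}

function Clear-LockoutPolicies {
    # Deletes the enabled values. This reverses the effect immediately for new
    # MMC/Explorer windows, but only until the local GPO is applied again
    # (next logon or gpupdate), when User\Registry.pol rewrites them.
    foreach ($p in Get-AppliedLockoutPolicies) {
        Remove-ItemProperty -Path $p.Key -Name $p.Value
        Write-Host ("Cleared '{0}' ({1}\{2})" -f $p.Name, $p.Key, $p.Value)
    }
}

# Usage, in the locked-out account's session:
#   Get-AppliedLockoutPolicies | ForEach-Object { $_.Name }
#   Clear-LockoutPolicies
#   gpedit.msc      # now opens; set the MMC policies back to Not Configured before the next refresh
```

The reason clearing the two MMC values is enough to get gpedit.msc back is that "Restrict users to the explicitly permitted list of snap-ins" with an empty list blocks every snap-in, including the Group Policy snap-in gpedit.msc loads. Deleting the values is a temporary fix only: the authoritative copy is %SystemRoot%\System32\GroupPolicy\User\Registry.pol, which policy processing re-applies at logon, so the lasting fix is to set the policies to Not Configured in gpedit.msc while the window is open, or to deny the account Read on the GroupPolicy folder so it is never processed for that account. This works for the set of policies in this thread because none of them disables registry editing; a policy set that also enabled "Prevent access to registry editing tools" would make the recovery harder, and Patrickjb's advice to back up System State first still applies.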
richardwhit

2003-02-11, 4:42 pm

No, I didn't manage to fix it without reinstalling XP. But as I mentioned in one of my posts, this was just on one of my machines in my home lab that I was messing about with, so it doesn't matter.

Obviously if this had been in a live environment or in one of the networks or sites I am responsible for, then I wouldn't have been so flagrant in my lack of concern for what I was doing.

I often learn useful stuff when I do daft things in my home lab, and trying to break things often results in learning useful info and techniques I wouldn't otherwise have come across, as probably demonstrated in this thread.
Deja-vue

2004-02-06, 5:11 pm

Patrickjb, you rock, man!
I was digging this old thread up because I had the same problem trying to restrict users on an XP box, but every time I set the local policy it included the Admin account.
Thanks a lot for the explanation, it really does work!

Copyright 2003 - 2008 examnotes.net