lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: security at exim.dyndns.org (James Exim)
Subject: W2k users, local admin rights and GPOs

It has been pointed out several times recently on the SF mailing lists that
a W2k user with local administrator rights can prevent group policy
application on his/her machine and there is apparently nothing the domain
administrator(s) can do about it (see
http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html
for an example)

Does anyone know exactly (a) how, and (b) why this is possible?  Is there
really no workaround other than removing the users from the local
Administrators group?  I keep discovering W2k machines where end users have
been granted local admin rights (yuk!) and I'm trying to convince the
relevant domain admins that, while this is an easy way to make legacy
software work, it isn't such a great idea from a security point of view...

Thanks,

James


Powered by blists - more mailing lists