[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <004901c39df9$baac56e0$0914a8c0@LAPTOP>
From: security at exim.dyndns.org (James Exim)
Subject: W2k users, local admin rights and GPOs
It has been pointed out several times recently on the SF mailing lists that
a W2k user with local administrator rights can prevent group policy
application on his/her machine and there is apparently nothing the domain
administrator(s) can do about it (see
http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html
for an example)
Does anyone know exactly (a) how, and (b) why this is possible? Is there
really no workaround other than removing the users from the local
Administrators group? I keep discovering W2k machines where end users have
been granted local admin rights (yuk!) and I'm trying to convince the
relevant domain admins that, while this is an easy way to make legacy
software work, it isn't such a great idea from a security point of view...
Thanks,
James
Powered by blists - more mailing lists