Old October 4th, 2007 Top | #1
 
celticfan11's Avatar
OSNN Senior Addict
Joined: January 2003
Location: Vernon, CT
Posts: 744
Reputation: 340
Power: 121

Default Can this be stopped

So I figured this out.

If I log in as a test student (who is locked down via Group Policy):

As soon as it accepts the username and password, I unplug the network cord. It logs in. I then plug the network cord back in. I am now at MUCH higher elevated privileges than I should be. This defeats ALL GPOs except computer GPOs. How can this be prevented, if possible?

Server 2003 SP2

CPU: Intel 3.2GHz OC'd to 3.4GHz
RAM: 1GB PC3200
Harddrive: .710TB combined Local and Network storage
Video Card: Geforce 6800 GT 256MB RAM
Motherboard: ASU P4P800
Sound: Onboard sound baby
Monitor: Faithful 21 inches of PURE CRT
Number of Programs Installed: 39 and growing: not counting games, (and yes i use them all)
Old October 4th, 2007 Top | #2

OSNN Folding Team  
Electronic Punk's Avatar
The Last High
Joined: December 2001
Location: London
Posts: 18,506
Blog Entries: 51
Reputation: 3652
Power: 346

Default Re: Can this be stopped

Well this would only happen the first time for a very short period.


Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)

This default profile can have any settings you like and can even use local user policy.

Another solution would be to use roaming profiles.

GP will also refresh as often as you tell it to, or can be forced by using gpupdate (there are also tools that will do it remotely as well).

Old October 4th, 2007 Top | #3
 
celticfan11's Avatar
OSNN Senior Addict
Joined: January 2003
Location: Vernon, CT
Posts: 744
Reputation: 340
Power: 121

Default Re: Can this be stopped

Originally Posted by Electronic Punk View Post
Well this would only happen the first time for a very short period.


Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)

Using this is the only possible solution here. However, there is no profile there. So how do I create one and then make it so that is where default profiles are pulled from instead of from the local PC?

Old October 4th, 2007 Top | #4

OSNN Folding Team  
Electronic Punk's Avatar
The Last High
Joined: December 2001
Location: London
Posts: 18,506
Blog Entries: 51
Reputation: 3652
Power: 346

Default Re: Can this be stopped

Easiest way, or what I have been doing is logging on as a local user, changing all the settings I want to change .. wallpaper, registry tweaks, vbs tweaks, file/folder layouts - anything I could think of.

Logging off, logging on as local admin, going to my computer > properties then copying the folder to C:\Documents and Settings\Default User

This will make it the default user on the PC obviously

If you then copy that entire folder into the NETLOGON folder then that's it!

Also note that any registry changes you make to \HKU\.DEFAULT are not in fact being applied to the default user; this is actually the account used by system services etc. or if no one is logged on (i.e. you can use it to specify the wallpaper for the logon screen).

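A read-only check for the setup described in the post above, added here as an example and not code from the thread: it confirms that a Default User folder with its NTUSER.DAT hive is present in the domain's NETLOGON share, then forces a user policy refresh with gpupdate. The function name and its parameters are hypothetical, and it assumes a domain-joined machine with PowerShell available.

```powershell
# Added example: read-only check of the network default profile.
# Function name and parameters are hypothetical; 'Default User' is the
# folder name used in the thread.
function Test-NetlogonDefaultProfile {
    param(
        [string]$Domain      = $env:USERDNSDOMAIN,
        [string]$ProfileName = 'Default User'
    )
    if (-not $Domain) { throw 'Not logged on to a domain (USERDNSDOMAIN is empty).' }

    $folder = "\\$Domain\NETLOGON\$ProfileName"
    # NTUSER.DAT is the per-user registry hive. It is a hidden file, so it
    # is easy to leave behind when the profile folder is copied by hand.
    $hive = Join-Path $folder 'NTUSER.DAT'

    $folderFound = Test-Path -LiteralPath $folder -PathType Container
    $hiveFound   = $folderFound -and (Test-Path -LiteralPath $hive -PathType Leaf)

    New-Object PSObject -Property @{
        Path        = $folder
        FolderFound = $folderFound
        HiveFound   = $hiveFound
        Usable      = ($folderFound -and $hiveFound)
    }
}

$check = Test-NetlogonDefaultProfile
$check | Format-List Path, FolderFound, HiveFound, Usable

if (-not $check.Usable) {
    Write-Warning "No usable default profile at $($check.Path); new users will start from the local Default User profile."
}

# Re-apply user policy for the current session, as suggested earlier in the thread.
gpupdate /target:user /force
```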
Old October 4th, 2007 Top | #5
 
ZeroHour's Avatar
ho3 ho3 ho3
Joined: March 2004
Location: Scotland
Posts: 1,111
Reputation: 1032
Power: 118

Default Re: Can this be stopped

You don't actually get elevated privileges. You will only get the default which should be "User" level but yes you're right, you can do A LOT more than you should.
I am working on a solution for our network right now but I currently don't have the time to implement my ideas.

<Z>
EduGeek.net -The I.T. professionals' life line
Old October 5th, 2007 Top | #6
 
celticfan11's Avatar
OSNN Senior Addict
Joined: January 2003
Location: Vernon, CT
Posts: 744
Reputation: 340
Power: 121

Default Re: Can this be stopped

Originally Posted by ZeroHour View Post
You don't actually get elevated privileges. You will only get the default which should be "User" level but yes you're right, you can do A LOT more than you should.
I am working on a solution for our network right now but I currently don't have the time to implement my ideas.
It isn't a priority for me either, but this client of ours is a school system, so once a student figures this out, this spells trouble. They can do a lot of damage in a few minutes at this elevated privilege level.

Old October 5th, 2007 Top | #7
 
ZeroHour's Avatar
ho3 ho3 ho3
Joined: March 2004
Location: Scotland
Posts: 1,111
Reputation: 1032
Power: 118

Default Re: Can this be stopped

LOL I manage a school network too.
Damn evil kiddies
I will post a solution when I find the time. As long as they can't install, a lot of the risk is minimal.

Old October 5th, 2007 Top | #8
 
celticfan11's Avatar
OSNN Senior Addict
Joined: January 2003
Location: Vernon, CT
Posts: 744
Reputation: 340
Power: 121

Default Re: Can this be stopped

Originally Posted by ZeroHour View Post
LOL I manage a school network too.
Damn evil kiddies
I will post a solution when I find the time. As long as they can't install, a lot of the risk is minimal.
Sounds like a plan. And no, they can't install, I have them fairly locked down.
