• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Can this be stopped

#1
So i figured this out.

If i login as a test student (who is locked down VIA Group Policy):

As soon as it accepts the username and password, i unplugg the network cord. It logs in. I then plug the network cord back in. I am now at MUCH higher elevated privledges then i should be. This defeats ALL GPOs except computer GPOS. How can this be prevented, if possible?

Server 2003 SP2
 

Electronic Punk

willalwaysbewithyou
Staff member
Political User
#2
Well this would only happen the first time for a very short period.


Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)

This default profile can have any settings you like and can even use local user policy.

Another solutio would be to use roaming profiles.

GP will also refresh as often as you tell it to as well or can be forced by using gpupdate (there are also tools that will do it remotely as well.
 
#3
Well this would only happen the first time for a very short period.


Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)

Using this is the only possible solution here. However there is no profile there. So how do i create one and then make it so that is where defualt profiles are pulled from instead of from the local PC?
 

Electronic Punk

willalwaysbewithyou
Staff member
Political User
#4
Easiest way, or what I have been doing is logging on as a local user, changing all the settings I want to change .. wallpaper, registry tweaks, vbs tweaks, file/folder layouts - anything I could think of.

Logging off, logging on as local admin, going to my computer > properties then copying the folder to C:\Documents and Settings\Default User

This will make it the default user on the PC obviously

If you then copy that entire folder into the NETLOGON folder then thats it!

Also note that any registry changes you make to \HKU\.DEFAULT are not infact being applied to the default user, this is actually the account used by system services etc. or if no one is logged on (ie you can use it specify the wallpaper for the logon screen)
 

ZeroHour

ho3 ho3 ho3
#5
You dont actually get evevated priviledges. You will only get the default which should be "User" level but yes your right you can do ALOT more then you should.
I am working on a solution for our network right now but I currently dont have to time to implement my ideas.
 
#6
You dont actually get evevated priviledges. You will only get the default which should be "User" level but yes your right you can do ALOT more then you should.
I am working on a solution for our network right now but I currently dont have to time to implement my ideas.
It isnt priority for me either, but this client of ours is a school system, so once a student figures this out, this spells trouble. They can do alot of damage in a few mins of this elevated privledge level.
 

ZeroHour

ho3 ho3 ho3
#7
LOL I manage a school network too.
Damn evil kiddies ;)
I will post as solution when I find the time. As long as they cant install a lot of the risk is minimal.
 

Members online

Latest posts

Latest profile posts

Perris Calderon wrote on Electronic Punk's profile.
Ep, glad to see you come back and tidy up...did want to ask a one day favor, I want to enhance my resume , was hoping you could make me administrator for a day, if so, take me right off since I won't be here to do anything, and don't know the slightest about the board, but it would be nice putting "served administrator osnn", if can do, THANKS

Been running around Quora lately, luv it there https://tinyurl.com/ycpxl
Electronic Punk wrote on Perris Calderon's profile.
All good still mate?
Hello, is there anybody in there? Just nod if you can hear me ...
Xie
What a long strange trip it's been. =)

Forum statistics

Threads
61,962
Messages
673,240
Members
89,017
Latest member
loxioalix