Can this be stopped

celticfan11

So I figured this out.

If I log in as a test student (who is locked down via Group Policy):

As soon as it accepts the username and password, I unplug the network cord. It logs in. I then plug the network cord back in. I am now at MUCH higher elevated privileges than I should be. This defeats ALL GPOs except computer GPOs. How can this be prevented, if possible?

Server 2003 SP2
 

Electronic Punk

Well this would only happen the first time for a very short period.


Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)

This default profile can have any settings you like and can even use local user policy.

Another solution would be to use roaming profiles.

GP will also refresh as often as you tell it to as well, or can be forced by using gpupdate (there are also tools that will do it remotely as well).
 

celticfan11

> Well this would only happen the first time for a very short period.
>
> Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)


Using this is the only possible solution here. However, there is no profile there. So how do I create one and then make it so that is where default profiles are pulled from instead of from the local PC?
 

Electronic Punk

Easiest way, or what I have been doing is logging on as a local user, changing all the settings I want to change .. wallpaper, registry tweaks, vbs tweaks, file/folder layouts - anything I could think of.

Logging off, logging on as local admin, going to my computer > properties then copying the folder to C:\Documents and Settings\Default User

This will make it the default user on the PC obviously

If you then copy that entire folder into the NETLOGON folder then that's it!

Also note that any registry changes you make to \HKU\.DEFAULT are not in fact being applied to the default user; this is actually the account used by system services etc., or if no one is logged on (i.e. you can use it to specify the wallpaper for the logon screen).
 

ZeroHour

You don't actually get elevated privileges. You will only get the default, which should be "User" level, but yes, you're right, you can do A LOT more than you should.
I am working on a solution for our network right now but I currently don't have the time to implement my ideas.
 

celticfan11

> You don't actually get elevated privileges. You will only get the default, which should be "User" level, but yes, you're right, you can do A LOT more than you should.
> I am working on a solution for our network right now but I currently don't have the time to implement my ideas.

It isn't a priority for me either, but this client of ours is a school system, so once a student figures this out, this spells trouble. They can do a lot of damage in a few mins of this elevated privilege level.
 

ZeroHour

LOL I manage a school network too.
Damn evil kiddies ;)
I will post a solution when I find the time. As long as they can't install, a lot of the risk is minimal.
 

celticfan11

> LOL I manage a school network too.
> Damn evil kiddies ;)
> I will post a solution when I find the time. As long as they can't install, a lot of the risk is minimal.

Sounds like a plan. And no, they can't install, I have them fairly locked down :).
 
