Can this be stopped

celticfan11

OSNN Senior Addict
Joined
20 Jan 2003
Messages
744
So i figured this out.

If i login as a test student (who is locked down VIA Group Policy):

As soon as it accepts the username and password, i unplugg the network cord. It logs in. I then plug the network cord back in. I am now at MUCH higher elevated privledges then i should be. This defeats ALL GPOs except computer GPOS. How can this be prevented, if possible?

Server 2003 SP2
 

Electronic Punk

willalwaysbewithyou
Staff member
Political Access
Joined
2 Dec 2001
Messages
18,683
Well this would only happen the first time for a very short period.


Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)

This default profile can have any settings you like and can even use local user policy.

Another solutio would be to use roaming profiles.

GP will also refresh as often as you tell it to as well or can be forced by using gpupdate (there are also tools that will do it remotely as well.
 

celticfan11

OSNN Senior Addict
Joined
20 Jan 2003
Messages
744
Well this would only happen the first time for a very short period.


Basically as the user logs in for the first time they will be using the domain default profile stored in \\{domain}\netlogon (if it isn't there it doesn't exist)


Using this is the only possible solution here. However there is no profile there. So how do i create one and then make it so that is where defualt profiles are pulled from instead of from the local PC?
 

Electronic Punk

willalwaysbewithyou
Staff member
Political Access
Joined
2 Dec 2001
Messages
18,683
Easiest way, or what I have been doing is logging on as a local user, changing all the settings I want to change .. wallpaper, registry tweaks, vbs tweaks, file/folder layouts - anything I could think of.

Logging off, logging on as local admin, going to my computer > properties then copying the folder to C:\Documents and Settings\Default User

This will make it the default user on the PC obviously

If you then copy that entire folder into the NETLOGON folder then thats it!

Also note that any registry changes you make to \HKU\.DEFAULT are not infact being applied to the default user, this is actually the account used by system services etc. or if no one is logged on (ie you can use it specify the wallpaper for the logon screen)
 

ZeroHour

ho3 ho3 ho3
Joined
22 Mar 2004
Messages
1,118
You dont actually get evevated priviledges. You will only get the default which should be "User" level but yes your right you can do ALOT more then you should.
I am working on a solution for our network right now but I currently dont have to time to implement my ideas.
 

celticfan11

OSNN Senior Addict
Joined
20 Jan 2003
Messages
744
You dont actually get evevated priviledges. You will only get the default which should be "User" level but yes your right you can do ALOT more then you should.
I am working on a solution for our network right now but I currently dont have to time to implement my ideas.

It isnt priority for me either, but this client of ours is a school system, so once a student figures this out, this spells trouble. They can do alot of damage in a few mins of this elevated privledge level.
 

ZeroHour

ho3 ho3 ho3
Joined
22 Mar 2004
Messages
1,118
LOL I manage a school network too.
Damn evil kiddies ;)
I will post as solution when I find the time. As long as they cant install a lot of the risk is minimal.
 

celticfan11

OSNN Senior Addict
Joined
20 Jan 2003
Messages
744
LOL I manage a school network too.
Damn evil kiddies ;)
I will post as solution when I find the time. As long as they cant install a lot of the risk is minimal.

Sounds like a plan. And no they cant install, i have them fairly locked down :).
 

Members online

No members online now.

Latest profile posts

hello peeps... is been some time since i last came here.
Electronic Punk wrote on Sazar's profile.
Rest in peace my friend, been trying to find you and finally did in the worst way imaginable.
Terrahertz wrote on Electronic Punk's profile.
Yo fellas!
Electronic Punk wrote on Sazar's profile.
Where are you buddy?
Perris Calderon wrote on Electronic Punk's profile.
Hey EP! All good with me, applying for Microsoft MVP right now, should have done this a while ago.

Notifications don't work, I only found your response by coming back to hunt up some threads, if you want, give me your email address so we can keep in touch easier!

Forum statistics

Threads
61,999
Messages
673,426
Members
5,593
Latest member
moussa021