Sunday, February 8, 2009

[THIN] Re: GPO Debate

Hi Greg,
 
We'd probably need Jeremy Moskovitz to answer this authoritatively but here's my take.
 
Server 2003/XP group policies comprise security settings which still use the old NT 4 policy mechanisms. Stuff like user rights, auditing etc all use legacy mechanisms. These are reg hacks and will stick until changed.
 
Once we get into the area of group policies your mileage will vary. As you know there are 2 types of group policies, unmanaged and managed.
 
The difference is that the first type are again NT 4 style policies where a non-volatile change gets made to the registry. Quite a lot of the stuff like system tuning etc
 
Managed group policies on the other hand are transient. They are written to locations like HKLM\Software\Policies and HKLM\Software\Microsoft\Windows\CurrentVersion\Policies for computer configurations and HKCU\Software\Policies and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies. Because they are transient and have to be re-applied on reboot or login, these can be blocked from applying, either by network disconnection or by other more creative means.
 
For example, Jeremy Moskovitz has a simple script (www.gpanswers.com) that will block GP application, and if you get creative on your laptop and create a value, DisableDFS, reg_dword, 0x1, under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Mup, then you can no longer access the netlogon/sysvol\scripts share and can't download domain logon scripts or group policies. Darn, those GPs don't apply anymore.
 
But if we get back to the network connectivity issue, if a group policy refresh interval is defined, provided network connectivity is restored the machine group policies will be applied. However please note that most of the security settings have still stuck.
 
And we can't avoid the small fact that unless I've got access to the console on a terminal server, worrying about what happens if a GP isn't applied because we don't have network connectivity is a sheer waste of time. Anyone that starts worrying about security in that scenario doesn't understand the simple fact that if I can't connect it doesn't matter whether the GP will apply to me or not.
 
So your answer is that you are almost right. Most of the stuff that matters sticks and the stuff that doesn't stick doesn't matter.
 
regards,
 
Rick
 
--
Ulrich Mack
Quest Software
Provision Networks Division
 
 
Provided you can log on there is network connectivity and a user's GP will apply.
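As an added example (not from the thread or from any of the people in it), the following read-only PowerShell check audits the four managed-policy registry locations Rick names, so you can confirm on a given host whether domain GPOs were actually written, flag the Mup\DisableDFS tamper indicator he mentions, and list the GPOs the policy engine last recorded applying. It assumes Windows PowerShell run in the user's own session (so HKCU is that user's hive) with rights to read HKLM, and that the Group Policy\History key is at its standard location.

```powershell
# Added example, not part of the original thread: read-only audit of the
# managed-policy registry roots. Run in the user's own session so HKCU
# resolves to that user's hive; reading HKLM needs the usual rights.

$policyKeys = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyValueCount {
    # Total registry values under a policy root, subkeys included.
    # An empty root on a domain-joined machine means managed policy
    # has not been written since the last reboot/logon.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 0 }
    $total = (Get-Item -Path $Path).ValueCount
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $total += $_.ValueCount }
    return $total
}

foreach ($key in $policyKeys) {
    $n = Get-PolicyValueCount -Path $key
    $state = if ($n -gt 0) { 'managed policy present' } else { 'EMPTY: managed policy not applied' }
    '{0,-62} {1,4} values  {2}' -f $key, $n, $state
}

# Tamper indicator named in the thread: DisableDFS=1 on the Mup service
# makes SYSVOL unreachable, so domain GPOs silently stop refreshing.
$mup = 'HKLM:\System\CurrentControlSet\Services\Mup'
$dfs = (Get-ItemProperty -Path $mup -Name DisableDFS -ErrorAction SilentlyContinue).DisableDFS
if ($dfs -eq 1) {
    Write-Warning 'Mup\DisableDFS is 1: SYSVOL blocked, domain GPOs will not refresh on this host.'
}

# GPOs the policy engine last recorded applying. Assumed standard layout:
# History\<CSE GUID>\<n> subkeys, each carrying a GPOName value.
$hist = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
Get-ChildItem -Path $hist -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).GPOName } |
    Where-Object { $_ } | Sort-Object -Unique |
    ForEach-Object { "applied GPO: $_" }
```

Running it once on the network and again after disconnecting and rebooting shows which roots survive, which is the quickest way to settle the debate Greg describes for a specific build.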


 
On Mon, Feb 2, 2009 at 6:02 AM, Greg Reese <gareese@gmail.com> wrote:
I admit that as I have been in this career for over 15 years, there may be some things that I still don't understand, or worse, some things that I don't understand as well as I think I do.  But keeping an open mind and being willing to learn something from everyone I meet has served me pretty well.

Currently, I am having a debate over GPO use with a colleague (for those of you in government work, think "IA asshole").

Anyway, the debate is that setting a GPO at the domain or OU level does not properly protect a server because as soon as the server is unplugged from the network, the settings disappear leaving the server in an unprotected state.  So this person wants us to make all adjustments by hand with local policies.  As much as my gut tells me this is wrong, I really don't have anything to back it up with.

I say the settings will stay applied in the absence of the rest of the domain structure or servers being present.  But the more I think about it, I really don't know how it really works.  I am going to set up a test next week but figured it was worth throwing out to all of you.

Thanks!

Greg
