Monday, January 7, 2008

Local Administrator Trumps GPO

Okay, I admit, I'm a big fan of Mark Russinovich. I may be biased because this guy modified PSExec for me, but I believe he has some great stuff to teach us. His latest TechNet blog article is a case in point: http://blogs.technet.com/markrussinovich/archive/2008/01/02/2696753.aspx

I've always assumed that GPO settings I create to manage my organization's desktops and users give me ultimate control. It didn't matter what setting someone changed locally; if I had a contradictory setting in my GPO then it would get changed back in short order. How wrong I have been.

Mark's blog shows local administrators how to use regedit to set permissions that will prevent GPOs from being able to configure their settings. Don't forget that although you may edit GPOs using pretty GPMC templates, the policies only manifest themselves on a local machine by making changes to registry settings. If the system loses its right to change a registry setting then the GPO is essentially neutered. This is not new to Vista - this was also possible in XP.
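To find machines where this has happened, you can audit the ACLs on the policy registry keys. The PowerShell below is an added example, not code from Mark's article or from this post; the two HKLM roots, the SID lists and the function name `Test-PolicyKeyAcl` are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Run elevated on the machine being audited.
# Assumption: these two HKLM roots are where machine policy settings are written.
$roots = 'HKLM:\SOFTWARE\Policies',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
# SYSTEM, plus BUILTIN\Administrators, which is also present in SYSTEM's token.
$trusted = 'S-1-5-18', 'S-1-5-32-544'
# A Deny ACE for any of these SIDs (incl. Everyone, Authenticated Users) hits SYSTEM too.
$denyHits = $trusted + 'S-1-1-0', 'S-1-5-11'
$write = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$sidType = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-PolicyKeyAcl {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { return "cannot read ACL: $($_.Exception.Message)" }

    # Explicit and inherited ACEs, skipping those that only apply to subkeys.
    $rules = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        -not ([int]$_.PropagationFlags -band $inheritOnly)
    }
    $issues = @()
    $deny = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $denyHits -contains $_.IdentityReference.Value -and
        ([int]$_.RegistryRights -band $write)
    }
    if ($deny) { $issues += 'Deny ACE blocks writes by SYSTEM' }

    $allow = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -contains $_.IdentityReference.Value -and
        (([int]$_.RegistryRights -band $write) -eq $write)
    }
    if (-not $allow) { $issues += 'no Allow ACE gives SYSTEM write access' }
    $issues -join '; '   # empty string means the key looks writable by SYSTEM
}

$keys = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        Get-Item -LiteralPath $root
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue
    }
}
foreach ($key in $keys) {
    $result = Test-PolicyKeyAcl -Path $key.PSPath
    if ($result) { [pscustomobject]@{ Key = $key.Name; Issue = $result } }
}
```

Any key it reports is one where a GPO refresh may silently fail to reapply its setting, so compare the key's ACL and owner against a known-good machine before trusting that the policy is in force.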
