GPO Being Applied

Status
Not open for further replies.

Brain

Baseband Member
Messages
96
Hi Everyone,
Just a quick question. I was wondering what User account AD uses to apply policies to a certain PC. Does it use the System account?

Thanks
 
why do you ask?

when a machine logs onto the network, it requests the security policies to the machine from AD and applies them. Its a function of the OS. I never ran across which account applies these changes in my studies.
 
The reason I ask is because a former network admin with our company published a GPO to the domain which had many bad affects on the Permissions to the C drive. We were looking at using a GPO to reverse the changes, but we werent sure what account if any GPO would need to use on the local account to apply the policy. For instance, if all permissions were removed from the C drive, would GPO still be able to be applied? More specifically, a GPO that overrides permissions on the C drive.
 
first, i think adding another GPO to reverse the changes should not be the solution. Then again, I'm not sure how the GPO was able to change permissions on your c drive.

i think you would need a user account with local admin rights and the "fixing" GPO applied.

Will the "broken" GPO still apply? depends on what the GPO is linked to and if the user account has permission to apply the GPO.

You can set certain GPOs to No Override, but it will make your setup more complicated than it needs to be.
 
Our company is 4000 users, so for the last day or so we have been connecting to the hidden share of each PC that we were able to find using an Analyzer, amd change the permissions, which only takes about 45 seconds per PC, but we would like to atleast test and perhaps roll out, but our first question was if the policy could even be applied to change the permissions if there were no permissions to a certain logon account. The GPO that caused the issues was unlinked within a couple of hours after being applied, so not all computers on our network recieved the bad policy. The original policy was created through security templates, then under rootsec, then the File System directory. I was just wondering if GPO uses a specific User account on the local computer to actually apply the policy, such as the System account. Thanks for the quick replies.
 
GPO's are two part. The machine and the user. If they are applied to the machine, they use the system account. if they are applied to the user, they use the user account.

Curious, what change do you need to make on the machine? There are some tools that you can use to change permissions and apply that via a GPO Loginscript to the machine. We do this for installing our antiPest software. Had to write a little virus like script, but it works very well.

Also, best way to test GPO's is by creating a OU to contain the users/machines that you want to test on. They can be under the main OU, so that they still get upper level propigation, but you can apply other GPO's to them directly without effecting other machines/users outside the OU.

Good luck
 
Inaris said:
GPO's are two part. The machine and the user. If they are applied to the machine, they use the system account. if they are applied to the user, they use the user account.

Curious, what change do you need to make on the machine? There are some tools that you can use to change permissions and apply that via a GPO Loginscript to the machine. We do this for installing our antiPest software. Had to write a little virus like script, but it works very well.

Also, best way to test GPO's is by creating a OU to contain the users/machines that you want to test on. They can be under the main OU, so that they still get upper level propigation, but you can apply other GPO's to them directly without effecting other machines/users outside the OU.

Good luck

Thanks for the reply. We just werent sure if when the local PC gets the latest Policy from the domain if it uses some sort of built in local account to make the changes on the system. We werent sure if the domain uses the enterprise admin account to override any conflicting GPOs on the local system, or if it relies on a local account to carry out these changes, or I could be totally off and it uses some sort of other mechanism. Even with a User policy, obviously in most cases the user account that is being logged in does not have access to modify policies in most cases, so how exactly are the the user policies applied? I know this may seem like overkill, but I would really love to wrap my head around it. For instance, if I removed every local, and domain account from any sort of permissions to the winnt directory, and every other directory on the C drive, would a GPO still be able to be applied? My understanding is that a GPO basically either makes changes to the Registry, or system files, but either way wouldnt some sort of account need access to write this data? I appreciate the help everyone.
 
Consider the local policy the WEAKEST policy it will ALWAYS be overridden by a GPO. If I recall the order is LOCAL POLICY, SITE POLICY, DOMAIN POLICY, OU POLICY then CHILD OU POLICY. So be sure when applyign the GPO one is not a higher rank than the other as the strictist permission with the higesht order will alwayws win.
 
Status
Not open for further replies.
Back
Top Bottom