GPO Being Applied - Techist - Tech Forum

Old 03-15-2006, 09:14 AM   #1 (permalink)
Junior Techie
 
Join Date: May 2005
Posts: 96
GPO Being Applied

Hi Everyone,
Just a quick question. I was wondering what User account AD uses to apply policies to a certain PC. Does it use the System account?

Thanks
Brain is offline  
Old 03-15-2006, 10:39 AM   #2 (permalink)
It's all just 1s and 0s
 
Join Date: Jan 2004
Location: in the lab
Posts: 6,555

Why do you ask?

When a machine logs onto the network, it requests the security policies to the machine from AD and applies them. It's a function of the OS. I never ran across which account applies these changes in my studies.
office politics is offline  
Old 03-15-2006, 10:46 AM   #3 (permalink)
Junior Techie
 
Join Date: May 2005
Posts: 96

The reason I ask is because a former network admin with our company published a GPO to the domain which had many bad effects on the permissions to the C drive. We were looking at using a GPO to reverse the changes, but we weren't sure what account, if any, GPO would need to use on the local account to apply the policy. For instance, if all permissions were removed from the C drive, would GPO still be able to be applied? More specifically, a GPO that overrides permissions on the C drive.
Brain is offline  
Old 03-15-2006, 10:55 AM   #4 (permalink)
It's all just 1s and 0s
 
Join Date: Jan 2004
Location: in the lab
Posts: 6,555

First, I think adding another GPO to reverse the changes should not be the solution. Then again, I'm not sure how the GPO was able to change permissions on your C drive.

I think you would need a user account with local admin rights and the "fixing" GPO applied.

Will the "broken" GPO still apply? Depends on what the GPO is linked to and if the user account has permission to apply the GPO.

You can set certain GPOs to No Override, but it will make your setup more complicated than it needs to be.
office politics is offline  
Old 03-15-2006, 11:01 AM   #5 (permalink)
Junior Techie
 
Join Date: May 2005
Posts: 96

Our company is 4000 users, so for the last day or so we have been connecting to the hidden share of each PC that we were able to find using an Analyzer and changing the permissions, which only takes about 45 seconds per PC, but we would like to at least test and perhaps roll out, but our first question was if the policy could even be applied to change the permissions if there were no permissions to a certain logon account. The GPO that caused the issues was unlinked within a couple of hours after being applied, so not all computers on our network received the bad policy. The original policy was created through security templates, then under rootsec, then the File System directory. I was just wondering if GPO uses a specific User account on the local computer to actually apply the policy, such as the System account. Thanks for the quick replies.
Brain is offline  
Old 03-15-2006, 06:18 PM   #6 (permalink)
Master Techie
 
Join Date: Oct 2003
Posts: 2,258

GPOs are two part. The machine and the user. If they are applied to the machine, they use the system account. If they are applied to the user, they use the user account.

Curious, what change do you need to make on the machine? There are some tools that you can use to change permissions and apply that via a GPO Loginscript to the machine. We do this for installing our antiPest software. Had to write a little virus-like script, but it works very well.

Also, best way to test GPOs is by creating an OU to contain the users/machines that you want to test on. They can be under the main OU, so that they still get upper level propagation, but you can apply other GPOs to them directly without affecting other machines/users outside the OU.

Good luck
Inaris is offline  
Old 03-15-2006, 06:29 PM   #7 (permalink)
Junior Techie
 
Join Date: May 2005
Posts: 96

Quote:
Originally posted by Inaris
GPOs are two part. The machine and the user. If they are applied to the machine, they use the system account. If they are applied to the user, they use the user account.

Curious, what change do you need to make on the machine? There are some tools that you can use to change permissions and apply that via a GPO Loginscript to the machine. We do this for installing our antiPest software. Had to write a little virus-like script, but it works very well.

Also, best way to test GPOs is by creating an OU to contain the users/machines that you want to test on. They can be under the main OU, so that they still get upper level propagation, but you can apply other GPOs to them directly without affecting other machines/users outside the OU.

Good luck

Thanks for the reply. We just weren't sure if when the local PC gets the latest Policy from the domain if it uses some sort of built-in local account to make the changes on the system. We weren't sure if the domain uses the enterprise admin account to override any conflicting GPOs on the local system, or if it relies on a local account to carry out these changes, or I could be totally off and it uses some sort of other mechanism. Even with a User policy, obviously in most cases the user account that is being logged in does not have access to modify policies in most cases, so how exactly are the user policies applied? I know this may seem like overkill, but I would really love to wrap my head around it. For instance, if I removed every local and domain account from any sort of permissions to the winnt directory, and every other directory on the C drive, would a GPO still be able to be applied? My understanding is that a GPO basically either makes changes to the Registry, or system files, but either way wouldn't some sort of account need access to write this data? I appreciate the help everyone.
Brain is offline  
Old 03-15-2006, 09:54 PM   #8 (permalink)
Master Techie
 
Join Date: Feb 2004
Posts: 2,172

Consider the local policy the WEAKEST policy; it will ALWAYS be overridden by a GPO. If I recall, the order is LOCAL POLICY, SITE POLICY, DOMAIN POLICY, OU POLICY, then CHILD OU POLICY. So be sure when applying the GPO that one is not a higher rank than the other, as the strictest permission with the highest order will always win.
Win2kpatcher is offline  
Old 03-16-2006, 06:12 PM   #9 (permalink)
Wizard Techie
 
Join Date: Apr 2004
Posts: 3,247

Unless you disable inherited policies.
killians45 is offline  
Old 03-16-2006, 08:31 PM   #10 (permalink)
Master Techie
 
Join Date: Feb 2004
Posts: 2,172

Quote:
Originally posted by killians45
Unless you disable inherited policies.

Well, obviously that would be a given... I say if someone didn't know that, they have no business in an AD Env.
Win2kpatcher is offline  
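
Added example, not part of the original thread: a simplified Python model of the precedence rules raised in posts #4, #8 and #9 (processing order, No Override, blocked inheritance), applied to a domain-linked GPO and a test OU like the ones discussed. The GPO names `BadFS` and `FixFS`, the setting key and its values are constructed; local policy, link order within a container, security filtering and WMI filters are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                        # hypothetical GPO name
    settings: dict
    enforced: bool = False          # the "No Override" option from the thread

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # in processing order, last wins
    block_inheritance: bool = False

def resultant(chain):
    """chain: containers from site down to the computer's own OU.
    Returns {setting: (value, winning GPO)}."""
    # Non-enforced links above the deepest blocking container never arrive.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    result = {}
    for c in chain[cut:]:                       # top down: later write wins
        for link in c.links:
            if not link.enforced:
                result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    for c in reversed(chain):                   # enforced: highest container wins
        for link in c.links:
            if link.enforced:
                result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    return result

def scenario(bad_enforced=False, ou_blocks=False, ou_has_fix=True):
    """Constructed sample: a domain-linked GPO and a test OU below it."""
    bad = Link("BadFS", {"C:\\ ACL": "stripped"}, enforced=bad_enforced)
    fix = Link("FixFS", {"C:\\ ACL": "restored"})
    chain = [Container("Site"),
             Container("Domain", [bad]),
             Container("OU=Test", [fix] if ou_has_fix else [], ou_blocks)]
    return resultant(chain)

if __name__ == "__main__":
    print(scenario())                                   # FixFS wins
    print(scenario(bad_enforced=True))                  # BadFS wins
    print(scenario(ou_blocks=True, ou_has_fix=False))   # nothing applies
```
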
All times are GMT -5.