Home page logo

basics logo Security Basics mailing list archives

Re: Windoze GPO Question
From: "Salvador III Manaois" <badzmanaois () gmail com>
Date: Tue, 11 Nov 2008 16:11:21 +0800

Hi John,

Some GPO settings (computer- or user-targeted) remain persistent even
when a user is logging in off the corpnet with cached credentials. I
suggest not to use GPOs to define TCP/IP related info such as name
servers to query, gateway, etc; make use of DHCP scope options to
define these instead. When a user logs in (with cached credentials)
out of the corporate network, say via free wifi access inside an
airport, he will get the TCP/IP connection settings from the DHCP
server in the airport which should allow him to browse the internet
and maybe tunnel in to the corporate network to access corporate
resources (email, shared folders, etc.).

And logging in with a local account is a bad idea; these accounts may
not get user-specific restrictions defined for the domain users.
Furthermore, managing these local accounts will add additional
administrative burden to your administrators.


Salvador Manaois III
C|EH MCSE MCSA MCITP|Server/Enterprise Admin
Bytes & Badz : http://badzmanaois.blogspot.com

On Tue, Nov 11, 2008 at 4:24 AM, Jon Kibler <Jon.Kibler () aset com> wrote:
Hash: SHA1


This may be slightly off topic, but I have a question about GPO scope.

I have a client that has a bunch of sales people who have laptops. When
they come into their office, they login to the domain. When they are on
the road, they login to 'this computer.'

The problem that the client is seeing has left me scratching my head
about how GP works. What is happening is the client has recently set
some new group policies that do things like specify which name servers
and other network resources a given OU is to use. Now, when these
laptops are taken on the road and the user tries to get Internet access,
it fails. Why? Because the GPO settings are overriding the DHCP settings
on 'this computer'.

What I don't understand is why DOMAIN OU GPOs are being applied outside
the scope of the domain. If you are not logging into the domain, why are
the domain GPOs in effect? This doesn't make sense. Has my client
somehow misconfigured AD?


Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]