Home page logo

basics logo Security Basics mailing list archives

Re: Windoze GPO Question
From: "Nikhil Wagholikar" <visitnikhil () gmail com>
Date: Tue, 11 Nov 2008 09:45:09 +0530

Hello Jon Kibler,

I am in total agreement with Steve Armstrong.

Its a good idea to create a separate OU for laptop users (may be a
roaming profile) that have permissions to apply other DHCP settings or
basically change their Network settings.

If your client has remote access (say VPN connectivity to their local
network), then roaming profile is best solution. Let the sales team
login to the domain instead of "This computer".

Nikhil Wagholikar
Practice Lead | Security Assessment & Digital Forensics
NII Consulting
Web: http://www.niiconsulting.com/
Security Products: http://www.niiconsulting.com/products.html

On Tue, Nov 11, 2008 at 1:54 AM, Jon Kibler <Jon.Kibler () aset com> wrote:

Hash: SHA1


This may be slightly off topic, but I have a question about GPO scope.

I have a client that has a bunch of sales people who have laptops. When
they come into their office, they login to the domain. When they are on
the road, they login to 'this computer.'

The problem that the client is seeing has left me scratching my head
about how GP works. What is happening is the client has recently set
some new group policies that do things like specify which name servers
and other network resources a given OU is to use. Now, when these
laptops are taken on the road and the user tries to get Internet access,
it fails. Why? Because the GPO settings are overriding the DHCP settings
on 'this computer'.

What I don't understand is why DOMAIN OU GPOs are being applied outside
the scope of the domain. If you are not logging into the domain, why are
the domain GPOs in effect? This doesn't make sense. Has my client
somehow misconfigured AD?


Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]