If you're using Active Directory, gpo's at the ou level could not be rescinded
by a local admin account. If a normal user logs in with their domain account,
all the site/domain/ou gpo's relevant to that computer and user would apply.
The gpo setting, prohibit access to the control panel, is only available under
the user configuration, and reads that disabling it prohibits users from
starting the control panel. I've tested this and when you try a runas with the
local admin account, the control panel does not open.
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Thursday, January 13, 2005 10:11 PM
To: focus-ms@securityfocus.com
Subject: local admin vs group policy and apps...
Hi,
We have two apps (even calling them legacy seems to attribute some
undeserved elegance to them) which must run at admin level to function
properly. I am trying to find out whether the fact that users are allowed to
be local admins, or even given the runas power to run the app can still be
locked out of control panel etc through GPOs.
I mean, if I let people runas then they know the admin password so can
rescind any GP settings, can't they? How can I shut that possibility out?
Yes I have asked for the possibility of then apps being recoded to function
under power users but the development team are of the starving waif variety
due to under resourcing...this consideration is not high on the list.
Kind Regards
Murad Talukdar
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
