Foo - Long shot - anyone know about windows server 2003?

j.foster
04-20-06, 11:51 AM
Hi All,
This may be a really long shot, but I'm wondering if anyone in here knows about Group Policy in Windows Server 2003? I currently work in an IT department in a school, and children being children want to do all they can to destroy the network, so their desktops are locked down nice and tightly by way of Group Policy. Unfortunately with Group Policy, if you unplug the network cable the second the computer has authenticated with the domain, then your policy doesn't get processed and they are left with an unlocked workstation. From here they can pop the network cable back in and get up to all sorts of network-related mischief. Is there any way of stopping this other than implementing local security policies? I was thinking along the lines of Group Policy settings whereby the machine is forced to use the last Group Policy it had if a network connection isn't found, or perhaps a third-party tool of some kind. Anyone know of anything?
Cheers
jonno
TexasGuy
04-20-06, 12:28 PM
Umm. I'm thinking something must be very wrong if the machine is unlocked. I don't know enough about GPO and LSP to be of much help, except I've never seen that happen. I'm thinking that Guest accounts must be turned on on the servers perhaps. That is the only thing I could think of that would allow that to happen.
brokenrobot
04-20-06, 12:58 PM
Are you sure those machines are properly joined to the domain? That REALLY should not be happening...
Maelstrom
04-20-06, 01:14 PM
As long as the admin has joined the PC to the domain, the Group Policy has been passed over. If the admin made the PC and didn't join the PC to the domain, then it will be left waiting for the Group Policy to be passed. And in reality, even once they pop in the cable it should refresh the Group Policies as the computer sits there.
I would do a couple of things. I will let you look up the details yourself ;)
1 - Restart the PC remotely. This will force it to join correctly. Hopefully the user is dumbfounded enough to not take the cable out.
2 - When building the PC (imaging?) figure out how to set the Group Policy refresh in the registry. As soon as the PC turns on, in 5 minutes (if that's what you want) it will continue to refresh the GPO. Or... two-fold attack: remotely change the registry and force a restart. No matter what the person does (unless they change the GPO as it is rebooting) the GPO will be forced out.
3 - There are 3rd-party tools that allow you to push the Group Policy onto a PC remotely regardless of what the user attempts to do.
4 - If the PC happens to not be part of the domain (sounds likely), force a remote joining to the domain, then it will reboot and blamo - GPO passed.
The second the GPO has been refreshed it will never go away regardless of network connectivity.
DannoXYZ
04-20-06, 01:27 PM
Are you concerned with local security on that station alone when they disconnect the cable? Or are you trying to enforce security with access to the network domain? Either way, you want to turn off the cached logon information.
http://support.microsoft.com/kb/172931
Set the cache registry key to zero:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0
You'll also want to set the following in your Group Policy:
"Turn off background refresh of Group Policy" = Disabled
and the CSE to "Process even if the Group Policy objects have not changed"
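An added audit/remediation script for the settings recommended in this post and in Maelstrom's list above (turn off cached logons, keep background refresh on, force a refresh). This is my own example, not code from the thread or from Microsoft. It assumes it runs elevated on a domain-joined Windows host with Windows PowerShell; the registry value name for the "Turn off background refresh of Group Policy" policy (DisableBkGndGroupPolicy under the Policies\System key) is my assumption from memory, not something the thread states.

```powershell
# Audit (and with -Remediate, fix) cached-logon and background-refresh settings
# on the local machine. Added example, not from the original thread.
param([switch]$Remediate)

# Key and value named in the post (KB 172931); CachedLogonsCount is REG_SZ.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumed location of the "Turn off background refresh of Group Policy" setting.
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # Windows default when the value is absent
    return [int]$item.CachedLogonsCount
}

function Get-BackgroundRefreshDisabled {
    $item = Get-ItemProperty -Path $policies -Name DisableBkGndGroupPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false } # absent = background refresh enabled
    return ([int]$item.DisableBkGndGroupPolicy -eq 1)
}

# 1. Is the box actually joined to a domain? (brokenrobot's question)
$cs = Get-WmiObject -Class Win32_ComputerSystem
Write-Host ("Domain joined : {0} ({1})" -f $cs.PartOfDomain, $cs.Domain)

# 2. Cached logons: any value above 0 lets a user log on with no DC reachable,
#    which is exactly the state that leaves the machine without its GPO.
$cached = Get-CachedLogonsCount
Write-Host ("CachedLogonsCount : {0}  (want 0 for fixed lab desktops)" -f $cached)

# 3. Background refresh must stay enabled or a late-arriving GPO is never applied.
$bgOff = Get-BackgroundRefreshDisabled
Write-Host ("Background refresh disabled : {0}  (want False)" -f $bgOff)

if ($Remediate) {
    if ($cached -ne 0) {
        # Written as a string because the value is REG_SZ, as the post shows.
        Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0' -Type String
        Write-Host 'CachedLogonsCount set to 0'
    }
    if ($bgOff) {
        Remove-ItemProperty -Path $policies -Name DisableBkGndGroupPolicy -ErrorAction SilentlyContinue
        Write-Host 'Background refresh re-enabled (local override removed)'
    }
    # Pull current policy now rather than waiting for the next refresh cycle.
    & gpupdate.exe /force
}
```

Run it once without `-Remediate` to see where each lab machine stands, then with `-Remediate` to apply. The trade-off to keep in mind: with CachedLogonsCount at 0 nobody can log on while the domain controller is unreachable, which is the intended outcome for fixed classroom desktops but would lock out laptop users off-site, so scope the setting to the OU holding the lab computers rather than the whole domain.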
TexasGuy
04-20-06, 01:28 PM
Cached Credentials are coooooooooool
Maelstrom
04-20-06, 01:31 PM
How is anyone going to learn to google if you just hand them the answer hahaha
j.foster
04-21-06, 05:15 AM
Thanks for the suggestions guys. A few things relating to some of the suggestions:
Firstly, the machines are all correctly joined to the domain; the computer accounts are all nicely organised in their own OU. It is to this OU that the GPO containing computer configuration settings is linked.
If you configure the GPO to enforce a refresh of GPO settings every 5 minutes or whatever, that's all well and good, except the users don't get that GPO if they have pulled their network cable out.
One route I have been looking at going down, albeit very long-winded, is to assign all the users roaming user profiles. When they have roaming user profiles you can mark a setting in Group Policy that will log them off if their roaming profile is unavailable. If they pull their network cable out their profile is made unavailable and as a result they are logged off.
The roaming user profile business seems to be skirting the issue somewhat, so I don't really want to implement it as a permanent solution. I think, as per Maelstrom's 3rd suggestion, I will see what I can do about finding a 3rd-party piece of software that I can use to force the policies out every couple of minutes to any computers that are logged onto the network.
Maelstrom
04-21-06, 10:40 AM
If you configure the GPO to enforce a refresh of GPO settings every 5 minutes or whatever, that's all well and good, except the users don't get that GPO if they have pulled their network cable out.
True, but then they can't work. The point of forcing a refresh is that when they do attach within a short time it will put the GPO on the computer. If it doesn't, there is something else wrong.
One route I have been looking at going down, albeit very long-winded, is to assign all the users roaming user profiles. When they have roaming user profiles you can mark a setting in Group Policy that will log them off if their roaming profile is unavailable. If they pull their network cable out their profile is made unavailable and as a result they are logged off.
The roaming user profile business seems to be skirting the issue somewhat, so I don't really want to implement it as a permanent solution. I think, as per Maelstrom's 3rd suggestion, I will see what I can do about finding a 3rd-party piece of software that I can use to force the policies out every couple of minutes to any computers that are logged onto the network.
I have had very little luck with roaming profiles. In theory they should kick ass, but instead I found them... tedious. Likely due to using Citrix, but for my environment it didn't work. Since you are attempting such a long-winded solution, why not go to each PC and create some local policies and begin enforcing those on each new image? At least that way the most fundamental rules will be enforced regardless of how it is attached to the network.