Preventing users from Modifying Group Policy Settings
How to prevent users from modifying Group Policy.
Group Policy is the administrator’s friend as it lets you lock down security, desktop and user settings on user’s machines and for user accounts. Unfortuantely in some scenarios admins grant desktop users local admin privileges on their machines, either due to application compatibility issues or for specific power needs. And being a local admin on your machine means you can undo many Group Policy settings targeting your machine simply by editing the registry directly.
How can you prevent local admin users from doing this? You can’t actually, but you can force Group Policy settings to be reapplied to target computers even when the actual settings within a GPO haven’t changed. To do this, open the following policy setting in your GPO:
Computer Configuration Administrative Templates System Group Policy Registry Policy Processing
Enable this policy setting and select the checkbox labeled “Process even if the Group Policy objects have not changed”. What this will do is automatically re-apply the policy to the targeted computer during background refresh even though the GPO setting itself hasn’t changed. This means that any registry changes to policy that the local user has made will get undone during background refresh, and hopefully if this happens frequently enough the user will get frustrated and stop trying to circumvent policy.
This solution isn’t perfect, so it should be augemented by mandating in your written security policy that users are not allowed to undo policy settings on their machine, even temporarily. In fact, the foundation for true network security is not technological setttings like these but a clear, comprehensive written security policy that is fairly but consistently enforced. That’s because security is fundamentally a human problem, not a machine one.
Article written by MyComputerAid.com
2003 server - Sep 30, 2008 22:34 - 0 Comments
instant messaging srv records
More In Computers & PC
- Howto secure wordpress
- Simple wordpress upgrade from SSH howto
- permanently delete your facebook account
- Creating a Sound File
- Talking to the Mouse
Microsoft Outlook - Mar 22, 2009 11:22 - 0 Comments
Outlook: Duplicates in Mailbox
More In Computers & PC
- Howto secure wordpress
- Simple wordpress upgrade from SSH howto
- permanently delete your facebook account
- Creating a Sound File
- Talking to the Mouse
Microsoft Desktop, Web browsers and Internet, Windows 2000, Windows 7, Windows 98, Windows Firewall and networking, Windows Vista, Windows XP - Feb 8, 2010 18:09 - 0 Comments
Disable Proxy settings in IE
More In Computers & PC
- Howto secure wordpress
- Simple wordpress upgrade from SSH howto
- permanently delete your facebook account
- Creating a Sound File
- Talking to the Mouse
Leave a Reply
You must be logged in to post a comment.