Prevent Group Policy settings being downloaded from the server


14 replies to this topic

#1 SAGA

SAGA

    SUP3R 31337

  • Members
  • 175 posts
  • Location:India

Posted 02 August 2008 - 01:26 AM

I am connected to a Windows 2003 server (I log in on the server as a user). And they have created some restrictions with the administrative templates (like cannot right-click on the taskbar, cannot press Winkey+E and lots of craps).

I already breached the server security (got the passes) as well as the client's admin account.... :)

Now how can I prevent these restrictions from being downloaded from the server to us? Is there anything I can do with the client?

#2 Gregor

Gregor

    elite

  • Members
  • 109 posts

Posted 02 August 2008 - 06:46 AM

I'm not sure if gpdisable.exe might help. Another thing you could try (assuming that cmd.exe and regedit.exe have been disabled) are hex-edited versions of these executables. There are instructions about how to do that. If you can access cmd and regedit on the local PC when connected to the domain, that might give you a start in undoing the restrictions. Of course, there might be a user agreement in place which expressly forbids users playing around with the network ... expulsion from school, termination of employment etc., so you might want to tread very carefully!

Post back with your progress - I'll be interested to know what you did and how you got along. As a matter of interest, how did you breach the server security?

#3 M0ralGray

M0ralGray

    H4x0r

  • Members
  • 39 posts
  • Location:The Street

Posted 02 August 2008 - 07:43 AM

What passes do you have exactly? If you have either the local admin or domain admin you could always run programs on the machine as those.

Do you have access to the command prompt or the Run menu? If not, you could try making a shortcut or batch file to start c:\windows\system32\cmd.exe or c:\windows\system32\command.com

On the Run menu or limited command prompt...
runas /user:adminname cmd.exe
for local admin, or

runas /user:domainname\domainadmin cmd.exe
gives you access under the domain admin.

From this administrative command prompt you could start or restart any program you like.

To kill and restart Windows Explorer:
tskill explorer
explorer.exe

There are other solutions to this problem in a domain, such as the "netdom" or "net" command, but unless you are familiar with Active Directory I wouldn't suggest trying anything with it.

As the previous poster said, please don't get expelled from school or fired from work for using this info. Login attempts can be audited both in domains and on local machines.

*Edited for code clarity*

Edited by M0ralGray, 02 August 2008 - 07:47 AM.
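The remark above that runas-style logons can be audited is the defender's angle on this thread. As an added example (not from any poster), the following flags explicit-credential logons in which an ordinary domain user runs something as the local Administrator or as a privileged domain account. The log lines are constructed to mirror the fields of the Windows 2000/XP/2003 Security event 552 ("Logon attempt using explicit credentials"); the key=value layout, host name, domain name and account names are assumptions.

```python
"""Flag explicit-credential (runas-style) logons to privileged accounts.

Added example; the log format is a constructed key=value rendering of the
fields carried by Security event 552 on Windows 2000/XP/2003, not a real export.
"""
import re
from typing import Dict, List

# Constructed sample: one event per line. Host and domain names are assumptions.
SAMPLE_LOG = "\n".join([
    "id=552 user=alice domain=CORP target_user=Administrator target_domain=WS-LAB01 "
    "target_server=localhost process=runas.exe",
    "id=552 user=bob domain=CORP target_user=bob target_domain=CORP "
    "target_server=fileserver process=explorer.exe",
    "id=528 user=alice domain=CORP logon_type=2",
    "id=552 user=alice domain=CORP target_user=domainadmin target_domain=CORP "
    "target_server=localhost process=runas.exe",
])

PRIVILEGED_LOCAL = {"administrator"}       # built-in local admin
PRIVILEGED_DOMAIN = {"domainadmin"}        # constructed; pull from Domain Admins in practice


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; unknown keys are simply carried along."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def flag_explicit_privileged_logons(log_text: str, host: str, domain: str) -> List[Dict[str, str]]:
    """Return one alert per event 552 whose target is a privileged local or domain account.

    A user re-authenticating as themselves (e.g. to a share) is skipped as benign.
    """
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("id") != "552":
            continue
        tuser = ev.get("target_user", "").lower()
        tdom = ev.get("target_domain", "").lower()
        if tuser == ev.get("user", "").lower() and tdom == ev.get("domain", "").lower():
            continue
        local_priv = tdom == host.lower() and tuser in PRIVILEGED_LOCAL
        domain_priv = tdom == domain.lower() and tuser in PRIVILEGED_DOMAIN
        if local_priv or domain_priv:
            alerts.append({
                "user": ev.get("user", "?"),
                "ran_as": f"{ev.get('target_domain', '?')}\\{tuser}",
                "process": ev.get("process", "?"),
                "scope": "local" if local_priv else "domain",
            })
    return alerts
```

Run over the sample, the two runas events by alice are reported and bob's self-authentication to the file server is ignored; on a real system the same rule would be fed from the workstation's Security log, since the thread correctly notes that such logons are recorded locally as well as on the domain.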


#4 mirrorshades

mirrorshades

    aviatorglasses

  • Agents of the Revolution
  • 951 posts
  • Gender:Male

Posted 02 August 2008 - 08:46 AM

Anything you could do to prevent the GP from propagating to a client box would likely either (1) show up in various logs or error messages available to the *real* admins (e.g. change the GP settings, move the computer/user accounts into different OUs), or (2) render the computer you're trying to sign onto useless (e.g. disconnect from the domain, unplug the network cable).

Just because you think the policies are "craps" doesn't mean that you won't get into major trouble if you're found out. Best bet is to just leave it all alone; if you really feel entitled to use the computer in an unrestricted fashion, then bring some sort of Linux live CD with you and boot to that instead. If nothing else, that has less of an appearance of maliciousness than trying to explicitly subvert/modify existing security policy.

#5 SAGA

SAGA

    SUP3R 31337

  • Members
  • 175 posts
  • Location:India

Posted 02 August 2008 - 09:32 AM

Of course, there might be a user agreement in place which expressly forbids users playing around with the network ... expulsion from school, termination of employment etc., so you might want to tread very carefully!


Fortunately we don't have such agreements. Anyway, as you said, I should be careful.....

Post back with your progress - I'll be interested to know what you did and how you got along. As a matter of interest, how did you breach the server security?

I used Cain to capture the hashes and used 28 GB of HalfLM rainbow tables to crack them...........


What passes do you have exactly? If you have either the local admin or domain admin you could always run programs on the machine as those.


I log in on the domain rather than the local computer. I have both the domain admin's password and the local computer's administrator account password....

I can use the command prompt but registry editing is forbidden............


I mean, let's say when I compile a C program, the whole operation is done with the help of the local computer's resources (CPU, RAM...). I use the remote server only for storing the files (so that I can access them anywhere from the network)...........

runas /user:domainname\domainadmin cmd.exe


Is it possible to run any of my own programs on the server using the above command?

Edited by SAGA, 02 August 2008 - 09:32 AM.


#6 M0ralGray

M0ralGray

    H4x0r

  • Members
  • 39 posts
  • Location:The Street

Posted 02 August 2008 - 09:50 AM

Is it possible to run any of my own programs on the server using the above command?

Yes. If you want to edit the registry you could either use the command I gave previously and type "regedit" from the administrator command prompt, or

runas /user:domain\domainadminusername regedit

I completely agree with mirrorshades though. A Linux live CD might be the best way to get around restrictions without doing any harm. If you mess up the registry the admins will find out about it and probably will have no trouble tracing it back to you. Don't jeopardize your future for something trivial.

#7 SAGA

SAGA

    SUP3R 31337

  • Members
  • 175 posts
  • Location:India

Posted 04 August 2008 - 01:26 AM

They have disabled USB drives and CD drives......

But the local admin account has no restrictions; I am using it.

Initially I log in on the domain, which has restrictions, and then I open a command prompt as local admin (runas)..... Then I kill Explorer and start Explorer from the cmd prompt, which is running as local admin.......

So no problems now.

Thanks guys

#8 operat0r

operat0r

    Dangerous free thinker

  • Members
  • 793 posts
  • Location:ops

Posted 05 August 2008 - 10:40 AM

I use Thinstall to run apps/games if I don't have admin. I have everything on my USB stick, 1.2 gigs so far :P

thinstall FTW !

Ep:207 operat0r - You are being watched
http://www.twatech.o...p?host=operat0r

Edited by operat0r, 05 August 2008 - 10:41 AM.


#9 SAGA

SAGA

    SUP3R 31337

  • Members
  • 175 posts
  • Location:India

Posted 05 August 2008 - 11:11 AM

I use Thinstall to run apps/games if I don't have admin. I have everything on my USB stick, 1.2 gigs so far :P

thinstall FTW !

Ep:207 operat0r - You are being watched
http://www.twatech.o...p?host=operat0r



Hi operat0r,

I listened to your recorded radio show...

As you said, by monitoring the running processes I figured out a monitoring software......... Thinstall is not free, right?

But the audio quality is not good... please stop the music while you speak and increase the treble.... otherwise, good presentation.

#10 RedAnthrax

RedAnthrax

    n00bie

  • Binrev Financier
  • 10 posts

Posted 19 August 2008 - 12:29 AM

If it's true what you say (you have access to the local admin account) then you can remove the machine from the domain altogether. After that it will not receive GPO updates, as it will not be in the domain. You can basically do anything at this point. Also, if a Windows machine is separated from the domain server and you're logged in as a normal user, the last group policy is still enforced; it doesn't become rendered useless......... It also keeps a cache of the users that were logged on last, so those users are still able to log on to the machine. After a certain amount of time, though, it starts to have errors with multiple users and temporary profiles. If you bring a live CD they will notice you and they will shut you down; most of the time if they don't know what's going on they will freak out, so keep everything nice and Windowsy.

Edited by RedAnthrax, 19 August 2008 - 12:35 AM.


#11 SAGA

SAGA

    SUP3R 31337

  • Members
  • 175 posts
  • Location:India

Posted 19 August 2008 - 06:43 AM

If it's true what you say (you have access to the local admin account) then you can remove the machine from the domain altogether. After that it will not receive GPO updates, as it will not be in the domain. You can basically do anything at this point. Also, if a Windows machine is separated from the domain server and you're logged in as a normal user, the last group policy is still enforced; it doesn't become rendered useless......... It also keeps a cache of the users that were logged on last, so those users are still able to log on to the machine. After a certain amount of time, though, it starts to have errors with multiple users and temporary profiles. If you bring a live CD they will notice you and they will shut you down; most of the time if they don't know what's going on they will freak out, so keep everything nice and Windowsy.



Isolating the machine from the domain will prevent other users from logging in, isn't it?

Anyway, how to do that in Windows XP Professional?

#12 RedAnthrax

RedAnthrax

    n00bie

  • Binrev Financier
  • 10 posts

Posted 19 August 2008 - 04:25 PM

Removing it from the domain would prevent NEW users from logging in, not users that have logged in already; like I said, it keeps a cache. To remove it from the domain, log on to the machine locally > right click My Computer > Properties > click the "Computer Name" tab > click the Change... button > select Workgroup and give it your own workgroup name, then hit OK twice and restart. It should not be connected to the domain and receiving GPO updates anymore. Now to change the local group policy settings, log on as a local admin, select Run from the Start menu and type "gpedit.msc", and from here you have access to the local group policy settings. Also, while you're logged on locally as the admin you can add your normal username to the Administrators group by right clicking My Computer > Manage > Local Users and Groups > click on Groups > then double click the Administrators group and add your username. Now you can log onto the machine with your normal username and have administrative access.

#13 Uncue

Uncue

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Location:Raleigh, NC

Posted 20 August 2008 - 12:48 PM

Removing it from the domain would prevent NEW users from logging in, not users that have logged in already; like I said, it keeps a cache.



In order to log in with cached credentials, don't you have to select the domain from the dropdown list on the login screen? With the computer not being in the domain, you are forced to authenticate to the local machine and are not able to select the domain in order to use cached credentials. I'll be honest, I've never actually tried logging in with cached credentials after a machine is removed from the domain, but I'd be willing to bet you lunch that this wouldn't work.

Another issue is that if the user is required to change their password and then they go to a computer that can't talk to the domain they will have to login with their old password that is cached on the machine.

This may be of use to you:

http://windowsitpro....oup-policy.html

#14 SAGA

SAGA

    SUP3R 31337

  • Members
  • 175 posts
  • Location:India

Posted 20 August 2008 - 03:14 PM

Removing it from the domain would prevent NEW users from logging in, not users that have logged in already; like I said, it keeps a cache.



In order to log in with cached credentials, don't you have to select the domain from the dropdown list on the login screen? With the computer not being in the domain, you are forced to authenticate to the local machine and are not able to select the domain in order to use cached credentials. I'll be honest, I've never actually tried logging in with cached credentials after a machine is removed from the domain, but I'd be willing to bet you lunch that this wouldn't work.

Another issue is that if the user is required to change their password and then they go to a computer that can't talk to the domain they will have to login with their old password that is cached on the machine.

This may be of use to you:

http://windowsitpro....oup-policy.html


I agree with your point....

When I logged in on the domain from the other department's computer centre, the restrictions are removed..........

So the domain enforces a set of policies on certain machines (a particular department's machines) and leaves other machines... Is there anything on the client side which controls GP?

#15 Uncue

Uncue

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Location:Raleigh, NC

Posted 20 August 2008 - 03:55 PM

When I logged in on the domain from the other department's computer centre, the restrictions are removed..........

So the domain enforces a set of policies on certain machines (a particular department's machines) and leaves other machines...


It's based on the organizational unit (folder) that the computer resides in within Active Directory.

Is there anything on the client side which controls GP?


You can only stop it if you are an administrator. I remember an older 2600 article that talked about how to stop group policy being applied to your machine. I didn't really read it because it didn't affect me, but after some googling this is the only thing I can find:

http://blogs.dirteam...07/21/1229.aspx

I think the quickest route is for you to try unplugging the network cable like the link above suggests right after you login.



