sagarun

Prevent Group Policy settings being downloaded from the server

15 posts in this topic

I am connected to a Windows 2003 server (I log in to the server as a user), and they have created some restrictions with the administrative templates (like cannot right-click on the taskbar, cannot press Win+E, and lots of crap).

I have already breached the server security (got the passwords) as well as the client's admin account. :)

Now, how can I prevent these restrictions being downloaded from the server to us? Is there anything I can do on the client?


I'm not sure if gpdisable.exe might help. Another thing you could try (assuming that cmd.exe and regedit.exe have been disabled) is hex-edited versions of those executables. There are instructions about how to do that. If you can access cmd and regedit on the local PC when connected to the domain, that might give you a start in undoing the restrictions. Of course, there might be a user agreement in place which expressly forbids users playing around with the network ... expulsion from school, termination of employment etc., so you might want to tread very carefully!

Post back with your progress - I'll be interested to know what you did and how you got along. As a matter of interest, how did you breach the server security?


What passwords do you have exactly? If you have either the local admin or the domain admin you could always run programs on the machine as those.

Do you have access to the command prompt or the Run menu? If not, you could try making a shortcut or batch file to start c:\windows\system32\cmd.exe or c:\windows\system32\command.com

On the Run menu or a limited command prompt...

runas /user:adminname cmd.exe

for local admin or

runas /user:domainname\domainadmin cmd.exe

gives you access under the domain admin.

From this administrative command prompt you could start or restart any program you like.

To kill and restart Windows Explorer:

tskill explorer
explorer.exe

There are other solutions to this problem in a domain, such as the "netdom" or "net" commands, but unless you are familiar with Active Directory I wouldn't suggest trying anything with them.

As the previous poster said, please don't get expelled from school or fired from work for using this info. Logon attempts can be audited both in domains and on local machines.

*Edited for code clarity*

Edited by M0ralGray
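The runas / tskill sequence above, and the trail it leaves, as an added example that is not part of the original post. It assumes current Windows with PowerShell 5.1 (none of these cmdlets existed on the XP/2003 systems in the thread, and the pre-Vista Security log wrote event 528 where current Windows writes 4624); the local account name is an assumption.

```powershell
# Added example, not from the thread. Current Windows, PowerShell 5.1 or later.
# "$env:COMPUTERNAME\Administrator" is an assumed account name.

# What "runas /user:COMPUTER\Administrator cmd.exe" does, with a credential
# prompt instead of the console password prompt.
$admin = Get-Credential -UserName "$env:COMPUTERNAME\Administrator" -Message 'local Administrator'
Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" -Credential $admin

# What "tskill explorer" followed by "explorer.exe" from that prompt does: the
# replacement shell runs as the admin, so the restricted user's policy no longer
# shapes its menus and shortcuts. (This worked on XP; on newer Windows Explorer
# is built to run as the logged-on user, so the result varies by build.)
Stop-Process -Name explorer -Force
Start-Process -FilePath "$env:SystemRoot\explorer.exe" -Credential $admin -WorkingDirectory $env:SystemRoot

# The admins' side. runas goes through the Secondary Logon service, which calls
# LogonUser and leaves a 4624 whose Subject (who asked) is the interactive user
# and whose Target is the admin account. An interactive logon requested by a
# human account rather than by SYSTEM is that pattern. Run this part elevated.
function Find-RunasLogon {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Caller     = '{0}\{1}' -f $p[2].Value, $p[1].Value   # SubjectDomainName\SubjectUserName
            LoggedOnAs = '{0}\{1}' -f $p[6].Value, $p[5].Value   # TargetDomainName\TargetUserName
            LogonType  = [int]$p[8].Value
            Process    = $p[17].Value                              # ProcessName (svchost.exe for seclogon)
        }
    } | Where-Object {
        $_.LogonType -eq 2 -and                    # 2 = Interactive
        $_.Caller -notmatch '\\(SYSTEM|-)$' -and   # console/RDP logons are requested by SYSTEM
        $_.Caller -notmatch '\$$' -and             # ... or by a machine account
        $_.Caller -ne $_.LoggedOnAs
    }
}

Find-RunasLogon -Hours 24 | Format-Table -AutoSize
```

The detection half is the part the thread keeps warning about: nothing in the runas trick is hidden from whoever reads the Security log, because the event names both the account that asked and the account that was obtained.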

Anything you could do to prevent the GP from propagating to a client box would likely either (1) show up in various logs or error messages available to the *real* admins (e.g. changing the GP settings, moving the computer/user accounts into different OUs), or (2) render the computer you're trying to sign on to useless (e.g. disconnecting from the domain, unplugging the network cable).

Just because you think the policies are "crap" doesn't mean that you won't get into major trouble if you're found out. Best bet is to just leave it all alone; if you really feel entitled to use the computer in an unrestricted fashion, then bring some sort of Linux live CD with you and boot to that instead. If nothing else, that has less of an appearance of maliciousness than trying to explicitly subvert/modify existing security policy.

Of course, there might be a user agreement in place which expressly forbids users playing around with the network ... expulsion from school, termination of employment etc., so you might want to tread very carefully!

Fortunately we don't have such agreements. Anyway, as you said, I should be careful.

Post back with your progress - I'll be interested to know what you did and how you got along. As a matter of interest, how did you breach the server security?

I used Cain to capture the hashes and used 28 GB of half-LM rainbow tables to crack them.

What passwords do you have exactly? If you have either the local admin or the domain admin you could always run programs on the machine as those.

I log in to the domain rather than the local computer. I have both the domain admin's password and the local computer's administrator account password.

I can use the command prompt, but registry editing is forbidden.

I mean, let's say when I compile a C program, the whole operation is done with the local computer's resources (CPU, RAM...). I use the remote server only for storing the files (so that I can access them from anywhere on the network).

runas /user:domainname\domainadmin cmd.exe

Is it possible to run any of my own programs on the server using the above command?

Edited by SAGA
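Why "half-LM" tables of that size are enough, as an added example that is not part of the original post and not Cain's code. The LM hash is two independent DES encryptions of a fixed constant, keyed by the two 7-character halves of the upper-cased password, and the first 8 bytes of the LM challenge/response captured on the wire are keyed by the first 7 bytes of that hash; so once the challenge is fixed, the first third of what Cain captures depends on the first 7 characters of the password only. The block below uses only .NET's DES, runs on Windows PowerShell 5.1 or PowerShell 7 on Windows, and the challenge value in it is constructed for the demonstration.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1 / PowerShell 7 on Windows.

function ConvertTo-DesKey {
    # Spread 7 key bytes over 8, leaving bit 0 of every byte as the (ignored) parity bit.
    param([byte[]]$Seven)
    $k = New-Object byte[] 8
    $k[0] = $Seven[0] -band 0xFE
    for ($i = 1; $i -lt 7; $i++) {
        $k[$i] = ((([int]$Seven[$i - 1] -shl (8 - $i)) -bor ([int]$Seven[$i] -shr $i)) -band 0xFE)
    }
    $k[7] = ([int]$Seven[6] -shl 1) -band 0xFE
    return ,$k
}

function Invoke-DesBlock {
    # One DES-ECB encryption of an 8-byte block under a 7-byte key.
    param([byte[]]$Seven, [byte[]]$Block)
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key     = ConvertTo-DesKey $Seven      # .NET throws on DES weak keys, e.g. all-zero
    $out = $des.CreateEncryptor().TransformFinalBlock($Block, 0, 8)
    $des.Dispose()
    return ,$out
}

function Get-LmHash {
    param([string]$Password)
    # LM: upper-case, NUL-pad to 14 bytes, split 7/7, each half independently
    # DES-encrypts the constant "KGS!@#$%". Nothing mixes the two halves.
    $magic = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')
    $pw    = [System.Text.Encoding]::ASCII.GetBytes($Password.ToUpperInvariant().PadRight(14, [char]0).Substring(0, 14))
    $hash  = New-Object byte[] 16
    foreach ($h in 0, 1) {
        $seven = [byte[]]$pw[(7 * $h)..(7 * $h + 6)]
        if (($seven | Measure-Object -Maximum).Maximum -eq 0) {
            # Empty half: the all-zero key is a DES weak key that .NET refuses, so use its
            # well-known output (the LM hash of an empty password is this constant twice).
            $block = [byte[]](0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE)
        } else {
            $block = Invoke-DesBlock $seven $magic
        }
        [Array]::Copy($block, 0, $hash, 8 * $h, 8)
    }
    return ,$hash
}

function Get-LmResponse {
    # LM challenge/response as sent over the wire: the 16-byte hash is padded to 21
    # bytes and cut into three 7-byte DES keys, each encrypting the 8-byte challenge.
    param([byte[]]$LmHash, [byte[]]$Challenge)
    $k21 = New-Object byte[] 21
    [Array]::Copy($LmHash, 0, $k21, 0, 16)
    $resp = New-Object byte[] 24
    foreach ($h in 0, 1, 2) {
        $block = Invoke-DesBlock ([byte[]]$k21[(7 * $h)..(7 * $h + 6)]) $Challenge
        [Array]::Copy($block, 0, $resp, 8 * $h, 8)
    }
    return ,$resp
}

function ConvertTo-Hex { param([byte[]]$Bytes) ($Bytes | ForEach-Object { $_.ToString('X2') }) -join '' }

# LM('password') is the textbook E52CAC67419A9A224A3B108F3FA6CB6D.
$short = Get-LmHash 'password'
$long  = Get-LmHash 'passwordXYZ123'
ConvertTo-Hex $short
ConvertTo-Hex $long
# Same first 8 bytes: a table built over 7-character inputs already covers them.
(ConvertTo-Hex $short).Substring(0, 16) -eq (ConvertTo-Hex $long).Substring(0, 16)

# On the wire, response bytes 0..7 are DES(hash[0..6], challenge), so with the challenge
# fixed they also depend on the first 7 characters only. Constructed challenge value.
$chal = [byte[]](0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88)
(ConvertTo-Hex (Get-LmResponse $short $chal)).Substring(0, 16) -eq (ConvertTo-Hex (Get-LmResponse $long $chal)).Substring(0, 16)
```

Both comparisons print True. A half-LM table therefore needs to cover only 7 upper-cased characters for one fixed challenge, which is why it fits in tens of gigabytes and why the fix is to stop sending LM responses at all rather than to lengthen passwords.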
Is it possible to run any of my own programs on the server using the above command?

Yes. If you want to edit the registry you could either use the command I gave previously and type "regedit" from the administrator command prompt

or

runas /user:domain\domainadminusername regedit

I completely agree with mirrorshades though. A Linux live CD might be the best way to get around restrictions without doing any harm. If you mess up the registry the admins will find out about it and probably will have no trouble tracing it back to you. Don't jeopardize your future for something trivial.


They have disabled USB drives and CD drives.

But the local admin account has no restrictions; I am using it.

Initially I log in to the domain, which has restrictions, and then I open a command prompt as local admin (runas), and then kill Explorer and start Explorer from the command prompt which is running as local admin.

So no problems now.

Thanks guys

I use Thinstall to run apps/games if I don't have admin. I have everything on my USB stick, 1.2 GB so far :P

Thinstall FTW!

Ep:207 operat0r - You are being watched

http://www.twatech.org/agentinfo.php?host=operat0r

Hi operat0r,

I listened to your recorded radio show...

As you said, by monitoring the running processes I figured out the monitoring software. Thinstall is not free, right?

But the audio quality is not good; please stop the music while you speak and increase the treble. Otherwise, good presentation.


If it's true what you say (you have access to the local admin account) then you can remove the machine from the domain altogether. After that it will not receive GPO updates, as it will not be in the domain. You can basically do anything at this point. Also, if a Windows machine is separated from the domain server and you're logged in as a normal user, the last group policy is still enforced; it doesn't become rendered useless. It also keeps a cache of the users that were logged on last, so those users are still able to log on to the machine. After a certain amount of time, though, it starts to have errors with multiple users and temporary profiles. If you bring a live CD they will notice you and they will shut you down; most of the time, if they don't know what's going on, they will freak out. Keep everything nice and Windowsy.

Edited by RedAnthrax

Isolating the machine from the domain will prevent other users from logging in, won't it?

Anyway, how do I do that in Windows XP Professional?


Removing it from the domain would prevent NEW users from logging in, not users that have logged in already; like I said, it keeps a cache. To remove it from the domain, log on to the machine locally > right-click My Computer > Properties > click the "Computer Name" tab > click the Change... button > select Workgroup and give it your own workgroup name, then hit OK twice and restart. It should not be connected to the domain or receiving GPO updates anymore. Now, to change the local group policy settings, log on as a local admin, select Run from the Start menu and type "gpedit.msc"; from here you have access to the local group policy settings. Also, while you're logged on locally as the admin, you can add your normal username to the Administrators group by right-clicking My Computer > Manage > Local Users and Groups > click on Groups > then double-click the Administrators group and add your username. Now you can log on to the machine with your normal username and have administrative access.
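The same GUI steps as cmdlets, as an added example that is not part of the original post. It assumes current Windows with PowerShell 5.1, run from an elevated local-Administrator session (none of these cmdlets existed on XP); the account and workgroup names are assumptions, and the local account is created first because a workgroup machine can only resolve local accounts.

```powershell
# Added example, not from the thread. Current Windows, PowerShell 5.1, elevated session.
# 'sagarun' and 'WORKGROUP' are assumed names.

# Where the machine stands now. Domain GPOs are pulled only while PartOfDomain is True.
Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain

# Local Users and Groups > Groups > Administrators > Add. A local account is
# created for it because after the unjoin only local accounts can be looked up.
$pw = Read-Host -AsSecureString -Prompt 'password for the local account'
New-LocalUser -Name 'sagarun' -Password $pw -PasswordNeverExpires
Add-LocalGroupMember -Group 'Administrators' -Member 'sagarun'

# System Properties > Computer Name > Change > Workgroup. Without
# -UnjoinDomainCredential the computer object is left behind in AD, which is
# one of the things the real admins will notice. -Restart reboots straight away,
# which the GUI also demands.
Remove-Computer -WorkgroupName 'WORKGROUP' -Force -Restart
```

After the reboot, gpedit.msc edits the only policy source left, the local one; the domain account used before the unjoin is no longer offered at the logon screen, which is the point the next reply raises.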

Removing it from the domain would prevent NEW users from logging in, not users that have logged in already; like I said, it keeps a cache.

In order to log in with cached credentials, don't you have to select the domain from the dropdown list on the login screen? With the computer not being in the domain, you are forced to authenticate to the local machine and are not able to select the domain in order to use cached credentials. I'll be honest, I've never actually tried logging in with cached credentials after a machine is removed from the domain, but I'd be willing to bet you lunch that this wouldn't work.

Another issue is that if the user is required to change their password and then goes to a computer that can't talk to the domain, they will have to log in with the old password that is cached on the machine.

This may be of use to you:

http://windowsitpro.com/article/articleid/...oup-policy.html


I agree with your point.

When I logged in to the domain from the other department's computer centre, the restrictions were removed.

So the domain enforces a set of policies on certain machines (a particular department's machines) and leaves other machines alone. Is there anything on the client side which controls GP?

When I logged in to the domain from the other department's computer centre, the restrictions were removed.

So the domain enforces a set of policies on certain machines (a particular department's machines) and leaves other machines alone.

It's based on the organizational unit (folder) that the computer resides in within Active Directory.

is there any thing in the client side which controls GP ?

You can only stop it if you are an administrator. I remember an older 2600 article that talked about how to stop group policy being applied to your machine. I didn't really read it because it didn't affect me, but after some googling this is the only thing I can find:

http://blogs.dirteam.com/blogs/gpoguy/arch...07/21/1229.aspx

I think the quickest route is for you to try unplugging the network cable like the link above suggests right after you login.
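What the client itself records about Group Policy, as an added example that is not part of the original post: it reads, on current Windows with PowerShell 5.1, the distinguished name the Group Policy client stored for the computer and the user (the OU in it is what the reply above says decides which GPOs apply), the history of GPOs applied last time together with the container each was linked to, and the two Explorer policy values behind the restrictions described at the top of the thread. The registry key and value names are the Group Policy client's own as I know them; treat their exact spelling as an assumption if your build differs. Run it elevated to read the machine side.

```powershell
# Added example, not from the thread. Current Windows, PowerShell 5.1, elevated.
# Key/value names are those of the Group Policy client as known to the author; assumed if your build differs.

$gp = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy'

# Where AD put this computer and this user: the OU in Distinguished-Name is the
# thing that decides which GPOs are linked to it.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
foreach ($state in "HKLM:\$gp\State\Machine", "HKLM:\$gp\State\$me") {
    Get-ItemProperty -Path $state -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Scope'; e = { Split-Path $state -Leaf } }, 'Distinguished-Name', 'Site-Name'
}

# Which GPOs were applied last time and where each was linked (domain root vs. an OU).
# History is keyed by client-side extension GUID, then one numbered entry per GPO.
function Get-GpoHistory {
    param([string]$Root)   # HKLM:\...\History (machine side) or HKCU:\...\History (user side)
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $e = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Extension = Split-Path $_.PSParentPath -Leaf
                Gpo       = $e.DisplayName
                GpoGuid   = $e.GPOName
                LinkedAt  = $e.Link          # e.g. LDAP://OU=Lab,DC=corp,DC=local (assumed shape)
                Sysvol    = $e.FileSysPath
                Version   = $e.Version
            }
        }
    }
}
Get-GpoHistory "HKLM:\$gp\History" | Format-Table -AutoSize
Get-GpoHistory "HKCU:\$gp\History" | Format-Table -AutoSize

# The registry values those GPOs leave behind. NoTrayContextMenu and NoWinKeys
# are the "cannot right-click the taskbar" and "cannot press Win+E" restrictions
# from the first post; a value of 1 means enforced.
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue |
    Select-Object NoTrayContextMenu, NoWinKeys

# None of this is a switch a standard user can flip: the Policies keys are ACLed
# read-only for users, and the Group Policy client rewrites them on every refresh,
# which can be triggered on demand to watch it happen.
gpupdate /target:user /force
```

This is the client-side answer to the question: the client keeps a record of which GPOs it applied and from which container, but the decision is made by the OU the computer and user objects sit in on the domain side, and the only local control is the refresh itself.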

