It has been pointed out several times recently on the SF mailing lists that a W2k user with local administrator rights can prevent group policy application on his/her machine and there is apparently nothing the domain administrator(s) can do about it (see http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html for an example)
Does anyone know exactly (a) how, and (b) why this is possible? Is there really no workaround other than removing the users from the local Administrators group? I keep discovering W2k machines where end users have been granted local admin rights (yuk!) and I'm trying to convince the relevant domain admins that, while this is an easy way to make legacy software work, it isn't such a great idea from a security point of view... Thanks, James _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
