One thing that might be satisfactory is to restrict access on the GPO to Domain Computers (or some subset) instead of Authenticated Users or Domain Users. This isn't foolproof since someone with admin access to any domain joined computer or the ability to run a task as system can pretty easily impersonate that computer, but hopefully that will be fairly limited.
-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Friday, January 06, 2012 2:56 PM
To: NT System Admin Issues
Subject: Re: GPO reset of local non-builtin accounts

On Fri, Jan 6, 2012 at 9:31 AM, David Lum <[email protected]> wrote:
> A casual user won't be perusing Sysvol, and they'll be even less
> casual if they can figure out how to get at the password.

The problem is, this is an obvious target, since it's a facility in the world's most common operating system. I'm sure people are working on cracking the obfuscation, if they haven't done so already. Once it's reverse engineered, all it takes is one person to post the code, and now every script kiddie and worm on the planet can extract passwords from your GPOs.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
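The two points of this exchange (finding GPOs whose preference XML carries a stored password, and narrowing a GPO's read/apply rights to Domain Computers as the reply suggests) as an added PowerShell example; it is not from the thread or from any of its authors. It assumes the GroupPolicy RSAT module, a domain-joined session with rights to read SYSVOL and edit the GPO, and a placeholder GPO name.

```powershell
# Added example, not from the mailing-list thread. Requires the GroupPolicy
# module (RSAT) and a session that can read SYSVOL and edit the target GPO.
Import-Module GroupPolicy

$GpoName = 'Local Account Password Reset'   # placeholder: the GPO that holds the preference item
$Domain  = $env:USERDNSDOMAIN                # DNS name of the current domain

# 1. Audit: which GPOs contain a Group Policy Preferences item with a stored
#    password? Such XML carries a 'cpassword' attribute. This step only reports
#    which policy files contain the attribute; it decodes nothing.
$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
$hits = Get-ChildItem -Path $policyRoot -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=' -SimpleMatch -List

$report = foreach ($h in $hits) {
    # Map the {GUID} policy folder back to the GPO display name for the report
    $guid = [regex]::Match($h.Path, '\{[0-9A-Fa-f-]+\}').Value
    $gpo  = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
    [pscustomobject]@{ GPO = $gpo.DisplayName; File = $h.Path }
}
$report | Format-Table -AutoSize

# 2. Mitigation from the reply: drop the broad read/apply grant and give
#    read+apply to Domain Computers only. Read rights on the GPO are what let a
#    principal fetch the XML from SYSVOL, so this narrows who can retrieve it.
#    Caveat stated in the thread: anyone who is an admin on a domain-joined
#    machine, or can run as SYSTEM on one, still reads it as that computer.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoApply

# 3. Verify the resulting delegation on the GPO
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

The audit in step 1 is the check to run first: if no file in SYSVOL carries the attribute, the permission change in step 2 is only defence in depth for that GPO.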
