good point. SeTakeOwnershipPrivilege is now about to be removed.

You probably are right, it would have been easier to configure at the
perimeter...but that is managed by my boss and I don't trust him to do it
properly and/or not reverse it accidentally or deliberately

2009/4/24 Ken Schaefer <[email protected]>

>  Now that it is out there, then it's relatively easy to look them up.
>
> But in James' case, I can just bring my own copy of cacls.exe (or have a
> scheduled job to make a copy of the existing one) and unless SeTakeOwnership
> Privilege is removed from the Administrators group I can then get
> permissions back to everything that he's just removed.
>
> If the purpose was to block internet access, then I think it would have
> been easier to just configure this on the outbound proxy or router or
> firewall or whatever device that's in place there.
>
> Cheers
> Ken
>
>  ------------------------------
> From: Free, Bob [[email protected]]
> Sent: Friday, 24 April 2009 2:18 AM
> To: NT System Admin Issues
> Subject: RE: Restricted groups, where have you been....
>
> Before Russinovich blogged it you at least had to have a bit of a clue
> about GPOs to defeat them, now it is trivial...relatively
>
>
>
> From: Ken Schaefer [mailto:[email protected]]
> Sent: Thursday, April 23, 2009 12:26 AM
> To: NT System Admin Issues
> Subject: RE: Restricted groups, where have you been....
>
>
>
> If they are administrators, they can defeat GPOs given sufficient
> knowledge...
>
>
>
> Cheers
>
> Ken
>
>
>   ------------------------------
>
> From: James Rankin [[email protected]]
> Sent: Thursday, 23 April 2009 5:12 PM
> To: NT System Admin Issues
> Subject: Re: Restricted groups, where have you been....
>
> For those who can remember the NT4 days, GPOs as a whole are an awesome
> admin tool. When I managed an NT4 network with 10,000 users I actually had
> batch scripts running overnight that reset the user rights on all DCs and
> member servers, checked the local group memberships and altered them back
> to a default if they'd changed. Group Policy finally made my life easy.
>
> I just recently implemented a group policy that blocks internet access on
> our few scanning workstations even though the users are admins...a
> combination of a false proxy and restrictive file permissions on
> inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe has done the trick.
> Power is great!!!!
>
> 2009/4/22 David Lum <[email protected]>
>
> …all my life! We are just getting to use this feature and it’s DA BOMB!
> Being able to add users to local groups w/out affecting the existing
> memberships is awesome!
>
>
>
> We are narrowing down how many Domain Admins we have and this feature is
> hugely helpful in delegating to non domain admins.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
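A quick audit for the bypass Ken describes, added here as an example and not code from anyone in the thread: it exports the local user-rights policy with secedit.exe and reports who currently holds SeTakeOwnershipPrivilege, so the file-ACL restrictions James put on inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe can be checked against the one privilege that lets a local admin undo them. It assumes a Windows host with the built-in secedit.exe and an elevated prompt; the temp file path is a constructed value.

```powershell
# Added example: audit which principals hold SeTakeOwnershipPrivilege on this
# machine. Assumes an elevated prompt; $TmpCfg is a constructed temp path.
$TmpCfg    = Join-Path $env:TEMP 'user-rights-export.inf'
$AdminsSid = 'S-1-5-32-544'   # well-known SID for BUILTIN\Administrators

# secedit writes the effective local policy as an INI-style file; the
# USER_RIGHTS area yields the [Privilege Rights] section we care about.
secedit.exe /export /cfg $TmpCfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $TmpCfg)) { throw 'secedit export failed' }

# A line in that section looks like:
#   SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-...
# SIDs are prefixed with '*'; the line is absent when nobody holds the right.
$line = Get-Content $TmpCfg | Where-Object { $_ -match '^SeTakeOwnershipPrivilege\s*=' }
Remove-Item $TmpCfg -Force

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

# Resolve SIDs to account names where possible; keep the raw SID otherwise.
$names = foreach ($sid in $holders) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }
}

if ($holders -contains $AdminsSid) {
    Write-Warning ('SeTakeOwnershipPrivilege is still granted to BUILTIN\Administrators; ' +
                   'any local admin can take ownership of the restricted files and reset their ACLs.')
} else {
    Write-Output 'SeTakeOwnershipPrivilege is not granted to BUILTIN\Administrators.'
}
$list = if ($names) { $names -join ', ' } else { '(none)' }
Write-Output "Current holders of SeTakeOwnershipPrivilege: $list"
```

Run it after the GPO has applied (gpupdate /force) so the export reflects the domain-delivered setting rather than the stale local one.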
