kmaule

local group policy enforcement for Administrator

Hi there,
We are in a NON-DOMAIN environment and have created default policies to lock down the PCs and special policies for admin users that undo the default policies. This is working fine for us on our XP SP3 machines.

If a local Administrator, or DLU cached admin account, logs in "workstation only" they are prompted for their ZCM credentials. If a cached admin enters their credentials then they have full rights to the desktop. If they don't enter the ZCM credentials (perhaps no network cable or using the built-in Administrator account), then they are locked down and unhappy.

What have we missed to allow full access to the desktop for members of the local Administrator group?

Cheers,
Kirk
6 Replies

Anonymous_User

Re: local group policy enforcement for Administrator

kmaule,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://support.novell.com/forums/

mattmajewski

Re: local group policy enforcement for Administrator

If you have cached a policy locally and the machine can't authenticate anywhere to get a new policy, it uses what it has (a locked-down policy).

kmaule

Re: local group policy enforcement for Administrator

mattmajewski;1923222 wrote:
If you have cached a policy locally and the machine can't authenticate anywhere to get a new policy, it uses what it has (a locked-down policy).


Certainly undesirable behaviour that we do not see with ZFD 7. Anyone got a workaround?
Cheers,
Kirk
Micro Focus Expert

Re: local group policy enforcement for Administrator

Sounds like this is working exactly as designed and intended.

You configured the PC to be locked down unless authorized to do
otherwise and that is exactly what it is doing. If removing a LAN cable
bypassed that, this would be a very bad thing.

The best "Solution" is to log on with their cached credentials, which
gives them proper rights.

However, you could set a System Requirement for the Group Policy for
something such as "CONNECTED" or "IP SEGMENT". Of course, doing this
makes the lock-down policy kinda moot.

Note: If you needed access to a PC that was in a dysfunctional state and
the lock-downs prevented access, you could boot in "Safe Mode" and use a
local admin account.

kmaule

Re: local group policy enforcement for Administrator

Hi Craig,

Thanks for your suggestions. No luck with the "Safe Mode" boot-up: even in the "no network" setting, the PC is still locked down for the local Administrator account.

I tried the workstation only with cached credentials (from DLU) but the PC is still locked down using ZCM 10.2.2. The relaxed GPO settings do not stay cached for the user (who is a member of the local Administrators Group).

The frustration for the customer is that under ZFD 7 the Administrator and members of the local Administrator Group are not locked down.

Cheers,
Kirk
Micro Focus Expert

Re: local group policy enforcement for Administrator

I presume the DLU account is either Non-Volatile or Cached since they
are logging in as that user while disconnected.

If they log into the PC as the cached user, it is my understanding that
user's policies should then apply. If that is not happening, that might
be a bug.

You could still try the System Requirements for the Bundles, but that
lessens security.

ZDM7 actually would have worked the same basic way.
There are not any exceptions for Local Admins to bypass Group Policies.
They may have had the policies configured differently, such as not being
persistent. But when they are not, they can easily be bypassed by
pulling a LAN cable, so that is rarely recommended.
