Corporate Laptop XP2 Security Issue

Had a situation today with a home user's corporate XP SP2 laptop

Domain security normally doesn't allow the Windows Update site to work (IT do this every quarter with a special AD OU)

Local admin account was locked out
You could manage (through My Computer properties/manage) the laptop from another PC on the network, but no new admins could be applied
My network admin had permissions like a normal user (i.e. so I couldn't even take it off the domain etc.)
GPUpdate wouldn't actually register the move from the standard OU to the Windows Update OU
HDD is encrypted so standard BART CD/bootable CD password hacks don't work

From a user perspective it works ok, but for any admin task its a nightmare

Short of a complete re-install, anyone got any ideas?
 
New OU with updated members of the Administrator group?

Are you sure it's a member of the domain? Who is in the Admins group?




M.
 
Could maybe try using the NT Offline Password & Registry Editor to unlock the local admin account.

http://home.eunet.no/~pnordahl/ntpasswd/

It's encrypted with Pointsec / AES (or Checkpoint if you know it as that) so the NT Offline boot disk doesn't see it as an NTFS partition.

It isn't an issue about the user - they can do everything they need, but we can't update the policy to do the Windows Updates and other stuff. The user (who is a local admin) also doesn't have permissions to change domain etc. - i.e. thinking a new SSID might solve the issue.


Myself and my colleagues are domain admins, and it certainly looks like the laptop in question is a member of the domain. One of my colleagues is also in the local admin group as an Admin, but even that account had no rights to change the domain details etc.

We hadn't thought of creating a new OU - but if the machine isn't taking the properties of the Windows Update OU, why would it take the properties of a newly created one?

I think we are going to have to rebuild it from fresh as suggested, really frustrating though
 
I guess the only reason it wouldn't take the rights is if it was reading off another DC and it hadn't propagated to that (though if you only have one DC this is obviously not the case).

Another reason is that there are local settings set rather than using group policies.

Get the user who is an admin on there to open the local policies MMC:

1. Click Start, and then click Run.
2. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. Click Add.
5. Under Available Stand-alone Snap-ins, click Group Policy, and then click Add.
6. If you do not want to edit the Local Computer policy, click Browse to locate the group policy object that you want. Supply your user name and password if prompted, and then when you return to the Select Group Policy Object dialog box, click Finish.

NOTE: You can use the Browse button to locate group policy objects linked to sites, domains, organizational units (OU), or computers. Use the default Group Policy Object (GPO) (Local Computer) to edit the settings on the local computer.

Just because it doesn't seem like he has Admin privileges means that there is a conflicting GP somewhere.

It might be wise, though, if when you create a separate OU for the laptop you then make a new domain user who is also a member of this OU and then block inheritance. You can then create your restricted groups OU with the new user you created (this basically means that the policy then applying to this laptop is completely new for both user and computer, and that you aren't restricted because the user is in a different group and has different policies applied).

Worth a go before you rebuild it.



M.
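An added diagnostic script, not posted by anyone in this thread, that checks on the affected laptop the things M. lists above: which DC answered, which OU the computer object sits in and whether that OU blocks inheritance, who is currently in the local Administrators group, and the computer-scope gpresult (where a Restricted Groups entry would show up). It assumes PowerShell is installed on the XP machine and that the logged-on account can read AD.

```powershell
# Added diagnostic (not from the thread): where does this PC sit in AD, which DC
# answered, does the OU block inheritance, and who is in local Administrators?
$computer = $env:COMPUTERNAME

# 1. Find the computer object; a DC that has not yet replicated the OU move
#    (the case raised above) will report the old distinguishedName here.
$searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$computer`$))"
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$result = $searcher.FindOne()
if (-not $result) { Write-Warning "No computer object found for $computer"; return }
$dn = $result.Properties['distinguishedname'][0]
Write-Host "Computer DN  : $dn"
Write-Host "Logon server : $env:LOGONSERVER"

# 2. Parent OU: which GPOs are linked, and is Block Inheritance set (gPOptions bit 1)?
$ouDn = $dn -replace '^CN=[^,]+,', ''
$ou = [adsi]"LDAP://$ouDn"
$gpOptions = [int]($ou.gPOptions | Select-Object -First 1)
Write-Host "Parent OU    : $ouDn"
Write-Host ("Blocks inheritance: {0}" -f (($gpOptions -band 1) -eq 1))
Write-Host ("Linked GPOs  : {0}" -f ($ou.gPLink | Select-Object -First 1))

# 3. Local Administrators as it stands right now. A Restricted Groups policy
#    rewrites this list at every refresh, which would explain an admin that
#    keeps losing rights even though the group looks correct.
$group = [adsi]"WinNT://./Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
Write-Host "Local Administrators: $($members -join ', ')"

# 4. Resultant computer policy (XP syntax). Look for the GPO that applied
#    Restricted Groups, and for local settings versus domain GPOs.
gpresult /scope computer /v
```

Run it once against a DC that is known to be current (compare $env:LOGONSERVER with the DC the OU move was made on) before deciding replication is not the cause.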
 

Thank you for this - really appreciated


However - just for your reference:

Two DCs in operation, but they are identical, and 02 is only in case 01 fails

The normal user in question is a local admin on the domain, yet even defrag isn't permissioned - and I just tried editing the local GP and access is denied

(admittedly this is a second laptop, and a different user - but all the symptoms of the first laptop are identical here also)

Really appreciate everyone's assistance but looks like I will have to rebuild each laptop completely :-(
 