
Group policy for laptop user 1

Jul 15, 2005
I have implemented several software restriction policies on my network, including one to block Windows Messenger. I have a laptop user who would like to use Windows Messenger when he's at home and off the network. He's told me that when he's off the network and tries to use Messenger, he receives a message indicating that Messenger is blocked and that he should contact his system administrator.

Can he remove the group policy settings when he's off the domain?

SnoopFrogg
MCSA+Security - Windows Server 2003
 
Thanks for the suggestion- I'll do some research into loopback processing as I'm not too familiar with it. My initial thought: will this allow users to circumvent group policy by implementing local security policies? If I'm understanding loopback processing in merge mode correctly, this will be the case only when they are outside of domain.

I've blocked MSN Messenger, along with several other IM programs, as well :=)

SnoopFrogg
MCSA+Security - Windows Server 2003
 
Well, if your users are admins on their laptops, then they can mess with policies anyway. If they are not, then you may have to look at using MSN Messenger, as GP doesn't affect this.
 
Wouldn't putting the laptop and other PCs in a separate OU and applying the GP to the OU that you want it on work?
 
Porkchop,

This is his personal laptop, so he does have admin rights to the computer. Remind me what the order of inheritance is: is it 1) Site, 2) Domain, 3) OU, 4) Local Security, meaning Local Security settings override the others?

If so, then I'll add a path rule in local security to override the GPO setting.

SnoopFrogg
MCSA+Security - Windows Server 2003
 
I think you have that back to front: the local policy is applied first, then the OU, but using loopback will apply the local user policy again at the end, so in that situation the local user policy is in effect. The policies will affect the user, but if they are a local admin with reasonable knowledge then they will be able to get around the policies.

Anything set in the user policy on the local machine will be applied even when connected to the domain if you use loopback processing. This is handy as you can have the person logon using the same domain account to laptops as well as desktops but you can enforce a different set of policies on the desktops than you do on their laptop.

I'm not sure I'm explaining this very well, so post back if you are unclear what I'm rabbiting about.
 
I tried loopback policy and it still did not allow the user to run Windows Messenger, although he is receiving a different error message that points to a user policy restriction. Here's the error message:

C:\Program Files\Messenger\msmsgs.exe

Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
I have the following group policies set that are affecting the user's ability to run Windows Messenger:
1. Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules
2. User Configuration\Administrative Templates\System\Don't run specified Windows applications

I believe I'm correct in thinking that disabling the second policy and enabling loopback policy in replace mode will allow the user to run Windows Messenger if he has a path rule in his Local Security policy that lets it run unrestricted.

Ideally, I'd like to let him run Windows Messenger when he's off the network without having to modify my group policy.

Thoughts?

SnoopFrogg
MCSA+Security - Windows Server 2003
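Since the post above is trying to work out whether the computer-side SRP path rule or the user-side "Don't run specified Windows applications" setting is what stops msmsgs.exe, here is an added example (not from the thread or any poster) that reads the standard SRP and DisallowRun policy registry locations on the local machine and reports which entries match the program from the error message. The path in $Target is taken from the error message; the level numbers are the ones SRP stores in the registry.

```powershell
# Added example: list the SRP path rules (machine and user hive) and the
# per-user DisallowRun entries that apply to a given program.
param([string]$Target = 'C:\Program Files\Messenger\msmsgs.exe')

# SRP security levels as stored under CodeIdentifiers\<level>
$levelNames = @{ 0 = 'Disallowed'; 65536 = 'Basic User'; 262144 = 'Unrestricted' }

# Computer Configuration writes to HKLM, User Configuration to HKCU
$saferRoots = @(
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
  'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

function Test-PathRuleMatch {
  param([string]$Rule, [string]$Program)
  # Path rules may use wildcards and environment variables; a rule that names
  # a folder covers everything beneath that folder.
  $expanded = [Environment]::ExpandEnvironmentVariables($Rule).TrimEnd('\')
  if ($Program -like $expanded) { return $true }
  return $Program.StartsWith($expanded + '\', [StringComparison]::OrdinalIgnoreCase)
}

foreach ($root in $saferRoots) {
  if (-not (Test-Path $root)) { continue }
  $default = (Get-ItemProperty $root -ErrorAction SilentlyContinue).DefaultLevel
  Write-Host "$root  DefaultLevel=$default ($($levelNames[[int]$default]))"
  foreach ($levelKey in Get-ChildItem $root) {
    $level = [int]$levelKey.PSChildName
    $pathsKey = "$($levelKey.PSPath)\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($rule in Get-ChildItem $pathsKey) {
      $item = (Get-ItemProperty $rule.PSPath -ErrorAction SilentlyContinue).ItemData
      if ($item -and (Test-PathRuleMatch $item $Target)) {
        Write-Host ("  MATCH: {0} rule '{1}'" -f $levelNames[$level], $item)
      }
    }
  }
}

# "Don't run specified Windows applications" is a per-user Explorer policy
# holding bare executable names (values named 1, 2, 3, ...), not full paths.
$disallow = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $disallow) {
  $exe = Split-Path $Target -Leaf
  $names = (Get-ItemProperty $disallow).PSObject.Properties |
           Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
  if ($names -contains $exe) { Write-Host "  DisallowRun lists $exe (user policy)" }
}
```

The error text itself points at Event Viewer: SRP blocks are logged in the Application log under the source "Software Restriction Policies", and the event ID tells you which kind of rule fired (865 for the default level, 866 for a path rule).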
 
I have heard that Messenger and MSN Messenger 7.5 are different programs. Why not disable Messenger in GPO, which you have done, then block ports via script for Messenger 7.5 in the domain? As he does not log on at home, then it won't be blocked at home???

Hope this helps.

The most overlooked advantage to owning a computer is that if they foul up there's no law against whacking them around a little.
 
schtek is correct; as I say, the policy shouldn't affect MSN Messenger, only Windows Messenger.
 
How about creating a local account to allow the user to log on locally? Policy shouldn't affect him then, since blocking out MSN Messenger is User Policy based.
 
> I have heard that Messenger and MSN Messenger 7.5 are different programs. Why not disable Messenger in GPO, which you have done, then block ports via script for Messenger 7.5 in the domain? As he does not log on at home, then it won't be blocked at home???

I've never used a script to block ports in my domain. Is the script program-specific? Can you point me to a reference?

> schtek is correct; as I say, the policy shouldn't affect MSN Messenger, only Windows Messenger.

I'm blocking MSN Messenger and Windows Messenger. Ideally, I'd like to continue blocking all IM programs.

> How about creating a local account to allow the user to log on locally? Policy shouldn't affect him then, since blocking out MSN Messenger is User Policy based.

The user has a local admin account on his laptop. I am using computer and user policies, though. It sounds like I'm going to need to remove the computer policy.

SnoopFrogg
MCSA+Security - Windows Server 2003
 
I found a solution (and it was under my nose the whole time). Removing the laptop from the domain and adding it to a workgroup allows the user to use the restricted programs. What's great is I don't need to modify Group Policy!

SnoopFrogg
MCSA+Security - Windows Server 2003
 