Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Logon Hours and Local Admin Equivalence
From: William Lowry (William.LowryINTERCEPT.NET)
Date: Tue Oct 26 2004 - 13:58:49 CDT
I've got a 2k domain at my house with a few machines on it, one which my
son has local Admin equivalence (Req'd for that mission critical app
America's Army). I have noticed when he has this access level, that the
logon hours do not necessarily apply. Once authenticated, the GPO to
force him off doesn't work properly. If I manually log the account off,
domain authentication prevents logon, or if I force a local policy to
kick him off, it will only work for that session. (force it with
secedit) . I have this set in both the local and domain policies. It
appears having local god equiv neuters the logout hours...
In short, it appears that if a user on a 2k domain has Admin rights on
the local machine, the account will be divorced from the network, but
will still allowed to stay logged on to the local machine outside of the
explicit hours set, regardless of how Global or Local policies are set.
Once they log out of the machine, life works as expected.
A) Has anyone else seen this behavior, or am I configuration
B) Assuming I'm not policy challenged, would you consider this a
security weakness (flaw), or a design flaw?
C) I don't have a 2k3 domain up yet to test this with, has anyone seen
this behavior on 2k3?
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.