
You make them a normal user on the computer. That is how you do it. If they use a boot disk to get around it, set a bios password and put security screws on the case so they can't open it. If they continue to break policy it is grounds for termination or removal of computer rights (at least that should be in your policy).

Power Users does not allow you to add admins to the computer. You would need to be an admin or in a group that has local admin rights, or use a boot disk like the free Hiren's disk that you can download and boot off of.

"We had user today add themselves as a local admin,"

As sc302 mentions "boot disk to get around it, set a bios password"

If I have physical access to the box - I can just boot one of many different tools to change the local admin account password. Log in with that for what I need, or log in with that and then give whatever other account I want local admin as well.

You cannot prevent that from happening with a GPO. The box would have to be set up with a BIOS password to prevent booting from removable media, be it CD or USB, etc. And you also need to prevent PXE, or I could just boot the tool I need to change the local admin password via PXE if so desired, etc.

  On 24/01/2013 at 22:06, bowl443 said:

Windows 2008 domain with domain controllers running '08 R2.

We had a user today add himself as a local admin, giving himself full rights to that machine, a Windows 7 machine.

How can I prevent this with a GPO?

Group Policy Preferences. This will properly layer over multiple GPO's targeting the same group.

Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups.

Create a "New Local Group" and from the drop down caret under Group name: select "Administrators (built-in)"

Checkmark "Delete all member users"

Checkmark "Delete all member groups"

Now select the "Add" and then "..." buttons to query for domain groups or user objects. Do not type in the Name: field manually unless you are defining a local computer user or group object that will still be a member, otherwise you may not properly attach the domain object SID to the GPP. You may wish to add the local computer "Administrator (built-in)" user to this group.

Under the Common tab you should select "Remove this item when it's no longer applied." and select "No" so that all members added to the group are removed when the GPO is no longer used against the computer. Beware that if you do not have a higher level GPO that automatically adds a local Administrator to this group, it is possible to remove all Administrators from a computer.

Beware of using "Delete all local users" against servers. You will discover scenarios where your GPO will cease to function on servers containing certain roles (I believe it involves the Configuration Manager agent being present), and then you may have almost everyone trapped out of the server until you create a lower level GPO that fixes the issue and wait for your GPO refresh timer to execute. In this particular case if you need to control local users, have a parent GPO control removal, and a layered GPO control the actual members. It'll scream at you in the event logs when Delete all local users fails to function.

If you do this, even if someone adds an account to the Administrators group, your next GPO refresh will undo the change. If someone adds a user to the group while the machine is offline, the GPO refresh at startup will likely remove the user from the group before or during logon. People who know how to launch PowerShell under the System context of the Logon screen however will be able to defeat this GPO. If you really want to prevent offline attacks, use BitLocker, but BitLocker will not defend against an online attack that enables a CLI to work at the logon screen.

As I recall, this GPP has no effect against built-in groups on Domain Controllers.

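As an added example written for this thread (it is not Kaedrin's GPP item or any script posted here), the following PowerShell does on a schedule what the GPP group item does at each refresh: it resolves an approved list to SIDs, removes anything else from the local Administrators group, and lists recent membership-change events from the Security log. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or newer, so not the Windows 7 boxes in the OP without adaptation), an elevated session, and the "Audit Security Group Management" subcategory enabled so that events 4732/4733 are written. The CONTOSO group names are placeholders.

```powershell
# Added example, not Kaedrin's GPP item or any script from this thread.
# Reconcile BUILTIN\Administrators against an approved list and report recent
# add/remove events. Assumes Microsoft.PowerShell.LocalAccounts, run elevated.
# Domain group names below are placeholders for your own objects.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ApprovedDomainPrincipals = @(
        'CONTOSO\Domain Admins',        # placeholder
        'CONTOSO\Workstation Admins'    # placeholder
    ),
    [int]$LookbackHours = 24
)

$ErrorActionPreference = 'Stop'
$AdministratorsSid = 'S-1-5-32-544'     # well-known SID of BUILTIN\Administrators

# Work with SIDs rather than names so a renamed account cannot slip past the check.
$approvedSids = New-Object System.Collections.Generic.List[string]

# The built-in local Administrator keeps RID 500 whatever it has been renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin) { $approvedSids.Add($builtin.SID.Value) }

foreach ($name in $ApprovedDomainPrincipals) {
    $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $approvedSids.Add($sid)
}

# Anything in the group that is not on the approved list is removed (honours -WhatIf).
$members    = Get-LocalGroupMember -SID $AdministratorsSid
$unexpected = @($members | Where-Object { -not $approvedSids.Contains($_.SID.Value) })

foreach ($m in $unexpected) {
    Write-Warning "Unapproved member of Administrators: $($m.Name) [$($m.SID.Value)]"
    if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from Administrators')) {
        Remove-LocalGroupMember -SID $AdministratorsSid -Member $m
    }
}

# 4732 = member added to, 4733 = member removed from a security-enabled local group.
# The group and member SIDs live in EventData, so read the XML instead of the
# rendered message (which shows resolved names). Offline edits leave no such events.
$filter = @{
    LogName   = 'Security'
    Id        = 4732, 4733
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x    = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Group   = $data['TargetSid']
            Member  = $data['MemberSid']
            By      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    } | Where-Object { $_.Group -eq $AdministratorsSid }

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Unexpected    = $unexpected.Name
    RecentChanges = $changes
}
```

Run it as a scheduled task under SYSTEM with `-WhatIf` first to see what it would remove. As Kaedrin and BudMan point out further down, this only closes the online, in-band path: someone who already holds local admin can disable the task or block policy, and a change made from a boot disk generates no 4732 event at all, which is why the thread ends up at BitLocker with a TPM for the offline case.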
  On 24/01/2013 at 22:51, Kaedrin said:

Group Policy Preferences. This will properly layer over multiple GPO's targeting the same group.

Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups.

Create a "New Local Group" and from the drop down caret under Group name: select "Administrators (built-in)"

Checkmark "Delete all member users"

Checkmark "Delete all member groups"

Now select the "Add" and then "..." buttons to query for domain groups or user objects. Do not type in the Name: field manually unless you are defining a local computer user or group object that will still be a member, otherwise you may not properly attach the domain object SID to the GPP. You may wish to add the local computer "Administrator (built-in)" user to this group.

Under the Common tab you should select "Remove this item when it's no longer applied." and select "No" so that all members added to the group are removed when the GPO is no longer used against the computer. Beware that if you do not have a higher level GPO that automatically adds a local Administrator to this group, it is possible to remove all Administrators from a computer.

Beware of using "Delete all local users" against servers. You will discover scenarios where your GPO will cease to function on servers containing certain roles (I believe it involves the Configuration Manager agent being present), and then you may have almost everyone trapped out of the server until you create a lower level GPO that fixes the issue and wait for your GPO refresh timer to execute. In this particular case if you need to control local users, have a parent GPO control removal, and a layered GPO control the actual members. It'll scream at you in the event logs when Delete all local users fails to function.

If you do this, even if someone adds an account to the Administrators group, your next GPO refresh will undo the change.

As I recall, this GPP has no effect against built-in groups on Domain Controllers.

The damage is already done at that point. There is no GPO that prevents this.

  On 24/01/2013 at 23:05, sc302 said:

The damage is already done at that point. There is no GPO that prevents this.

Depends what the actual story is, which the OP barely gave details on. What I described helps mitigate. (BTW, you responded to my original message prior to a bit of editing)

To prevent offline attacks, the only real "solution" is to manage the machines with BitLocker, a TPM, and Network Unlock.

A BIOS System password is only effective against "some" computers with properly designed firmware. A large majority that I've encountered do not block the F12 (or equivalent) firmware/BIOS boot menus even if a System password is present, including some of Dell's business line machines. Only some actually require authentication if a system password is present. I have some Precision workstations that do intrusion detection great, but only a BIOS user password will prevent a user from calling on the boot menu (and of course block them from using the computer at all without support). I don't believe any vendor is 100% consistent across their motherboard models when it comes to securing its BIOS/Firmware boot menu.

Also, when properly managed, "BitLocker+TPM+Network Unlock" is the better solution than any firmware block or physical lockdown because it requires the end user actually have technical skills. They need to have successful online attacks before an offline attack becomes possible. At this point most failures will be the result of desktop mismanagement.

Obviously it's a bit trickier on mobile systems, as Network Unlock likely becomes impossible and you have to replace it with +PIN/+USB.

Sorry for the brevity in the OP. I hammered out the question before leaving the office for the day. I probably should have waited until I had all the details before posting. An area tech called me with the problem and the details were vague.

It is my understanding that the user launched the user account applet and made the changes. I was hoping that there was a GPO that disabled access to that particular applet?

Thanks for the responses.

When I get to work tomorrow morning I'll set up a test user with the same privileges and try it out and see if I can figure out how he did what he did.

  On 25/01/2013 at 02:39, bowl443 said:

It is my understanding that the user launched the user account applet and made the changes. I was hoping that there was a GPO that disabled access to that particular applet?

Then the problem lies with your lack of basic security, nothing GP will fix - you've set his account up as an admin.

Agree with grounds for termination and so on, but also worth pointing out, try and find out what possessed the user to get Admin rights. Did he do it because he is an ass who wants to install some dodgy Facebook games, or is there something wrong with his computer that hasn't been addressed and he was trying to take matters into his own hands to fix it out of frustration?

Kaedrin -- are you talking about restricted groups? Seems like a really long explanation of restricted groups to me. Which sure, you can restrict who is in your admins group. And yes, that is a great idea and normally an audit requirement anyway.

But if I have local admin, it's real easy to block GPO being pushed from the domain.

Now sure, if you want to go the encrypted route, this can also prevent the boot tools from changing the admin account. But normally you're not trying to keep out the elite hackers here. You're keeping Billy Joe Bob from running some boot tool he found on the net, etc.

But yeah if all he did was launch user manager -- then he had rights in the first place. Does someone have domain users in the Domain Admins group ;)

  On 25/01/2013 at 11:00, BudMan said:

Kaedrin -- are you talking about restricted groups?

Restricted Groups is legacy. They have extremely limited functionality compared to GPP Groups, and as I recall cannot be layered across multiple GPO's. Unless the target is a pre-Vista system, GPP Groups should be used instead. I abandoned Restricted Groups entirely once Vista SP1 & 2008 SP1 were released.

Even if you set a boot BIOS password to prevent booting from CD, the passwords can usually be reset. However, if you enforce BitLocker with the key backed up (with hardware TPM) to AD and only recoverable by AD admins, there is no way they can use any off-the-street tool to add themselves as Admin. First they would have to have access to the AD and have rights to view the key. Note admins can still boot and use the recovery MS DaRT toolsets and reset passwords or whatever with the recovery key. There is no way the user will be able to boot from CD and give himself admin rights.

There is a small chance of privilege level escalations using, say, a faulty Cisco VPN client allowing the users to get system access and then give themselves root from a running machine. Also there is a small chance they could freeze the memory (actually temperature-wise) and read the BitLocker key from an additional machine. However, the general user with all his "hacker" tools isn't going to bypass a full system encryption (assuming you have a TPM module in place).

You don't say if you have TPM-enabled machines or not.

However, s/he already OWNS this machine. The only way to ensure they don't give themselves rights again is to re-image. As long as he or she had admin rights to begin with, they may have installed a system-level back door that simply gives the rights back even after you removed them from the Admin group.

Do you make them sign a user agreement, or if they do have elevated rights, a privileged level access agreement?

A little more detail;

This is at a school district and the kid in question is a seventh grader. He renamed the local admin account and changed its password. Those student accounts are not local admins on the computers. After testing it with an account that we copied from his account, the only way he could have done this is with a bootable device, be it a CD, DVD, or USB drive. Thankfully with the security in place, being a local admin doesn't give him any rights on the network or domain. About the only thing he can do differently is install software locally. After going through his internet search history, he is looking for remote viewing software, specifically TeamViewer. He did not install any software though - maybe the bell rang and he ran out of time?

We're hatching a plan to catch him doing it so that we can nail down his process and figure out how much he knows. Maybe a key logger, or remote viewing software - like VNC. He could have used a product like Ophcrack and now he knows the local admin password on all the campus computers.

In the future we'll set the bios to only boot to the SATA drive and set a password on the bios to prevent changes being made to the boot order.

Any other thoughts/recommendations?

to catch a thief...

http://www.spectorsoft.com

Edit: also on some BIOSes you can set which devices are allowed to boot from, not just boot priority. Hitting the option to boot off a different device will yield only the devices you choose (i.e., the hard drive).

The other issue is that it is pretty easy to reset this if you can pull the cover off when no one is looking, so putting in a security screw to prevent cover removal without special tools may also help.

If your admin password is simple enough to be cracked locally by Ophcrack in a reasonable amount of time, that's a huge problem. Presumably you have a decent password policy and that is not the case, so I would rule out the student having access to the local admin password for all the machines.

Also, have you heard of Kon-Boot before? It's an extremely simple (and effective) method for gaining access to virtually any local Windows account, including the admin account. It would allow someone to boot from a disc, login as admin, then change the admin password. One could also login to any domain account that has been established on the local computer (i.e. a domain admin, teacher, or other student who logged in and created a profile on that computer), but since Kon-Boot bypasses the password instead of cracking it, the user won't have access to any domain resources.

  On 25/01/2013 at 00:08, Kaedrin said:

Depends what the actual story is, which the OP barely gave details on. What I described helps mitigate. (BTW, you responded to my original message prior to a bit of editing)

To prevent offline attacks, the only real "solution" is to manage the machines with BitLocker, a TPM, and Network Unlock.

A BIOS System password is only effective against "some" computers with properly designed firmware. A large majority that I've encountered do not block the F12 (or equivalent) firmware/BIOS boot menus even if a System password is present, including some of Dell's business line machines. Only some actually require authentication if a system password is present. I have some Precision workstations that do intrusion detection great, but only a BIOS user password will prevent a user from calling on the boot menu (and of course block them from using the computer at all without support). I don't believe any vendor is 100% consistent across their motherboard models when it comes to securing its BIOS/Firmware boot menu.

Also, when properly managed, "BitLocker+TPM+Network Unlock" is the better solution than any firmware block or physical lockdown because it requires the end user actually have technical skills. They need to have successful online attacks before an offline attack becomes possible. At this point most failures will be the result of desktop mismanagement.

Obviously it's a bit trickier on mobile systems, as Network Unlock likely becomes impossible and you have to replace it with +PIN/+USB.

A firmware password would be used to stop booting off of CD/DVD so they can't boot up a password change DVD.

"he knows the local admin password on all the campus computers."

While I agree the password should be of significant strength to prevent bruteforce/rainbow tables, etc. You should also not have the same password on every device. They should all be different.

I used to just run a script to change the local admin password on every single machine in the domain. It was a random 20-digit string that was just dumped out from an online password creator - http://www.pctools.com/guides/password/ I just popped these into my script and stored them in our password log. It was rare that it was ever needed; you normally just used your own account that had local rights on all the machines, etc. Only in the case that a box's trust got messed up with the domain or something would you have to use local admin.

This also allowed us to give out local admin in the worst-case scenario where the user was offline and something went wrong where you had to walk him through something with admin rights. All you gave him was his box, and next time his box was on the domain you would change it, etc.

BudMan, that's a really cool idea! None of the companies I have worked for have done that, but they probably should have. That seems like a much better method than generating a strong local admin password that must be changed once every three months. Everyone in IT basically uses their domain admin privileges anyway.

We had to change them every 3 months as well ;) Which is why the script!! It's unrealistic to think you could change the password if you had to touch every machine. And you're going to typo it for sure as well ;)

Might not have been that bad on the 50-some local servers, but not going to do it on the 900-plus user boxes. And what about laptops that rarely come into the office, etc.? Just needed to catch them while they were online via the VPN and in 2 seconds there you go, their local admin is changed.

Oh, they were secure as well -- other guys used to bitch if they ever had to use them, or even the domain admin account which again used a random 20. As you said, everyone normally used their personal accounts that had the permissions they needed. But every now and then you would have to break out the domain admin account password from the safe, and **** like this can be a pain to type in: #luc&ouk?aqL6#iEwr+e

which is why the phonetics come in real handy ;)

(Hash - lima - uniform - charlie - Ampersand - oscar - uniform - kilo - Question - alpha - quebec - LIMA - Six - Hash - india - ECHO - whiskey - romeo - Plus - echo)
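BudMan's rotation script above is not posted, so here is an added example written for this thread rather than taken from it: a cryptographically random 20-character password per machine, set on the built-in Administrator by its RID (so a renamed account, as in the OP's case, is still found), and the phonetic readout BudMan uses. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or newer) and WinRM remoting to the target; 'PC-LAB-01' is a placeholder computer name. Microsoft now ships Windows LAPS, which rotates and escrows the local admin password natively and is the supported way to do this today; the script shows the mechanics.

```powershell
# Added example written for this thread; it is not BudMan's script.
# Per-machine random local Administrator password plus the phonetic readout used
# above. Assumes Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+) and
# WinRM remoting. 'PC-LAB-01' below is a placeholder computer name.

$Nato   = 'alpha','bravo','charlie','delta','echo','foxtrot','golf','hotel','india',
          'juliett','kilo','lima','mike','november','oscar','papa','quebec','romeo',
          'sierra','tango','uniform','victor','whiskey','xray','yankee','zulu'
$Digits = 'Zero','One','Two','Three','Four','Five','Six','Seven','Eight','Nine'
$Symbols = @{
    '#'='Hash'; '&'='Ampersand'; '?'='Question'; '+'='Plus'; '!'='Exclamation'
    '@'='At'; '$'='Dollar'; '%'='Percent'; '^'='Caret'; '*'='Star'; '-'='Dash'
    '_'='Underscore'; '='='Equals'; '/'='Slash'; '.'='Dot'; ','='Comma'
    ':'='Colon'; ';'='Semicolon'; '~'='Tilde'; '<'='Less'; '>'='Greater'
    '('='OpenParen'; ')'='CloseParen'; '['='OpenBracket'; ']'='CloseBracket'
    '{'='OpenBrace'; '}'='CloseBrace'
}

function ConvertTo-Phonetic {
    # Lowercase -> lowercase NATO word, uppercase -> UPPERCASE NATO word,
    # digits and symbols -> spelled-out names, anything else verbatim.
    param([Parameter(Mandatory)][string]$Text)
    $words = foreach ($c in $Text.ToCharArray()) {
        if     ($c -cmatch '[a-z]') { $Nato[[int]$c - [int][char]'a'] }
        elseif ($c -cmatch '[A-Z]') { $Nato[[int]$c - [int][char]'A'].ToUpper() }
        elseif ($c -match '[0-9]')  { $Digits[[int]$c - [int][char]'0'] }
        elseif ($Symbols.ContainsKey([string]$c)) { $Symbols[[string]$c] }
        else   { [string]$c }
    }
    $words -join ' - '
}

function New-RandomPassword {
    # Printable ASCII minus look-alikes and quote/backslash characters, drawn from the
    # OS CSPRNG with rejection sampling so no character is favoured by modulo bias.
    param([int]$Length = 20)
    $exclude  = [char[]]'lI1O0|"''`\'
    $alphabet = [char[]](33..126) | Where-Object { $exclude -notcontains $_ }
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Count)
    $byte  = New-Object byte[] 1
    do {
        $chars = foreach ($i in 1..$Length) {
            do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
            $alphabet[$byte[0] % $alphabet.Count]
        }
        $pw = -join $chars
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and
             $pw -match '[0-9]' -and $pw -match '[^0-9A-Za-z]')
    $pw
}

function Set-LocalAdminPassword {
    # Resets the built-in Administrator (RID 500, so a renamed account is still found)
    # on one machine and returns the password with its phonetic spelling.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ComputerName)
    $pw = New-RandomPassword
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Reset built-in Administrator password')) {
        Invoke-Command -ComputerName $ComputerName -ArgumentList $pw -ScriptBlock {
            param($plain)
            $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
            Set-LocalUser -SID $admin.SID -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
        }
    }
    [pscustomobject]@{
        Computer = $ComputerName
        Password = $pw
        Phonetic = ConvertTo-Phonetic $pw
    }
}

# Usage: record the returned object in a password vault, not a plain-text log.
# Set-LocalAdminPassword -ComputerName 'PC-LAB-01' -WhatIf
ConvertTo-Phonetic '#luc&ouk?aqL6#iEwr+e'
```

The last line reproduces BudMan's readout word for word, which is a quick way to check the mapping. Looking the account up by RID rather than by name is the detail that matters for this thread: the student renamed the local Administrator, and a script keyed on the name "Administrator" would have missed it.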

  On 25/01/2013 at 19:23, majortom1981 said:

A firmware password would be used to stop the booting off of cd/dvd so they cant boot up a password change dvd

As I said, there is no guarantee a motherboard actually secures the boot menu just because you set a firmware password. There is no consistent behavior across motherboards even from Dell. If you have 6+ generations worth of different computers, I'm sure that less than half of them will actually behave the same way. Some will ask for authentication, and some won't care that there is a password and will simply always allow the boot menu to function.

Give an example of something that allows you set a firmware password but does not allow you to lock down the boot, or still allows access to the boot menu.

Remove everything but the hdd from boot option, turn off feature to access boot menu, set password.

Even if the boot menu is available, if you alter the boot options then set a password on the firmware you should be good. I don't recall ever in the 30+ years of working/playing with computers -- once they started adding BIOS passwords ;) -- not having the ability to lock out what the computer could boot from.

Shoot, most users cannot figure out how to change the boot order when the firmware is NOT locked ;) Or for that matter press the F-key the system even flashes on the screen that says to change the boot order. So just the fact of changing the boot order to not boot CD/DVD/USB/PXE before the hard drive should keep most users from being able to run the boot tools.
