Tips and Tricks

An Easy Fix for a Sticky GPO Security Problem

Ease the pain by automating account creation.

Group Policy Objects (GPO) provide a powerful way to ensure that users adhere to corporate computing policies. But many organizations may be subject to a security vulnerability stemming from GPO settings used for servers and client computers in Active Directory domains. Fortunately, this security problem has an easy fix.

The problem stems from the Registry changes that occur when you configure a policy under Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options. Most of these settings are simple Registry value changes that affect the computer the GPO targets. That means any user with administrative access to the Registry on the target computer can change the setting, even if the GPO policy configures the setting.

This might come as something of a shock, since Microsoft likes to claim that GPOs are bulletproof, secure, non-tattooing and stable. I won't try to make the case that such claims are 100 percent wrong, but in this case, at least, some education and guidance is in order.

Let's walk through a real-world example to help visualize the issue. Assume you've enabled the "Do not display last user name in logon screen" policy in a GPO that affects all computers and users in the domain, administrators included. When the logon screen appears following the CTRL-ALT-DEL key sequence, this policy removes the username of the last person who logged on to the computer, so that whoever sits down at the keyboard is not handed a valid account name for free.

Now the rub: Assume that Joe is the user of the computer named Joe_XP1. Company policy requires users to be local administrators on their own computers so they can install applications and security updates, so Joe has administrative privileges on Joe_XP1. With this access, Joe can open the Registry editor, find the DontDisplayLastUserName Registry value, and change it to 0, which disables the policy. The next time Joe (or any user) logs on to Joe_XP1, the username will appear in the Username textbox on the logon screen.

What about after the GPO has time to refresh or the computer is restarted? Neither action will fix the problem, because Group Policy won't think anything's wrong. The client checks only the GPO version number, not the actual state of the settings that version contains. This version number is stored in the GPO and on the computer it updates. In our example, the Registry value has changed, but the GPO version number has not. Since the two version numbers match, the client skips reapplying the GPO's settings to the computer.

The solution to this problem is quite simple. A GPO policy named "Security policy processing" controls how GPO refreshes handle version checking. The policy is located under the Computer Configuration|Administrative Templates|System|Group Policy node in the GPO. When configuring this policy you'll see a check box labeled "Process even if the Group Policy objects have not changed." When this is checked, the GPO version is not evaluated for the Security Options settings in the GPO. Instead, all of the settings are reapplied to the computer as if the GPO were being applied for the first time. This occurs at every refresh interval (by default every 90 minutes) and every time the computer is restarted.
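The following PowerShell script is an added example, not part of the original article, showing how a defender can detect the drift described above on a workstation and confirm that "Security policy processing" is set to reapply settings on every refresh. It assumes the standard Registry locations for these two settings: the "Do not display last user name" policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the Security client-side extension's processing flags under HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}, where NoGPOListChanges = 0 corresponds to the "Process even if the Group Policy objects have not changed" check box. The expected-value table is an assumption you would replace with whatever your GPO actually sets.

```powershell
# Added example (not from the article): audit a computer for a local change to
# a Security Options Registry value that Group Policy will not correct on its own.
# Assumptions: the Registry paths below are the standard locations for these
# settings, and $Expected holds the values your GPO is supposed to enforce.

# "Interactive logon: Do not display last user name" is stored as a DWORD here.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Processing flags for the Security client-side extension (CSE) live under its GUID.
# NoGPOListChanges = 0 means "Process even if the Group Policy objects have not changed".
$cseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-RegistryValueOrNull {
    # Returns the named value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-SecurityOptionDrift {
    # Emits one object per expected setting, flagging any value that differs
    # from what the GPO is supposed to have configured.
    param(
        [hashtable]$Expected = @{ DontDisplayLastUserName = 1 }   # assumed GPO values
    )
    foreach ($name in $Expected.Keys) {
        $actual = Get-RegistryValueOrNull -Path $policyKey -Name $name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Drifted  = ($actual -ne $Expected[$name])
        }
    }
}

function Test-SecurityPolicyReprocessing {
    # True only when the Security CSE is told to reapply settings on every refresh.
    # A missing value means the policy is Not Configured, which behaves like unchecked.
    $flag = Get-RegistryValueOrNull -Path $cseKey -Name 'NoGPOListChanges'
    return ($flag -eq 0)
}

$drift = Test-SecurityOptionDrift
$drift | Format-Table -AutoSize

if ($drift | Where-Object Drifted) {
    Write-Warning 'One or more Security Options values differ from the GPO-defined value.'
    if (-not (Test-SecurityPolicyReprocessing)) {
        Write-Warning ('"Security policy processing" is not set to process unchanged GPOs; ' +
                       'a refresh or reboot will not restore these values.')
    } else {
        # Reprocessing is on, so an immediate refresh will put the GPO values back.
        gpupdate /target:computer /force
    }
}
```

Run it in an elevated PowerShell session on the computer in question. On a machine where the value was flipped to 0 by hand, the table shows Drifted = True; whether the second warning appears tells you immediately whether the fix in the article has been applied to that computer's GPO.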

Other settings to consider include:

  • Use GPOs to deploy software, eliminating the need for users to be local administrators.
  • Use GPOs to prevent users from running Registry editing tools.

Even though Group Policy's default processing doesn't counteract local changes to the settings it applies, there are GPO settings that can ensure security is actually enforced on target computers.

About the Author

Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., an independent consultant and speaker, and the author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek's company is often called upon to develop end-to-end Group Policy solutions for companies. Derek is the author of The Group Policy Resource Kit from MSPress, the de facto book on the subject.
