Tuesday, February 14, 2012

My first blog post ever - think you enforced your GPOs and you are safe?

Imagine the following scenario: You are administering a wide spread domain, containing lots of OUs. For ease, you delegate GPO adminstration on some OUs to local admins in branch offices. But to maintain corporate guidance, you enforce some GPOs at top level (eg. desktop background and screen saver).

MSDN: GPO evaluation process 

This prevents the "bad guys" in the branch offices to change these corporate settings, right?

Totally wrong.

If you rely on your settings being in place, enforcing is ok. But DO NOT USE ADMINISTRATIVE TEMPLATES!

Here's why not.

Group policy processing is a multi stage process. GPOs have an inheritance order that determines which GPO settings get applied last. And last writer wins. So far, so good. But then, CSEs pop in - the "client side extensions". These are responsible for applying various aspects in GPOs (eg. IE Maintenance, MSI installation and so on).

MSDN: Group Policy Application process

The primary "order" that takes place in GPO processing is the invocation order of CSEs. Each CSE is invoked (in a predetermined order), and then each CSE processes the GPOs containing settings for that CSE. What does that mean for administrative templates?

ADM templates (aka "registry policy") are always processed as the very first CSE. All other CSEs are processed in alphabetical order as found in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions. And ADM templates are just registry values. That concludes that each and every CSE processed afterwards is able to change these registry values, and the contents of your corporate guidance GPOs are overwritten. This applies to: Security policies (gpttmpl.inf can be edited to set any registry value), MSI installations, startup scripts and - worst - Group Policy Preferences "Registry".

MSDN: GPO CSE processing order

(Remark: This article states "The Group Policy Registry Extension MUST always execute first"). That's the only statement I ever found that documents why ADM templates are processed first - regardless of the alphabetical order of their GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2}.)

How does that interfere with your corporate administrative templates?

You enforce a corporate screen saver policy - timeout, executable and so on. This results in several registry values in HKCU\Software\Policies\Microsoft\Windows\Control Panel. The bad guy creates his own GPO, and there he deploys the exact same registry values - but not through ADM templates, but through GPP Registry. This CSE is called AFTER the ADM templates have been processed, and - you already know that - "last writer wins". Gone are your corporate settings, even although you "enforced" them.

CSE processing order in Win 7/2008R2 

(Remark: At Microsoft, I only found this outdated list...)

How to avoid that?

  • Deny the usage of GPP "Registry" to subordinate administrators (only makes it harder, but not impossible - I'll cover that in a different post)
  • Do not delegate GPO administration (most secure solution!)
  • Implement AGPM (available only with SA, but also secure)
  • Disable GPP "Registry" (NoMachinePolicy/NoUserPolicy - but also prevents you yourself from using it)
Also in a further post, I'll show you what you can do with that damned screen saver timeout - it's a user setting, but often you'll want it to be different on some COMPUTERS.

Feel free to post feedback or questions, and even feedback on my - hopefully not so bad - english language is appreciated. I'm native german, and even worse, suabian ((-:

BTW: No screenshots? Yes - they would blow up the post.

sincerely, Martin


  1. Great stuff Martin!

    best regards
    Matthias Wolf - MVP GPO

  2. The best way to work my way out of the GPO that has been imposed on the computer I use is to find out how the IT themselves do it. An extensive report of the enemy's tactics. Yes, I am one of the bad guys here.

    1. It's always fun being challenged by a bad guy :-) The only real challenge is to gain administrator/system access, then all IT guys are history...

  3. Here is one challenge: how would you disable the Legal Notice GPO on a server to do some unattended install stuff with autoadminlogin without touching the GPO? Let's keep it server side only. And of course you need to perfom unattended install in an elevated environment, so you have local admin rights. User doing the install is a domain user in the local admin group.