Mark Minasi's Reader Forum
 GPOs and registry tattooing

T O P I C    R E V I E W
elliotg Posted - 02/01/2004 : 11:17:02 PM
I have been compiling some user (local admin really) guides on GPOs and security. During this process I have been forced to have a closer look at a number of areas. One of these is the oft-quoted but infrequently explained area of registry tattooing.

Probably the first thing most of us heard about Group Policies was that, unlike NT4 System Policies, they did not tattoo the registry and that if the computers were moved into a changed environment, the old policy settings did not stay in force. It now appears that this is only a partial truth.

For almost all settings covered by the Administrative Templates section, the non-tattooing seems to apply. This is because these settings are all stored under special "Policies" keys in the registry and these entries are removed if they no longer apply. The entries in these sub-keys do not overwrite default settings; where defaults exist they are stored elsewhere in the registry. The policy settings will overrule default settings, not replace them.

But other settings in GPOs do seem to overwrite the default data, and remain in place until they are themselves overwritten. In particular, this seems to apply to the settings in the "security options" section of local policies. The registry keys written to (as far as I can tell) are not part of the "wiped out when no longer applicable" policies keys. Changes in this area do indeed seem to tattoo the registry.

Maybe I am wrong, but I cannot seem to find any solid information on this point. One would think that anything as central as this would be clearly documented.

I am also uncertain about the longevity of other GPO settings in the Security area such as User rights, account policies, audit policies etc. It seems likely to me that once these have been sent to the client computer by the application of a group policy, they stay in place until they are explicitly overwritten. Merely removing the computer from the domain, for example, will not reverse these changes. Or will it?

I would be very grateful for any solid information on these questions!

Elliot
6   L A T E S T    R E P L I E S    (Newest First)
dmarelia Posted - 02/07/2004 : 7:52:13 PM
Definitely not all of them Elliot. Let me know if you can't find the information in the books--I will dig it up when I get home.
elliotg Posted - 02/06/2004 : 6:52:34 PM
Darren

Thanks for your help. This information is not easy to find - many articles say that all GPO settings are free of tattooing!

But now that I have a link to your site, and have registered, I think that I will be in a better position!! It looks a mine of information.

Elliot
dmarelia Posted - 02/05/2004 : 5:09:03 PM
Jerrod-
It's actually pretty straightforward. There are basically 4 keys in the registry--2 in HKLM and 2 in HKCU. Any values set under those 4 keys will be removed and any values set elsewhere won't. I don't have the keys off the top of my head and I'm not close to the docs, but you can download either of my two e-books from www.fullarmor.com. They both include sections on tattooing.
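
The reply above does not name the four keys; on Windows they are the two `Policies` keys under each of HKLM and HKCU, listed in the script below. This PowerShell is an added example (not part of any post, and not from the e-books mentioned) that classifies a registry path as policy-managed or tattooing; the function names and sample paths are constructed for illustration.

```powershell
# Added example. The four roots are the standard Windows policy keys;
# values written anywhere else stay behind when the GPO stops applying.
$PolicyRoots = @(
    'HKLM\Software\Policies',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU\Software\Policies',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
)

# Hypothetical helper: normalise long hive names and the HKLM:\ drive form.
function ConvertTo-ShortHive {
    param([string]$Path)
    $p = $Path.Trim().TrimEnd('\')
    $p = $p -replace '^HKEY_LOCAL_MACHINE(?=\\|$)', 'HKLM'
    $p = $p -replace '^HKEY_CURRENT_USER(?=\\|$)', 'HKCU'
    $p = $p -replace '^(HKLM|HKCU):', '$1'
    return $p
}

# Hypothetical helper: Tattoos = $true means the value must be reverted explicitly.
function Test-RegistryTattoo {
    param([Parameter(Mandatory)][string]$Path)
    $p = ConvertTo-ShortHive $Path
    foreach ($root in $PolicyRoots) {
        # Match the root itself or a subkey; the trailing backslash keeps
        # a sibling such as "...\PoliciesOld" from counting as a policy key.
        if ($p -ieq $root -or
            $p.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return [pscustomobject]@{ Path = $Path; Tattoos = $false; PolicyRoot = $root }
        }
    }
    [pscustomobject]@{ Path = $Path; Tattoos = $true; PolicyRoot = $null }
}

# Constructed sample paths: two under policy keys, two outside them.
$samples = @(
    'HKLM\Software\Policies\Microsoft\Windows\System',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM\Software\PoliciesOld\Example'
)
$samples | ForEach-Object { Test-RegistryTattoo $_ } | Format-Table -AutoSize
```

The check covers registry-based settings only; settings that are not stored as registry values are outside what a path comparison can tell you.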
aed Posted - 02/05/2004 : 08:45:39 AM
Are there any documents that specify which policy settings do tattoo the registry and which do not?

Just a thought,
Jerrod
dmarelia Posted - 02/05/2004 : 12:30:23 AM
Elliot-
Sorry for the delayed response. The security settings policies are not all strictly registry settings. Some of them are, such as the settings found under Security Options. And, you're correct that these are "preferences" rather than policies, inasmuch as they must be explicitly removed rather than getting automatically removed when the GPO falls out of scope. However, many of the policies set under Security Settings are made directly to the SAM on the target machine. Examples of these include Account Policy, User Rights and Audit Policy. Even in those cases, however, you must explicitly remove/change these policies for them to no longer apply. At least, that is my memory of those. I probably need to go back and test some of that now that I think about it.
elliotg Posted - 02/04/2004 : 6:58:01 PM
I was surprised not to get any response to this message, despite quite a few people looking at it. Perhaps I made it too complicated!! Can I thus reask my central question in a far less polemical form?

Registry settings set by the Administrative Templates section of GPOs generally do not tattoo the registry. Am I correct in concluding that registry settings made via the Security Options section DO tattoo the registry?

Elliot
