GPO not applied "access denied", access is set to full control

    Question

  • I'm trying to create a GPO to enforce smart card logon for a specific user group on Server 2012 R2 Essentials. I'm currently on a test server, no other domain members around, so I can do pretty much anything I want or need while searching.

    That also implies that everything I describe below was done on the domain controller, and I don't have another domain member around to try anything on.

    The procedure I followed (and restarted several times from scratch by now):

    • Create a new global security group to test the GPO on later; made the group itself a member of Domain Admins (that will be the case in the final version too).
    • Create a test user account, made it member of the test group.
    • Logged into that account to verify it's OK and has domain admin rights.
    • Logged back into my own account and started Group Policy Management.
    • Created and edited a new GPO, defined and enabled security settings to require smartcard logon + auto log off at smartcard removal.
    • In Scope / Security filtering, added the test group.
      Did *not* remove "authenticated users", see next step. Reason: "don't do this" remark near the top at http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/
    • In Delegation / Advanced, unchecked "Apply" permission for "authenticated users".
    • Created a link to the GPO at the domain root. It shows up as link enabled = yes and GPO status = enabled.
    • Start / Run / gpupdate
    • When that was finished, back in GP management, started Group Policy Results wizard and let it report the result for the test user I created above.
      Result: the test GPO was listed under "Denied GPOs", Reason Denied = "Access Denied (Security Filtering)".

    That doesn't seem right: "authenticated users" still has "read" rights, the test group has "apply" right, and there are no "deny" rights specified anywhere (checked it).

    From there on I tried everything I could think of, including

    • giving the test account full control rights on the GPO object directly, instead of just read and apply through the test group,
    • often rebooting and at least running gpupdate between any changes,
    • etc.

    The result always remained "Access denied (Security filtering)".

    Can anyone tell me what I am forgetting or doing wrong?



    • Edited by lucvdv Friday, June 3, 2016 2:31 PM clarity
    Friday, June 3, 2016 2:23 PM
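Added example, not code from the poster or from anyone in this thread: a PowerShell check, run on the DC with the GroupPolicy RSAT module, of the two facts the rest of the thread turns on: which half of the GPO (Computer Configuration or User Configuration) actually contains settings, and which trustees hold Read and Apply on it. The GPO name and the test user name are placeholder assumptions.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy module (RSAT) on the DC.
Import-Module GroupPolicy

$GpoName  = 'Test Smartcard Logon'   # placeholder: the poster's test GPO (assumption)
$TestUser = 'TESTDOMAIN\testuser'    # placeholder: the test account (assumption)

# 1. Which halves of the GPO hold settings? "Interactive logon: Require smart card"
#    lives under Computer Configuration, so it is processed by the computer
#    account, not by the user the GPO was filtered to.
[xml]$report  = Get-GPOReport -Name $GpoName -ReportType Xml
$hasComputer  = [bool]$report.GPO.Computer.ExtensionData
$hasUser      = [bool]$report.GPO.User.ExtensionData
"Computer Configuration populated : $hasComputer"
"User Configuration populated     : $hasUser"

# 2. Security filtering: Computer Configuration is evaluated against the
#    computer account, User Configuration against the user account. A user
#    group with GpoApply never makes a computer-side setting apply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission, Denied |
    Format-Table -AutoSize

# 3. Resultant Set of Policy for the user, the same data as the GPMC
#    "Group Policy Results" wizard, written to an HTML report.
Get-GPResultantSetOfPolicy -User $TestUser -ReportType Html -Path "$env:TEMP\rsop-user.html"
```

Step 2 is the one worth keeping as a routine check: if the only trustee with GpoApply is a user group and step 1 shows only Computer Configuration populated, no computer will ever apply the GPO, whatever the user-side result says.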

All replies

  • On 03.06.2016 at 16:23, lucvdv wrote:
    > require smartcard logon + auto log off at smartcard removal.
     
    This is a Computer configuration!
    You are trying to apply it on a user object. The user will never get
    this GPO, because he is the wrong target.
     
    You can not build a user security group that requires Smartcards, you
    can only define computers, where users need a smartcard.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by lucvdv Monday, June 6, 2016 7:12 AM
    Friday, June 3, 2016 2:39 PM
  • Thanks, that was fast.

    Can it be done by enabling loopback processing? I think I read somewhere that can be used to apply user settings to specific computers, but I don't know if it will work the other way around.

    Friday, June 3, 2016 2:55 PM
  • Or is there some other way to trick the system into applying a computer configuration only for certain users, such as a WMI filter or so?

    The intention was to require a smart card for sensitive stuff, and allow plain password logon only for normal users.




    • Edited by lucvdv Friday, June 3, 2016 3:27 PM
    Friday, June 3, 2016 3:25 PM
  • On 03.06.2016 at 16:55, lucvdv wrote:
    > Can it be done by enabling loopback processing?
     
    No.
     
    computer settings apply to Computer
    User settings apply to users
     
    Loopback enabled:
    if user settings are linked to a computer object, the logon service gives
    the list of these user settings to the users, the computer itself still
    ignores it.
     
    Mark
     
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, June 3, 2016 3:59 PM
  • On 03.06.2016 at 17:25, lucvdv wrote:
    > Or is there some other way to trick the system into applying a computer
    > configuration only for certain users, such as a WMI filter or so?
     
    No.
     
    > The intention was to require a smart card for sensitive stuff, and allow
    > plain password logon only for normal users.
     
    That's a really easy task:
    Your targets are human, you can tell and advise them to use the card.
    Done.
     
    You try to solve a social problem with technology. That will never work.
     
    Set "require smartcard" to disable/not configured
    Set "lock when removed" to enabled
     
    Set require on your admin workstations or your servers
     
    There is no technical security difference between users. In the end,
    Password Hashes are created for all of them and the system doesn't care
    if it was created from 2 digit password or 16 characters with complexity
    and smartcard.
    If I get a hash with domainadmin rights it's easy to break your system.
    If I have only user rights, it only takes a little longer.
     
    The sensitive security difference is between computers. Are they used in
    your development, your production? Are they allowed by firewall rules to
    access sensitive systems?
    You can get more security if you require a smartcard on a certain
    system, but usually not if you require it for a user on ALL systems.
    You need the smartcard, when logging into a server or an administrative
    Workstation, while performing administrative tasks, but that's not user
    specific.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, June 3, 2016 4:38 PM
  • > That's a really easy task:
    > Your targets are human, you can tell and advise them to use the card.
    > Done.
    >
    > You try to solve a social problem with technology. That will never work.


    I don't quite agree. What you say here comes down to saying that those password complexity rules MS built into the OS are baked air, all you have to do is tell your users to use secure passwords.

    In this case, there are [going to be, in the next version] several Server 2012 R2 Essentials plus one or two workstations each, but the application is "sort of" embedded.

    Normal users (store attendants) get a custom user interface instead of the Windows shell. They get no desktop, no task bar, no start menu, just the application, and security requirements are relatively low.

    Store managers and technical support staff log in with accounts giving them the standard Windows UI. Technical staff have administrator rights on top.

    We've been doing it like this all the way since NT4 in the 90's, but now I want to increase security on the administrator accounts because the passwords leak out too often (not always the fault of the manager or support tech: one clerk once admitted, after some arguing, that he got it by watching it being typed in on footage from a hidden camera he had installed behind his cash desk).

    [OffTopic] And I know even two-factor won't be enough. For example, we've once fallen into a gaping hole in a printer driver. Remove paper from printer, start print job, message box popped up with a "Help" button in it. Clicking it opened the printer's help file - started by the driver, running with local system privileges, and containing a link to the printer's control panel, which was handled by Windows Explorer and had an address bar.

    Reported it to the manufacturer, they didn't find it important enough to publish a fix. That was about 15 years ago, little chance that you'll still find one of those printers today, but it *was* one from a manufacturer that once sold a lot of pocket calculators.


    Monday, June 6, 2016 7:12 AM
  • Hi,
     
    On 06.06.2016 at 09:12, lucvdv wrote:
    > I don't quite agree. What you say here comes down to saying that
    > those password complexity rules MS built into the OS are baked air,
    > all you have to do is tell your users to use secure passwords.
     
    Right. The reason for using complexity is to make it harder when using
    bruteforce, rainbow tables, guessing etc.
    But, if I can access the machine locally, the complexity doesn't have an
    effect. I read the hash from the cache.
     
    That's why MS implemented Isolated User Mode in Windows 10.
     
    Complexity leads into poor passwords, especially if you need to change
    it every 30 days ... -> January2015!, february2015!, MyPassword1,
    MyPassword2 etc. you will find most of them already in dictionaries and
    rainbow tables.
     
    As you said: Breaking the system is not only depending on the OS, if I
    can get System or local Admin rights, I can get the hash. :-(
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Monday, June 6, 2016 8:25 AM
  • > I'm trying to create a GPO to enforce smart card logon for a specific
    > user group on Server 2012 R2 Essentials.
     
    You cannot do that with a group, as Mark already explained. But you can
    check "Logon requires Smart card" in the account properties of the
    related users.
     
    • Marked as answer by lucvdv Monday, June 6, 2016 1:51 PM
    Monday, June 6, 2016 1:28 PM
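Added example, not code from anyone in this thread: the per-account option the answer above points to ("Smart card is required for interactive logon" in the account properties) is the `SmartcardLogonRequired` flag on the user object, which the ActiveDirectory module can set for every member of a group and audit afterwards. The group name is a placeholder assumption; the `-WhatIf` switch makes the first loop a dry run.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$GroupName = 'SmartcardAdmins'   # placeholder: the group whose members must use a card (assumption)

# 1. Require a smart card for interactive logon on every (nested) user member.
#    Remove -WhatIf once the dry-run output lists the accounts you expect.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.DistinguishedName -SmartcardLogonRequired $true -WhatIf
    }

# 2. Audit: group members that still allow password-only interactive logon.
#    Re-run this after any membership change; the flag is per account, not per group.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties SmartcardLogonRequired }

$members |
    Where-Object { -not $_.SmartcardLogonRequired } |
    Select-Object SamAccountName, Enabled, SmartcardLogonRequired |
    Format-Table -AutoSize
```

This covers interactive logon for the flagged accounts on every machine, which is the user-scoped requirement the question asked for; the GPO setting discussed earlier remains the way to require a card on a specific computer regardless of who logs on, and the two can be combined.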
  • Thanks.

    Now I feel stupid, for vaguely remembering that the possibility was there, but believing you had to do it through a GPO while it's a simple account option :(

    Monday, June 6, 2016 2:13 PM