
I’ve received a number of comments and have seen a number of blog postings subsequent to my blog posting about this topic. One of the reasons I mentioned that it was probably not a good idea to have GPMC on every system was that inherently anyone who can read a GPO (which includes any user or computer that can process a GPO) could easily back up those GPOs using GPMC without any special admin privileges. Adam Vero, on his blog, and "Evan", who posted a comment on my blog posting, note that even without GPMC, a regular user who can read a GPO can simply go out to SYSVOL and copy the contents of those folders and accomplish the same thing as a GPMC backup. While I generally agree with this, GPMC makes the process a heck of a lot easier. Don’t get me wrong, truly malicious users within an organization with the skill and the talent can do lots of fun things if they know enough about GPO. As an example, you might want to download the whitepaper I wrote when I was at DesktopStandard entitled "How Secure is Group Policy?", which details quite a few ways that a properly credentialed user can get around GP.

However, my point was more that GPMC makes it easy for a regular user who is just curious to get information about Group Policy configurations within an organization without a lot of effort. Accessing SYSVOL and the GPT is not exactly an intuitive process, and to get a complete picture, they would also need to access the AD parts of GP, as some settings are stored there as well. In any case, the casual user might just be doing it because they want to be an IT administrator, and so they decide to take a backup of the company’s GPOs home to play with in their test environment. Yes, they can download GPMC from MS’ website and do the same thing, but I think the point is that having it on every desktop machine makes it easier and creates more potential problems than it solves. My general approach is to not install administrative tools (or any code, for that matter) on machines where they don’t need to be installed, because who knows how they may be used or abused down the line.

So, while this may not be the only good reason to remove GPMC from Vista SP1, it is, from my perspective, a convenience that reduces the number of things I have to worry about within the desktop environment.
