What happens when a *smart* consultant hooks up to your domain?

So we all, from time to time, have consultants come onto our corporate networks. Those IT consultants who, for lack of better understanding, decide to use the corporate network might be surprised from time to time. See, if you get on my network, I don’t really care who you are; my goal is to ensure you are locked out of everywhere I feel you should be, whoever you are, to protect the company’s intellectual property and proprietary information. In this vein, you will not only inherit my security blocks, such as NO internet access since you are not actually ON the domain; you will also have your GPO settings updated immediately if you’re using DHCP (in my special VLAN for you).

Now some of you are screaming at the screen, “Well, only allow authenticated machines to get DHCP!” Yes, true, that is a good idea in one vein. However, if they decide to sniff your network, all they have to do is get on the IP subnet by, for instance, viewing it on a client PC of one of the people they are working with. So why not just lock them down if they decided to be a smart as$ in the first place?

Here is what you do to set them straight after the GPO has been asserted or how to reset security settings back to the defaults:

In a command line, type the following:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

NOTE: Make sure that it is all on one line.


Once you receive the “Task is completed” message, a warning message may pop up saying that something could not be done. You can ignore this message.

You can also find the full document of this information at KB313222.
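
If you want a way back before you reset anything, here is the same step wrapped in a small PowerShell script. This is an added example, not part of the original post or of KB313222; the scratch folder, the file names and the log text match are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$template = Join-Path $env:windir 'repair\secsetup.inf'   # template path from the post
$workDir  = Join-Path $env:TEMP 'secedit-reset'           # assumed scratch folder
$backup   = Join-Path $workDir 'before-reset.inf'         # assumed file names
$db       = Join-Path $workDir 'secsetup.sdb'
$log      = Join-Path $workDir 'reset.log'

# Stop before changing anything if the template is not present on this machine.
if (-not (Test-Path -LiteralPath $template)) {
    throw "Template not found: $template"
}
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Export the current local security policy so the reset can be undone.
secedit /export /cfg $backup | Out-Null
if (-not (Test-Path -LiteralPath $backup)) {
    throw "Export failed; nothing was changed."
}

# 2. Apply the default template (same command as in the post, plus a log file).
secedit /configure /cfg $template /db $db /verbose /log $log
Write-Host "secedit exit code: $LASTEXITCODE"

# 3. Show what the warning was about instead of ignoring it blindly.
#    Matching on 'warning' / 'error' is an assumption about the log wording.
if (Test-Path -LiteralPath $log) {
    Select-String -Path $log -Pattern 'warning|error' |
        ForEach-Object { $_.Line.Trim() }
}

# To put the exported settings back later:
#   secedit /configure /cfg $backup /db (Join-Path $workDir 'restore.sdb') /verbose
```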


*NOTE for Consultants: I am one too, so I know sometimes it is the only way to get things done, depending on how hosed the network/application/etc. is, so keep this one-liner in your “tool kit” for future reference!*