Go Back   TechArena Community > Technical Support > Computer Help > Windows Server > Active Directory
Become a Member!
Forgot your username/password?
Register Tags Active Topics RSS Search Mark Forums Read SiteMap

Tags: , ,

Sponsored Links



using local group policy to override domain group policy

Active Directory


Reply
 
Thread Tools Search this Thread
  #1  
Old 29-05-2008
inenewbl
 
Posts: n/a
using local group policy to override domain group policy

Hi all. I have a domain user with a notebook in overseas now. Currently his
notebook is not physically connected to my domain since he is overseas now.
For some reason he need to disable a setting that was obtained via domain
group policy. However changing the setting via local group policy doesn't
help. How can i disable the domain policy from taking effect on this
particular user's pc. Thks in advance.
Reply With Quote
  #2  
Old 29-05-2008
Florian Frommherz [MVP]
 
Posts: n/a
Re: using local group policy to override domain group policy

No, you can't. That's how Group Policy works. It takes precedence over
local Group Policy and gets re-applied every max. 120 minutes. Depending
on what setting it is, he could - if the user is local administrator on
the machine - reset the setting manually by e.g. editing the policy. But
every 120, the setting gets reverted back.

The only reasonable thing for you is create a seperate OU for the user,
move the useraccount/laptop into that OU (depending on we're talking
about a UserConf or CompConf policy) and define the setting the way the
user needs it. Then let him connect to the network (e.g. via VPN).

There aren't many other options, really.
Reply With Quote
  #3  
Old 29-05-2008
Paul Bergson [MVP-DS]
 
Posts: n/a
Re: using local group policy to override domain group policy

Since he isn't connected to the network can he log on locally as opposed to
using cached credentials? This may allow him to get by it. You can't
override domain policy with a local policy.
Reply With Quote
  #4  
Old 04-09-2011
Member
 
Join Date: Sep 2011
Posts: 1
Re: using local group policy to override domain group policy

Talk about posting in a dead thread. Here I go. This thread still shows up in Google near the top when people with this problem do a search so I am posting the answer here.

First, your user needs to be a local administrator for his laptop if he is going to be overseas and disconnected from your network. This will allow him to call you for tech support and avoid the need for you to find a way to access his computer remotely, which may or may not be a workable option depending on the network environment this fellow finds himself in. Plus, if you trust him to take a company computer overseas, you should trust him with elevated local privileges because you are effectively doing that anyway--but that is a different matter.

Group Policy Client need not be running on a detached system computer. There is no domain to attach to and no Group Policy Server available, so a local admin can simply disable the service and make whatever changes are needed to adapt to the outside environment.

Also, many local group policy settings are available through the following registry keys:

Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy
Included in this registry tree are settings that specify which domain GP Server to attach to. Thus, editing the keys titled "DCName" and "DSPath" can help to point the user's laptop to a different GP server--or to none at all if they read "LocalGPO" and "\\localhost" respectively. Changing these values across several registry keys will cause the Group Policy Client to misdirect and fail to find the domain policy server. This can of course be reduced to two .reg files, so the client can be effectively turned on and off by merging one file or the other into the registry. This is useful since the files can be emailed to the user and you can simply say "double-click on this"--thus avoiding the need to explain how to disable the service manually.

Please note that if the Group Policy Client fails it will create error entries in the logs, and all those services dependent on it will fail also. However, in a severed environment overseas, none of those services are helpful to the user anyway. One side effect of this is that non-administrator domain users may not be able to log onto the system--thus, the user needs local admin privileges.

Finally, you could always configure a VPN option for the user if you know or control the overseas network environment he is in. This would require some advanced planning in order to ensure things like:
- your VPN server was accessible from the overseas network
- the firewall on the overseas network allows your VPN connection to pass through
- there is sufficient bandwidth between your network and the overseas network to allow the required domain traffic to be pushed back and forth in a timely manner.

I am by no means an expert in VPN, so you should consult other sources for information on that possibility.

Hope this helps someone out there in the future.
Reply With Quote
  #5  
Old 28-09-2011
Member
 
Join Date: Sep 2011
Posts: 1
Re: using local group policy to override domain group policy

To Cousinit: That was very nice of you to post to a thread which is three years old. Your advice was clear and concise. Keep up the good deeds. -Kent
Reply With Quote
Reply

  TechArena Community > Technical Support > Computer Help > Windows Server > Active Directory


Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads for: "using local group policy to override domain group policy"
Thread Thread Starter Forum Replies Last Post
Use group policy to change local administrator password in Domain coady Active Directory 4 29-12-2010 11:20 AM
Applying group policy only to members of a domain local securitygroup Drazen Active Directory 3 07-03-2010 05:28 PM
How to use Group Policy Editor to Manage Local Computer Policy on Windows XP Afznotermi Networking & Security 3 07-10-2009 03:12 PM
Group Policy -> Missing Group Policy settings Jeroen Active Directory 3 25-07-2007 12:00 AM
Override the local Group Policy by domain policy or delete the RSOP gchandrujs via WindowsKB.com Windows Security 0 04-07-2007 09:20 PM


All times are GMT +5.5. The time now is 06:35 PM.