Tags: active directory, domain, group policy
#1
using local group policy to override domain group policy
Hi all. I have a domain user with a notebook overseas now. Currently his notebook is not physically connected to my domain since he is overseas now. For some reason he needs to disable a setting that was obtained via domain group policy. However, changing the setting via local group policy doesn't help. How can I disable the domain policy from taking effect on this particular user's PC? Thanks in advance.

#2
Re: using local group policy to override domain group policy
No, you can't. That's how Group Policy works. It takes precedence over local Group Policy and gets re-applied every max. 120 minutes. Depending on what setting it is, he could - if the user is local administrator on the machine - reset the setting manually by e.g. editing the policy. But every 120 minutes, the setting gets reverted back. The only reasonable thing for you is to create a separate OU for the user, move the user account/laptop into that OU (depending on whether we're talking about a UserConf or CompConf policy) and define the setting the way the user needs it. Then let him connect to the network (e.g. via VPN). There aren't many other options, really.

#3
Re: using local group policy to override domain group policy
Since he isn't connected to the network, can he log on locally as opposed to using cached credentials? This may allow him to get by it. You can't override domain policy with a local policy.

#4
Re: using local group policy to override domain group policy
Talk about posting in a dead thread. Here I go. This thread still shows up in Google near the top when people with this problem do a search so I am posting the answer here.

First, your user needs to be a local administrator for his laptop if he is going to be overseas and disconnected from your network. This will allow him to call you for tech support and avoid the need for you to find a way to access his computer remotely, which may or may not be a workable option depending on the network environment this fellow finds himself in. Plus, if you trust him to take a company computer overseas, you should trust him with elevated local privileges because you are effectively doing that anyway--but that is a different matter.

Group Policy Client need not be running on a detached system computer. There is no domain to attach to and no Group Policy Server available, so a local admin can simply disable the service and make whatever changes are needed to adapt to the outside environment. Also, many local group policy settings are available through the following registry keys:

Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy

Please note that if the Group Policy Client fails it will create error entries in the logs, and all those services dependent on it will fail also. However, in a severed environment overseas, none of those services are helpful to the user anyway. One side effect of this is that non-administrator domain users may not be able to log onto the system--thus, the user needs local admin privileges.

Finally, you could always configure a VPN option for the user if you know or control the overseas network environment he is in. This would require some advanced planning in order to ensure things like:
- your VPN server was accessible from the overseas network
- the firewall on the overseas network allows your VPN connection to pass through
- there is sufficient bandwidth between your network and the overseas network to allow the required domain traffic to be pushed back and forth in a timely manner.

I am by no means an expert in VPN, so you should consult other sources for information on that possibility. Hope this helps someone out there in the future.
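
Added example, not part of any post in this thread: a read-only PowerShell check an administrator can run when a roaming laptop returns, reporting whether the Group Policy Client service is stopped or disabled and whether the registry keys listed in post #4 are present. It assumes Windows Vista or later with PowerShell 3.0+; the function name `Get-GpClientAudit` is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of the Group Policy client.
# Nothing here changes the system; run it from an elevated PowerShell session.

# Registry keys quoted in post #4, in PowerShell provider syntax.
$GpKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy'
)

function Get-GpClientAudit {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # "gpsvc" is the service name behind the "Group Policy Client" display name.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='gpsvc'"
    if (-not $svc) {
        $findings.Add('gpsvc service not found')
    } else {
        if ($svc.StartMode -eq 'Disabled') { $findings.Add('gpsvc start mode is Disabled') }
        if ($svc.State -ne 'Running')      { $findings.Add("gpsvc state is $($svc.State)") }
    }

    # Presence and subkey count for each policy key named in the post.
    $keyReport = foreach ($key in $GpKeys) {
        $exists = Test-Path -Path $key
        $count  = 0
        if ($exists) {
            $count = @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{ Key = $key; Exists = $exists; SubKeys = $count }
    }

    # Newest entry in the Group Policy operational log; a client that has been
    # switched off leaves this timestamp far in the past.
    $last = Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
                         -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $last) { $findings.Add('no Group Policy operational events found') }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Findings    = $findings
        LastGpEvent = $(if ($last) { $last.TimeCreated } else { $null })
        Keys        = $keyReport
    }
}

$audit = Get-GpClientAudit
$audit | Format-List Computer, Findings, LastGpEvent
$audit.Keys | Format-Table -AutoSize
```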

#5
Re: using local group policy to override domain group policy
To Cousinit: That was very nice of you to post to a thread which is three years old. Your advice was clear and concise. Keep up the good deeds. -Kent