Results 1 to 4 of 4

Thread: Using local group policy to override domain group policy

  1. #1
    Join Date
    Jan 2005

    Using local group policy to override domain group policy

    There are some different domain users which access the server from various location through their notebook. They are not physically connected with each other. Now how can a user from the other end can configure settings of domain group policy. Here he had already tried to do the same via domain group policy. But that does not worked well. I need some help to find a option that can allow me to disable domain policy.

  2. #2
    Join Date
    Oct 2004
    There is no way to do that. This is how GP is designed. You must try to work on the local group policy also. And you must then re-apply the same. Depending the type of connectivity and configuration it will take time to apply the settings completely. While there is no way to do that manually.

  3. #3
    Join Date
    Sep 2011

    re: Using local group policy to override domain group policy

    Talk about posting in a dead thread. Here I go. This thread still shows up in Google near the top when people with this problem do a search so I am posting the answer here.

    First, your user needs to be a local administrator for his laptop if he is going to be overseas and disconnected from your network. This will allow him to call you for tech support and avoid the need for you to find a way to access his computer remotely, which may or may not be a workable option depending on the network environment this fellow finds himself in. Plus, if you trust him to take a company computer overseas, you should trust him with elevated local privileges because you are effectively doing that anyway--but that is a different matter.

    Group Policy Client need not be running on a detached system computer. There is no domain to attach to and no Group Policy Server available, so a local admin can simply disable the service and make whatever changes are needed to adapt to the outside environment.

    Also, many local group policy settings are available through the following registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy
    Included in this registry tree are settings that specify which domain GP Server to attach to. Thus, editing the keys titled "DCName" and "DSPath" can help to point the user's laptop to a different GP server--or to none at all if they read "LocalGPO" and "\\localhost" respectively. Changing these values across several registry keys will cause the Group Policy Client to misdirect and fail to find the domain policy server. This can of course be reduced to two .reg files, so the client can be effectively turned on and off by merging one file or the other into the registry. This is useful since the files can be emailed to the user and you can simply say "double-click on this"--thus avoiding the need to explain how to disable the service manually.

    Please note that if the Group Policy Client fails it will create error entries in the logs, and all those services dependent on it will fail also. However, in a severed environment overseas, none of those services are helpful to the user anyway. One side effect of this is that non-administrator domain users may not be able to log onto the system--thus, the user needs local admin privileges.

    Finally, you could always configure a VPN option for the user if you know or control the overseas network environment he is in. This would require some advanced planning in order to ensure things like:
    - your VPN server was accessible from the overseas network
    - the firewall on the overseas network allows your VPN connection to pass through
    - there is sufficient bandwidth between your network and the overseas network to allow the required domain traffic to be pushed back and forth in a timely manner.

    I am by no means an expert in VPN, so you should consult other sources for information on that possibility.

    Hope this helps someone out there in the future.

  4. #4
    Join Date
    Sep 2011

    re: Using local group policy to override domain group policy

    To Cousinit: That was very nice of you to post to a thread which is three years old. Your advice was clear and concise. Keep up the good deeds. -Kent

Similar Threads

  1. Replies: 2
    Last Post: 17-12-2013, 09:10 PM
  2. Replies: 4
    Last Post: 29-12-2010, 11:20 AM
  3. Replies: 3
    Last Post: 07-10-2009, 03:12 PM
  4. Group Policy Local drives
    By Daniel in forum Active Directory
    Replies: 3
    Last Post: 24-04-2008, 08:15 AM
  5. Group Policy -> Missing Group Policy settings
    By Jeroen in forum Active Directory
    Replies: 3
    Last Post: 25-07-2007, 12:00 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts