Re: Group Policy for detached domain client

From: "Danny Sanders" <Danny.Sanders@xxxxxxxxxxxxxxxxx>
Date: Wed, 18 May 2005 08:50:39 -0600

Once they are off the LAN they log into
> their machines as usuall but do not have administrative rights. Am I right
> in
> saying that once the machine is off the network, the group policy does not
> apply anymore, even though they are logged into the machine?

If they still log into the domain while not connected they will use cached
credentials and have the same privileges as if they actually logged into the
domain.
If they log in locally when not connected to the domain they the domain
group policy will not apply.

And if so, how
> to I fix it, apart from manually adding them to the local policy on each
> machine?

Remove their local login account. There is really no reason for them to log
in locally. This will force them to log in with cached credentials.

hth
DDS W 2k MVP MCSE

"Morne" <Morne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:13FC0DFD-EC2E-4B85-AB10-13FD45A861E2@xxxxxxxxxxxxxxxx
> Hi. I have a few laptops that are being used from home after hours. Users
> on
> these laptops are made part of the local administrators group when they
> are
> on the LAN by using group policy. Once they are off the LAN they log into
> their machines as usuall but do not have administrative rights. Am I right
> in
> saying that once the machine is off the network, the group policy does not
> apply anymore, even though they are logged into the machine? And if so,
> how
> to I fix it, apart from manually adding them to the local policy on each
> machine?
>
> Any assistance in this regard is appreciated, even a link to a document
> will
> help very much.
>
> Thanks up front,
>
> Morne

.

References:
- Group Policy for detached domain client
  - From: Morne

Prev by Date: Re: manage windows XP SP2
Next by Date: Software deployment links into All Users folder
Previous by thread: Group Policy for detached domain client
Next by thread: How to create group policy without affecting administrator
Index(es):
- Date
- Thread

Relevant Pages

RE: Disabling sharing and group policies
... A user with local Administrator rights to ... his/her machine *can* exempt his/her machine from group policy application. ... Actually, as I said, anybody with administrative rights on his/her machine ...
(Focus-Microsoft)
Re: WinXP SP2 Release Candidate
... There is a group policy that blocks the internal port blocking inside ... this does not stop the better benefits of IE pop up blocker ... Take the laptop off the lan and see how much more ... Dirk-Thomas Brown wrote: ...
(microsoft.public.backoffice.smallbiz2000)
Re: Restoring Administrative Rights to domain computers
... As Lanwench indicated you can use a Group Policy startup script. ... in the local administrators group is enforced by two possible methods. ... to restrict the Administrative Rights on the system. ...
(microsoft.public.security)
Re: No access to Group Policy Object
... | unspecified error with the message: No access to Group Policy Object on ... | this computer(you may not have administrative rights)! ... | I am trying to do this for a reason: I cannot turn off System Restore ...
(microsoft.public.windowsxp.security_admin)
Re: group policy - how to?
... For example, I want to have a group policy in such a way that when a laptop connects to the LAN/domain, this policy specifys IE's properties such as proxy settings and home pages etc. ... But when the laptop does not connect to the LAN, this GPO does not apply, ie the proxy settings and home page is different from that in LAN/domain environment. ...
(microsoft.public.windows.server.active_directory)