Re: Possible to enforce LP over GP?



So, a user with local admin rights can block ALL GPOs or just certain ones or can they "pick and choose"? And keep their machine on the domain?

At the risk of sounding like I'm trying to get away with something, how is this done? Better yet, is there any way to block it short of removing local admin rights?

Affecting certain settings post-GP and not having them reapply until restart/reboot makes sense, thanks.

Thanks for the quick response,
S-

Roger Abell [MVP] wrote:
You cannot "enforce" local policy. AD delivered policy
always overrules what may be set in local policy.
Someone that has admin access to a machine can however
prevent all policy from being applied. Also, since much of
policy is applied when it is seen as having changed, settings
that only get reapplied in that fashion can be changed directly
if there is an available method to do so and those changes
will remain effective until the policy settings are reapplied.

Roger

"schmultzburger" <SPAMburger@xxxxxxxxx> wrote in message news:132eugq2eqegb68@xxxxxxxxxxxxxxxxxxxxx
I was told once by a naysayer that GP was worthless as long as a domain user had local admin rights because they could get around any settings. Other than removing a computer from the domain, the only way I can think of that this might be possible is by setting a LP that is counter to the GP settings and somehow enforcing the LP. I haven't found anything to either confirm or deny that this is possible. What I do read though is that LSD-OU applies with later policy settings overriding earlier ones, except for enforced settings. That says to me that IF you can enforce LP, it can always override GP. Can anyone here speak to this?

TIA

S-






