Re: Possible to enforce LP over GP?



"schmultzburger" <SPAMburger@xxxxxxxxx> wrote in message
news:132f2i587o2in79@xxxxxxxxxxxxxxxxxxxxx
So, a user with local admin rights can block ALL GPOs or just certain ones
or can they "pick and choose"? And keep their machine on the domain?

At the risk of sounding like I'm trying to get away with something, how is
this done? Better yet, is there any way to block it short of removing
local admin rights?

Affecting certain settings post-GP and not having them reapply until
restart/reboot makes sense, thanks.

Thanks for the quick response,
S-


If you give out local admin then all bets are off as to the state of
the machine and how it gets changed over time. Whether one can
change locally from GPO-defined settings depends on the settings.
For example, those that only set registry keys can be fooled with
by a direct edit of those key values. Just how to break all policy
application depends on the OS version to some extent, and becomes
quite different with Vista. In some configs just disabling the Help
and Support service has been seen to interrupt all AD-based GP
from being applied. When one has tromped on a value set from
GP, just how long that will last depends on whether the setting
is a security extension setting or not, since security policies are
reapplied periodically whether they have been seen as changed
or not, whereas others can exist in their changed state for a very
long time if the GPOs carrying them are left unchanged.
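The reply above points at the defender's problem: registry-backed settings that a local admin has edited stay edited until the GPO itself changes, while the services policy processing depends on can be switched off. The following PowerShell script is an added audit example, not code from this thread or from Roger Abell. It compares registry-backed policy values on the local machine against what your GPOs are expected to set, checks that the services policy processing relies on are present and running, and reports when policy was last processed. The registry paths and values in $ExpectedPolicy are constructed placeholders; 'gpsvc' (Group Policy Client, Vista and later) and 'helpsvc' (the XP-era Help and Support service) are assumed service names for the reader to confirm against their own OS build.

```powershell
# Added example, not text from the thread. Run from an elevated PowerShell
# prompt on the workstation being audited.

# CONSTRUCTED placeholder table. Replace Path/Name/Value with the keys your own
# GPOs actually set (registry-backed policy values normally live under
# HKLM:\SOFTWARE\Policies).
$ExpectedPolicy = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\ExampleVendor\ExampleApp'; Name = 'DisableFeatureX'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\ExampleVendor\ExampleApp'; Name = 'UpdateServer';    Value = 'https://updates.example.internal' }
)

# Services that Group Policy processing depends on (assumed names: 'gpsvc' is the
# Group Policy Client on Vista and later, 'helpsvc' the XP Help and Support
# service mentioned in the thread). Adjust for your OS build.
$PolicyServices = @('gpsvc', 'helpsvc')

function Test-PolicyDrift {
    # Reports Match / Drift / Missing for every expected registry value.
    param([array]$Expected = $ExpectedPolicy)
    foreach ($item in $Expected) {
        $actual = $null
        $exists = $false
        if (Test-Path -LiteralPath $item.Path) {
            $props = Get-ItemProperty -LiteralPath $item.Path -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $item.Name)) {
                $exists = $true
                $actual = $props.($item.Name)
            }
        }
        $status = if (-not $exists) { 'Missing' }
                  elseif ("$actual" -eq "$($item.Value)") { 'Match' }
                  else { 'Drift' }
        [PSCustomObject]@{
            Path = $item.Path; Name = $item.Name
            Expected = $item.Value; Actual = $actual; Status = $status
        }
    }
}

function Test-PolicyServices {
    # A stopped or disabled policy service is the simplest explanation for
    # policy that never reapplies.
    param([string[]]$Names = $PolicyServices)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $mode = $null
        if ($svc) {
            $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
        }
        [PSCustomObject]@{
            Service   = $name
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status } else { 'NotInstalled' }
            StartMode = $mode
        }
    }
}

function Get-LastPolicyProcessing {
    # The Group Policy operational log exists on Vista and later; on older
    # systems this returns $null and "gpresult /r" is the fallback.
    try {
        $evt = Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
                            -MaxEvents 1 -ErrorAction Stop
        return $evt.TimeCreated
    } catch {
        return $null
    }
}

$drift = Test-PolicyDrift
$drift | Format-Table -AutoSize
$bad = @($drift | Where-Object { $_.Status -ne 'Match' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) policy value(s) missing or altered locally"
}

Test-PolicyServices | Format-Table -AutoSize

$last = Get-LastPolicyProcessing
if ($last) { "Last Group Policy processing event: $last" }
else       { "Group Policy operational log not available; use gpresult /r instead" }
```

Values reported as Drift are exactly the case the reply describes: a registry-backed setting that the policy engine will not touch again until the GPO version changes or a forced refresh (gpupdate /force) runs, whereas security extension settings come back on the periodic refresh regardless. Running this from a scheduled task or a management agent, rather than from the local admin's own session, is what makes the report trustworthy.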



Roger Abell [MVP] wrote:
You cannot "enforce" local policy. AD delivered policy
always overrules what may be set in local policy.
Someone that has admin access to a machine can however
prevent all policy from being applied. Also, since much of
policy is applied when it is seen as having changed, settings
that only get reapplied in that fashion can be changed directly
if there is an available method to do so and those changes
will remain effective until the policy settings are reapplied.

Roger

"schmultzburger" <SPAMburger@xxxxxxxxx> wrote in message
news:132eugq2eqegb68@xxxxxxxxxxxxxxxxxxxxx
I was told once by a naysayer that GP was worthless as long as a domain
user had local admin rights because they could get around any settings.
Other than removing a computer from the domain, the only way I can think
of that this might be possible is by setting a LP that is counter to the
GP settings and somehow enforcing the LP. I haven't found anything to
either confirm or deny that this is possible. What I do read though is
that LSD-OU applies with later policy settings overriding earlier ones,
except for enforced settings. That says to me that IF you can enforce
LP, it can always override GP. Can anyone here speak to this?

TIA

S-





