Re: local gp v's domain based gp

<joshua.morgan@xxxxxxxxx> wrote in message
news:1156755102.716765.322500@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Would this then mean that if for whatever reason a
OU/domain/site-linked GPO isn't applied that the local computer policy
would be enforced?


When I stated
. . . and then finally, at lowest priority (and not able to block
anything from above) the Local policy.
that means local policy cannot be "enforced".
I.e. I am just pointing out that "enforced" is a term loaded with
special meaning for AD GP processing, whereas I think your
comment could have used "effective" and still carry your intent.
"Enforced", which may be set for a domain or OU linked GPO
means that no lower priority AD based GPO can change what
is set in the enforced policy.

To your question, local policy would be effective only if the AD
based policies had never been seen/downloaded to the machine.
Else, current, and lacking ability to obtain that, most recently seen
would be effective.


For example, if a user logged in and pulled the network cable out
during the Group Policy-applying stage (meaning that an
OU/domain/site-linked GPO doesn't apply) would the local policy then be
enforced, and if an OU/domain/site-linked GPO *does* apply then the
local policy isn't enforced?

Thanks,

Joshua Morgan

Roger Abell [MVP] wrote:
Setting is the local policy have the lowest priority and would only take
effect if there were no conflicts with GPO based settings.
The order of priority, not considering use of "no override"/"enforced" or
of "blocked inheritance", is GPOs linked to the Site, Domain, OU, nearer
nested OUs and then finally, at lowest priority (and not able to block
anything from above) the Local policy.

"Gunna" <gunna@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23tFnd3NyGHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
I have a XP machine that has its default local policy set after being
built.
I have added this to a domain which I use group policies to sewt
various
options etc. How do these 2 react when the settings on the local
policy
and
the matching setting on the domain gp conflict? Which get priority or
is
there a way I can set this?





.

Relevant Pages

  • Re: Possible Bad Question
    ... > question states that the Local Policy locks her out after 3 attempts ... > the DDC GPO, wouldn't the Domain policy OVERRIDE the Local policy? ... >> the DDC GPO settings not DD GPO settings. ...
    (microsoft.public.cert.exam.mcsa)
  • Re: Possible Bad Question
    ... > question states that the Local Policy locks her out after 3 attempts ... > the DDC GPO, wouldn't the Domain policy OVERRIDE the Local policy? ... >> the DDC GPO settings not DD GPO settings. ...
    (microsoft.public.cert.exam.mcse)
  • Re: Prevent logons other than PC owner?
    ... log on rights in local policy rather than by GPO. ... limiting all accounts without fail). ... >> In a domain Users includes Domain Users, ...
    (microsoft.public.windows.server.security)
  • Re: no GPO how ?
    ... GPOs lower in the list have higher priority, i.e. their settings ... you cannot filter a local policy with security groups. ... gpo, etc In another words, our GPO is grey out. ...
    (microsoft.public.windows.terminal_services)
  • Re: Deploy a local policy
    ... Get a GPO defined and linked to your OU and write of its ... by being innovative or by visiting 600 machines. ... being controlled by AD based GPO policy settings. ... > I need to change the local policy of all my computers in my domain. ...
    (microsoft.public.win2000.security)