Re: local gp v's domain based gp



Thanks ;) You summed it up perfectly.

Roger Abell [MVP] wrote:
<joshua.morgan@xxxxxxxxx> wrote in message
news:1156755102.716765.322500@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Would this then mean that if for whatever reason a
OU/domain/site-linked GPO isn't applied that the local computer policy
would be enforced?


When I stated
. . . and then finally, at lowest priority (and not able to block
anything from above) the Local policy.
that means local policy cannot be "enforced".
I.e. I am just pointing out that "enforced" is a term loaded with
special meaning for AD GP processing, whereas I think your
comment could have used "effective" and still carry your intent.
"Enforced", which may be set for a domain or OU linked GPO
means that no lower priority AD based GPO can change what
is set in the enforced policy.

To your question, local policy would be effective only if the AD
based policies had never been seen/downloaded to the machine.
Else, current, and lacking ability to obtain that, most recently seen
would be effective.


For example, if a user logged in and pulled the network cable out
during the Group Policy-applying stage (meaning that an
OU/domain/site-linked GPO doesn't apply) would the local policy then be
enforced, and if an OU/domain/site-linked GPO *does* apply then the
local policy isn't enforced?

Thanks,

Joshua Morgan

Roger Abell [MVP] wrote:
Settings in the local policy have the lowest priority and would only take
effect if there were no conflicts with GPO based settings.
The order of priority, not considering use of "no override"/"enforced" or
of "blocked inheritance", is GPOs linked to the Site, Domain, OU, nearer
nested OUs and then finally, at lowest priority (and not able to block
anything from above) the Local policy.

"Gunna" <gunna@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23tFnd3NyGHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
I have an XP machine that has its default local policy set after being
built. I have added this to a domain which I use group policies to set
various options etc. How do these 2 react when the settings on the local
policy and the matching setting on the domain gp conflict? Which get
priority or is there a way I can set this?
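
The precedence rules discussed in this thread, as an added example (not code from any poster or from Microsoft): a small Python model of how local policy, site/domain/OU links, "enforced" links and blocked inheritance combine into the effective settings. The GPO names, setting names, and the `depth` and `block_at` parameters are constructed for illustration, and the offline branch encodes the thread's statement that the most recently seen AD-based result stays effective.

```python
from dataclasses import dataclass

@dataclass
class Link:
    """One GPO link; depth 0=site, 1=domain, 2+=OUs from outermost to nearest."""
    name: str
    depth: int
    settings: dict
    enforced: bool = False

def resolve(local, links, block_at=None):
    """Return {setting: (value, winning source)} for one computer.

    block_at: depth of an OU with Block Inheritance set (None = not used).
    """
    result = {k: (v, "Local") for k, v in local.items()}  # lowest priority
    ordered = sorted(links, key=lambda l: l.depth)
    # Normal links: applied site -> domain -> OU, so the nearest link wins.
    for link in ordered:
        if link.enforced:
            continue
        if block_at is not None and link.depth < block_at:
            continue  # non-enforced link from above the blocking OU
        result.update({k: (v, link.name) for k, v in link.settings.items()})
    # Enforced links ignore blocking and are applied last, nearest first,
    # so the highest-level enforced link has the final word.
    for link in reversed(ordered):
        if link.enforced:
            result.update({k: (v, link.name) for k, v in link.settings.items()})
    return result

def effective(local, links, cached=None, ad_reachable=True, block_at=None):
    """Offline case as described in the thread: last seen AD result, else local."""
    if ad_reachable:
        return resolve(local, links, block_at)
    if cached is not None:
        return cached  # policy was applied before; it stays in effect
    return {k: (v, "Local") for k, v in local.items()}  # AD policy never seen

# Constructed sample data (setting names are illustrative labels only).
LOCAL = {"MinPasswordLength": 0, "ScreenSaverTimeout": 900, "Wallpaper": "default"}
LINKS = [
    Link("Domain Baseline", 1, {"MinPasswordLength": 12}, enforced=True),
    Link("Workstations OU", 2, {"MinPasswordLength": 8, "ScreenSaverTimeout": 300}),
]

if __name__ == "__main__":
    for setting, (value, source) in resolve(LOCAL, LINKS).items():
        print(f"{setting:20} {value!s:10} from {source}")
```

On a real machine, `gpresult /r` reports which GPOs were actually applied and is the check to compare against this kind of paper model.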






