Local and Group Policy

[sunil5]

Hi all,

Currently we have the need to implement both local and domain level policies. My question is, does the local policy on a machine override the domain policy? I thought by setting the domain level one to 'No Override' would prevent this but no joy there(?)

I tried doing searches on the internet for this- but most sites always describe the priority on domain policies (site, domain, OU etc).

Any help on how to override the local policy when a user logs on to the domain would be much appreciated. I always thought 'as standard' that domain level would take precedence over local.

Thanks,

Sunil

 

[basspro]

Domain policies override local policies.
The order of application is local, site, domain, OU, sub-OU.

 

[sunil5]

Yeah that's what i thought too- but ive just been playing with local/group policies and found that the policies are cumulative...

It wasn't clear to me before about domain policies overriding local ones... what I thought was that if a user logs on to computer on a domain- the domain level policy would override all local ones- i.e. if local policy has for example 10 restrictions and the domain has none at all- then user logged onto the domain should not have ANY restrictions. This is (as a lot of you already know)not the case; in order for domain policy to 'override' the local, one would have to disable the domain level policy which corresponds to the local one.

I performed the rsop.msc command to check the resultant policy settings- which revealed a combination of both local and domain level policies- even though the user is logged on to the domain and not locally.

Final thought.. local policies cannot be overriden??


Sunil

 

[SmittyNMCI]

Actually they can, at least for a short period of time. We sometimes overide domain policies by changing the local policy which allow us to perform some tasks until the domain policy kicks in again which is usually set by time. Domain policies can be set to update periodically or when a user logs off then on again. In between these times, the local policy can be changed otherwise the domain policy takes effect.

Jeffery Smith (Smitty)
PEC Solutions Inc.
BS - Computer Application & Networking
A+ Network+ MCSA MCSE

 

[sunil5]

But can they be overriden in the context that I talk about?

They I way I see it.. Local Policies should ONLY be in effect when you log on locally to the machine and domain level when you log on the domain (!)

Is it just me who thinks like this??

Thanks for the replies

 

[mrmoneymatters]

sunil5, local policies are not just for when you are logging on locally. GPOs are set at the ou, domain, and site level to effect many or at least multiple people or machines. Local policies are to affect just that machine, usually in high security areas or just unusual circumstances.

 

[mrmoneymatters]

not just for logging on locally" I should have said they affect the computer regardless of logging on to local machine or domain. It is computer specific.

 

[SmittyNMCI]

In a nutshell, if a machine is joined to a domain, the domain policy holds regardless of who is logged in or where. Login does not matter in this case so a locally logged on user will have the same policy applied as a remotely logged on person. Basically, mrmoneymatters is correct in that policies apply to the machine, not the user.

Jeffery Smith (Smitty)
PEC Solutions Inc.
BS - Computer Application & Networking
A+ Network+ MCSA MCSE