Local group policies vs. domain group policies

Discussion in 'Active Directory' started by jhardee, Aug 23, 2006.

  1. jhardee

    jhardee Guest

    Let's say I have a computer on the domain and there is a domain policy set to
    not allow me to view the Control Panel ("Prohibit access to the Control
    Panel" is Enabled). I log into the domain, the policy gets applied, and I
    can't view the Control Panel as designed.

    Then I disconnect from the domain and reboot the computer. On my computer,
    my local group policy has a setting to allow me to view the Control Panel
    ("Prohibit access to the Control Panel" is Disabled). Will I be able to see
    the Control Panel when I log in locally?

    Also, what if the domain policy is configured to Enabled but my local policy
    is set to Not Configured?

    In other words, do domain GPOs remain on the computer when the computer is
    not connected to the domain or do the local GPOs get reapplied upon every
    boot? I understand the precedence of GPOs, but not what "sticks around".

    Thanks,
    Jeff
     
    jhardee, Aug 23, 2006
    #1

  2. Hi Jeff,
    If you log on locally then you will be able to see the control panel, even
    if you are connected to the domain. This is because the User Settings GPOs
    in the domain will not apply to local accounts. If you are logging in with
    a domain account while disconnected from the domain then yes the GPO will
    still apply as it is cached locally on the workstation.
    The setting is enabled for domain accounts. Local accounts on the machine
    will not be affected if this is part of the User Settings in Group Policy
    as this will not apply to local users.
    Domain GPOs are cached locally on the machine and will continue to apply
    when disconnected from the network. Naturally any GPOs that rely on a
    resource on the network such as Software installation will fail when off the
    network.

    Hope this helps,

    Brian Delaney
    Microsoft Canada
     
    Brian Delaney [MSFT], Aug 24, 2006
    #2
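
An added example, not part of the original thread: this PowerShell function reports whether the current logon is a local or a domain account and reads the registry value that the "Prohibit access to the Control Panel" user policy sets for the logged-on user, so the cases discussed above can be checked on a given machine. It assumes PowerShell 3.0 or later and Windows Vista or later (for `gpresult /r`); the function name `Get-ControlPanelPolicyState` is made up for this example, and the computer-name comparison is a heuristic.

```powershell
# Added example (not from the thread). Read-only: reports the account type and
# the value of the "Prohibit access to the Control Panel" user policy.
function Get-ControlPanelPolicyState {
    # Name is DOMAIN\user for a domain logon and COMPUTER\user for a local one.
    $name   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $prefix = $name.Split('\')[0]

    # Heuristic (assumption): a prefix equal to the computer name means the
    # account lives in the local account database, not in the domain.
    $isLocal = $prefix -ieq $env:COMPUTERNAME

    # Per-user registry location this policy writes to.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name 'NoControlPanel' -ErrorAction SilentlyContinue
    $raw  = if ($item) { $item.NoControlPanel } else { $null }

    $state = if ($null -eq $raw) {
        'Not set for this user'
    } elseif ($raw -eq 1) {
        'Control Panel prohibited'
    } else {
        'Control Panel allowed'
    }

    [pscustomobject]@{
        Account        = $name
        IsLocalAccount = $isLocal
        NoControlPanel = $raw
        Effective      = $state
    }
}

Get-ControlPanelPolicyState | Format-List

# List the GPOs that were applied to this user at the last policy refresh.
gpresult /scope user /r
```

Run it once as a domain account (online or offline) and once as a local account on the same machine to compare the two results.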