Hi Guys,

Got a quick question that I am sure someone can answer in
a few seconds. I am looking at using domain security
policy to lock internet explorer to use a local proxy
server so we can monitor web site accesses.

I am looking at using the domain policy for this, but some
of the users have local admin access on their machines so
they can change the local security policy. Which takes
precedence the domain or local?

I am pretty sure it would be the domain to specifically
avoid this issue but wanted to ask before I go down that
route.

Cheers

Ray

Domain policy always take precedence and overrides conflicting local
setting. In your case I would strongly suggest you not to change default
domain policy, but instead create a separate OU for your company and below
OU's for users and computers. Move your computer and user accounts there and
create a separate policy. Changing Default domain policy without knowing
what you are doing is playing with fire and I have seen too many admins
locking themselves out of domain.

Regards
--

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(E-Mail Removed), (E-Mail Removed)


"ray" <(E-Mail Removed)> wrote in message
news:aa1101c3ebd9$8a3beec0$(E-Mail Removed)...
> Hi Guys,
>
> Got a quick question that I am sure someone can answer in
> a few seconds. I am looking at using domain security
> policy to lock internet explorer to use a local proxy
> server so we can monitor web site accesses.
>
> I am looking at using the domain policy for this, but some
> of the users have local admin access on their machines so
> they can change the local security policy. Which takes
> precedence the domain or local?
>
> I am pretty sure it would be the domain to specifically
> avoid this issue but wanted to ask before I go down that
> route.
>
> Cheers
>
> Ray

The domain group policy will override the local policy.

"ray" <(E-Mail Removed)> wrote in message
news:aa1101c3ebd9$8a3beec0$(E-Mail Removed)...
> Hi Guys,
>
> Got a quick question that I am sure someone can answer in
> a few seconds. I am looking at using domain security
> policy to lock internet explorer to use a local proxy
> server so we can monitor web site accesses.
>
> I am looking at using the domain policy for this, but some
> of the users have local admin access on their machines so
> they can change the local security policy. Which takes
> precedence the domain or local?
>
> I am pretty sure it would be the domain to specifically
> avoid this issue but wanted to ask before I go down that
> route.
>
> Cheers
>
> Ray

Hi Matjaz,

Thanks for that advice, doing that as we speak.

Cheers

Ray
>-----Original Message-----
>Domain policy always take precedence and overrides
conflicting local
>setting. In your case I would strongly suggest you not to
change default
>domain policy, but instead create a separate OU for your
company and below
>OU's for users and computers. Move your computer and user
accounts there and
>create a separate policy. Changing Default domain policy
without knowing
>what you are doing is playing with fire and I have seen
too many admins
>locking themselves out of domain.
>
>Regards
>--
>
>Matjaz Ladava, MCSA, MCSE, MCT, MVP
>Microsoft MVP Windows Server - Active Directory
>(E-Mail Removed), (E-Mail Removed)
>
>
>"ray" <(E-Mail Removed)> wrote in
message
>news:aa1101c3ebd9$8a3beec0$(E-Mail Removed)...
>> Hi Guys,
>>
>> Got a quick question that I am sure someone can answer
in
>> a few seconds. I am looking at using domain security
>> policy to lock internet explorer to use a local proxy
>> server so we can monitor web site accesses.
>>
>> I am looking at using the domain policy for this, but
some
>> of the users have local admin access on their machines
so
>> they can change the local security policy. Which takes
>> precedence the domain or local?
>>
>> I am pretty sure it would be the domain to specifically
>> avoid this issue but wanted to ask before I go down that
>> route.
>>
>> Cheers
>>
>> Ray
>
>
>.
>