"schmultzburger" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> So, a user with local admin rights can block ALL GPOs or just certain ones
> or can they "pick and choose"? And keep their machine on the domain?
>
> At the risk of sounding like I'm trying to get away with something, how is
> this done? Better yet, is there any way to block it short of removing
> local admin rights?
>
> Affecting certain settings post-GP an not having them reapply until
> restart/reboot makes sense, thanks.
>
> Thanks for the quick response,
> S-
>
If you give out local admin then all bets are off as to the state of
the machine and how it gets changed over time. Whether one can
change locally from a GPO defined settings depends on the settings.
For example, those that only set registry keys can be fooled with
by a direct edit of those key values. Just how to break all policy
application depends on the OS version to some extent, and becomes
quite different with Vista. In some configs just disabling the Help
and Support service has been seen to interrupt all AD base GP
from being applied. When one has tromped on a value set from
GP, just how long that will last depends on whether the settings
is a security extension setting or not, since security policies are
reapplied periodically whether they have been seen as changed
or not, whereas others can exist in their changed state for a very
long time if the GPOs carrying them are left unchanged.
> Roger Abell [MVP] wrote:
>> You cannot "enforce" local policy. AD delivered policy
>> always overrules what may be set in local policy.
>> Someone that has admin access to a machine can however
>> prevent all policy from being applied. Also, since much of
>> policy is applied when it is seen as having changed, settings
>> that only get reapplied in that fashion can be changed directly
>> if there is an available method to do so and those changes
>> will remain effective until the policy settings are reapplied.
>>
>> Roger
>>
>> "schmultzburger" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> I was told once by a naysayer that GP was worthless as long as a domain
>>> user had local admin rights because they could get around any settings.
>>> Other than removing a computer from the domain, the only way I can think
>>> of that this might be possible is by setting a LP that is counter to the
>>> GP settings and somehow enforcing the LP. I haven't found anything to
>>> either confirm or deny that this is possible. What I do read though is
>>> that LSD-OU applies with later policy settings overriding earlier ones,
>>> except for enforced settings. That says to me that IF you can enforce
>>> LP, it can always override GP. Can anyone here speak to this?
>>>
>>> TIA
>>>
>>> S-
>>
>>
>
>
|
Similar Threads
