General discussion

Group Policy

By KingOfTheNerds
Hi All,

I just wanted to know how I can make a Windows 2003 domain policy apply to workstations' local user accounts.

E.g. I have set a rule on the domain controller that doesn't allow users to see the C: drive. But when I log in locally on a client machine under administrator I can still see the C: drive even though the local group policy has the option 'not configured'.

How can I make the domain policy override the local policy?

by dw_ay In reply to Group Policy

Hi,
A domain policy applies to all computers or users who log on to the domain, not to those who log on locally. Locally, you should configure the appropriate local policy. If you only want to prohibit a drive for a specific user, use the NTFS security permissions on that drive.

by dw_ay In reply to

By default the domain GPO is used first, and in the properties of the domain GPO you can set No Override; this setting will prevent another policy from overriding the domain GPO.

by dw_ay In reply to

Actually there are still many security methods, not only GPO; physical security for sure, and a good practice is not to log on as administrator or a member of its group if it is not required. Account policies like password complexity and lockout in a domain will be applied uniformly and can't be overwritten by any other GPO like an OU or local GPO (as long as the computer/users are in the domain). By default the hierarchy of GPOs from lower to higher priority (any conflicting rules are resolved by selecting the higher priority) is site, domain, OU, and local, and No Override could be set on these policies, or Block Policy Inheritance on a specific OU. And if I have set up a GPO on the server then it should not be changed on XP; any changes should be made on the server too.

by sgt_shultz In reply to Group Policy

I have no experience whatsoever in this area, but when has that ever stopped me?
Are ANY of the group policy restrictions taking effect? Or some and not others?
One thought is perhaps one should ban administrators from logging on locally? Could this kind of thing be why there is the saying 'no security without physical security'?
And did you see this one:
Group Policy that you edit in Windows XP does not work in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;837166

by John-A In reply to Group Policy

It is not a recommended 'best practice', but if you need to be sure your default domain policy settings are not affected by any later policies, you can right click on it in gpmc and check off ENFORCED. With Enforce on, even a change on the local machine (gpedit.msc) that directly conflicts with the ENFORCED Domain Policy will simply be ignored.
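
One way to audit the Enforced / No Override and Block Policy Inheritance settings the replies mention, as an added example that is not part of the original thread. It assumes a management host with the GroupPolicy and ActiveDirectory PowerShell modules (shipped with GPMC/RSAT on later Windows versions, not Windows 2003 itself) and read access to the domain.

```powershell
# Added example: report where GPO links are Enforced and where inheritance is blocked.
# Assumption: GroupPolicy and ActiveDirectory modules are installed (GPMC/RSAT).
Import-Module GroupPolicy, ActiveDirectory

# Containers a GPO can be linked to in this report: the domain root plus every OU.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) +
    @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$links   = @()   # links set directly on each container
$blocked = @()   # OUs with Block Inheritance, and what still reaches them

foreach ($dn in $targets) {
    $inh = Get-GPInheritance -Target $dn

    foreach ($link in $inh.GpoLinks) {
        $links += [pscustomobject]@{
            Container   = $dn
            Gpo         = $link.DisplayName
            Order       = $link.Order
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
        }
    }

    if ($inh.GpoInheritanceBlocked) {
        # Enforced links from parent containers are still applied despite the block.
        $fromAbove = $inh.InheritedGpoLinks |
            Where-Object { $_.Enforced -and $_.Target -ne $dn }
        $blocked += [pscustomobject]@{
            Container            = $dn
            EnforcedFromParents  = ($fromAbove | ForEach-Object { $_.DisplayName }) -join ', '
        }
    }
}

'--- GPO links per container ---'
$links | Sort-Object Container, Order | Format-Table -AutoSize

'--- Containers that block inheritance ---'
$blocked | Format-Table -AutoSize
```

Reviewing the Enforced column periodically shows which links override settings further down the tree, so an unexpected enforced link or a newly blocked OU stands out.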

by KingOfTheNerds In reply to Group Policy

This question was closed by the author
