Re: Exempting a Computer from Application of Group Policy?!
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/06/04
Date: Tue, 06 Apr 2004 21:16:11 GMT
User configuration for Group Policy will not apply to local accounts, so if a user
with local admin credentials creates a local admin account for themselves, then if
they log on with that account they will not have user configuration applied to them.

Computer configuration for Group Policy will apply regardless of whether a domain or
local user logs on to the computer UNLESS the local administrator removes the machine
from the domain. He could do that and then later add it back to the domain up to ten
times by default unless the authenticated users group has been removed from the add
workstations to the domain user right for Domain Controller Security Policy. A local
admin could also remove a machine from the domain and leave it in its own workgroup
and still be able to access resources while avoiding Group Policy from the domain by
logging onto the local machine with an account that exists in the AD domain, as long
as the password is correct, assuming that no IPsec policies are enabled to require
access to domain resources.

--- Steve
"David" <anonymous@discussions.microsoft.com> wrote in message
news:1095A58C-72D2-4C6A-9278-6DFADE39BF5B@microsoft.com...
> Can someone with local Admin rights prevent Domain Group Policy from being applied
> to their Computer?
>
> How?
>
> Thanks.
>
>
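
Added example, not part of Steve's post or the thread: a PowerShell check of the two settings the reply says control whether a machine can be added back to the domain by an ordinary user. The function name Get-DomainJoinExposure and the sample export are constructed for illustration; it assumes the text comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS` on a domain controller, and that the quota value is the domain's `ms-DS-MachineAccountQuota` attribute (the source of the default of ten).

```powershell
# Constructed sample of a USER_RIGHTS export; not taken from any real system.
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Well-known SIDs that cover every ordinary domain user.
$broadSids = @{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-1-0' = 'Everyone' }

function Get-DomainJoinExposure {
    param(
        [Parameter(Mandatory)][string]$SeceditText,      # USER_RIGHTS export text
        [Parameter(Mandatory)][int]$MachineAccountQuota  # ms-DS-MachineAccountQuota
    )
    $holders = @()
    foreach ($line in $SeceditText -split "`r?`n") {
        # SeMachineAccountPrivilege is the "Add workstations to domain" user right.
        if ($line -match '^\s*SeMachineAccountPrivilege\s*=\s*(.*)$') {
            $holders = @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $broad = @($holders | Where-Object { $broadSids.ContainsKey($_) })
    [pscustomobject]@{
        Holders      = $holders
        BroadHolders = @($broad | ForEach-Object { $broadSids[$_] })
        Quota        = $MachineAccountQuota
        # Open when any ordinary user holds the right and the quota is non-zero.
        RejoinOpen   = ($broad.Count -gt 0) -and ($MachineAccountQuota -gt 0)
    }
}

# Default state described in the post: right granted, quota of ten.
Get-DomainJoinExposure -SeceditText $sampleExport -MachineAccountQuota 10

# Hardened state: Authenticated Users removed from the right (constructed).
$hardened = $sampleExport -replace '(?m)^SeMachineAccountPrivilege.*$',
    'SeMachineAccountPrivilege = *S-1-5-32-544'
Get-DomainJoinExposure -SeceditText $hardened -MachineAccountQuota 10
```

On a live domain controller the quota can be read with `Get-ADObject (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota'` from the ActiveDirectory module.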