1

Will group policy configurations applied locally through gpedit override domain GPOs until next GPO refresh interval?

I know that Domain GPOs take precedence over locally defined GPOs (gpedit), since both of these are applied when the user logs in.

However, will local policy changes through gpedit override domain GPOs until they are refreshed next time?

The refresh rate is controlled through the group policy:

Computer Configuration > Administrative Templates > System > Group Policy: Turn off background refresh of Group Policy

Furthermore, is it possible to permanently disable the automatic refreshing of GPOs? I can only find a setting that disables it until the user logs off.

Shuzheng

2 Answers

0

The short answer is "No". The reason for this is due to how the Group Policy order of precedence works. Local policy has the lowest precedence and therefore will be overridden by any settings configured in domain policies applied later.

With that said, anyone with local admin rights can override individual Group Policy settings via the registry. The setting will get put back each time policy processing occurs, but the damage is already done. This is why you must limit who you give local administrator privileges to and audit changes to critical areas of the registry. It's even possible for non-admin users to override user policy settings.

While it may be possible to disable domain GPO processing, I would not recommend or discuss it here. This puts the domain computer into an unhealthy state and would be extremely irresponsible. Any issues with domain policy should be handled at the domain level.

twconnell
  • But if domain policies have already been applied, why don't edits using `gpedit` override the domain policies? Is it because Windows checks that the policy to be overridden came earlier from the domain? – Shuzheng Feb 22 '20 at 12:06
  • The key factor in either situation (registry or gpedit) is having local admin access on the host. Anyone with this level of access can override domain policy settings. The Group Policy editor GUI may 'disable' editing of settings already set by domain policy, but there are ways around that. It is unclear what the problem is you are trying to solve. If you don't want users bypassing domain policy, then do not give them admin access, and monitor for those who try to elevate their rights. – twconnell Feb 23 '20 at 13:13
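
One way to do the registry auditing recommended in the answer above, as an added example that is not part of the original thread: it puts an audit entry (SACL) on the machine policy hive and then lists who wrote values there. The choice of `HKLM:\SOFTWARE\Policies` as the key to watch and the variable names are assumptions; the subcategory name passed to `auditpol` is the English one.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit writes under the policy hive.
# Assumption: HKLM:\SOFTWARE\Policies is the "critical area" worth watching.
$policyKey = 'HKLM:\SOFTWARE\Policies'

# 1. Enable success auditing for the Registry object-access subcategory.
auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null

# 2. Add a SACL entry: log value writes, subkey creation and deletes by
#    Everyone (well-known SID S-1-1-0), inherited by all subkeys.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$rule     = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $policyKey -Audit   # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $policyKey -AclObject $acl

# 3. Later: read event 4657 (a registry value was modified) and keep only
#    writes under the policy hive, showing the account and process involved.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data |
        ForEach-Object { $d[$_.Name] = $_.'#text' }

    if ($d['ObjectName'] -like '*\SOFTWARE\Policies*') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Process = $d['ProcessName']
            Key     = $d['ObjectName']
            Value   = $d['ObjectValueName']
            Old     = $d['OldValue']
            New     = $d['NewValue']
        }
    }
}
```

Policy processing itself writes to these keys, so those writes show up alongside manual edits and the `User` and `Process` columns are what tell them apart. On domain-joined machines, deploying the audit subcategory and the SACL through a domain GPO keeps a local administrator's changes to them from persisting.
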
-1

No, because if a setting is managed by Group Policy, it will not be configurable in Local Policy.

Greg Askew
  • So, I won’t be able to see that setting in `gpedit`, or what do you mean? Can I change the Group Policy through registry using local administrative privileges? – Shuzheng Feb 18 '20 at 16:06