I want to enforce local GPO settings on specific servers so that the domain GPO does not overwrite them. These systems were hardened specifically, but due to way too many issues to list, we cannot change the OU they are in, and cannot change the domain GPO at this time.

Is there any way to ensure that the changes made to the local GPO are not overwritten?

appsecguy
  • If this were possible, then almost anybody could override domain security and make a complete security nightmare of your corporate network. I certainly hope to find out that this isn't possible. – Michael Hampton Jul 08 '15 at 02:22
  • To clarify - is there a way, from the domain, to change the priority for a specific system without having to change the OU? So you would need to be a Domain Admin anyway in order to set that priority order. – appsecguy Jul 08 '15 at 02:27
  • What do you mean `change the priority for a specific system`? Priority of what? – joeqwerty Jul 08 '15 at 02:35
  • I would suggest that you create an AD group that contains all the systems you are talking about. Then make a domain-based GPO and assign this to the OU and scope it to the created group of computers (security filtering). – ZEDA-NL Jul 08 '15 at 10:16

2 Answers

1

Yes, you can set the policies in a Domain GPO and make it enforced. Then use GPO masking - add all the servers in question to a group & only allow that group read access to the new GPO.

This assumes they are all Computer settings, if you need User settings to get applied you may want to look at using a loopback.

TheFiddlerWins
0

  1. Create a new group in AD.
  2. Add those servers to the newly created group.
  3. In the security tab of the domain GPO, set read permissions to "deny" for the newly created group.
strange walker
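The following PowerShell is an added worked example of the approach described in ZEDA-NL's comment and the first answer (a dedicated computer group, a new GPO linked to the existing OU, enforced, and security-filtered to that group); it is not code posted by either answerer. The domain name, OU path, group name, GPO name and server names are placeholders, and it assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed and the account running it may create groups and edit GPOs.

```powershell
# Added example, not from the answers above: scope an enforced domain GPO to a
# group of hardened servers using the ActiveDirectory and GroupPolicy modules.
# Assumptions (placeholders, not values from the page):
#   - the hardened servers live in OU=Servers,DC=corp,DC=example
#   - group name "GPO-HardenedServers", GPO name "Hardened Server Baseline"
#   - the names in $HardenedServers are constructed sample data
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ServersOU       = 'OU=Servers,DC=corp,DC=example'
$GroupName       = 'GPO-HardenedServers'
$GpoName         = 'Hardened Server Baseline'
$HardenedServers = @('SRV-APP01', 'SRV-APP02')   # constructed sample names

# 1. Create the security group and add the computer objects to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $ServersOU -Description 'Computers that receive the hardened baseline GPO'
}
foreach ($Server in $HardenedServers) {
    # Look the computer object up first; Add-ADGroupMember then accepts it directly.
    $Computer = Get-ADComputer -Identity $Server
    Add-ADGroupMember -Identity $GroupName -Members $Computer
}

# 2. Create the GPO (its settings are authored afterwards in GPMC or with
#    Set-GPRegistryValue) and link it to the servers' OU. An enforced link wins
#    over conflicting settings from GPOs linked higher up, which is what the
#    first answer relies on; the local policy alone can never outrank a domain GPO.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $ServersOU -Enforced Yes -ErrorAction SilentlyContinue | Out-Null
Set-GPLink -Name $GpoName -Target $ServersOU -Enforced Yes | Out-Null

# 3. Security filtering: the group gets Read + Apply, and Authenticated Users
#    loses its default Apply right, so the other computers in the OU are unaffected.
#    GpoApply includes Read, so the member servers can still read the GPO even
#    if it later carries User settings applied through loopback.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# 4. Verify the resulting ACL. Computer group membership is evaluated at startup,
#    so on a member server run "gpupdate /force", reboot, then check that the GPO
#    is listed under "Applied Group Policy Objects" in "gpresult /r /scope computer".
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission
```

Set-GPPermission only writes Allow entries, so the second answer's variant (a Deny Read entry for the group on the existing domain GPO) has to be set in GPMC under the GPO's Delegation tab via Advanced, and it does mean editing the domain GPO, which the question rules out. When troubleshooting either variant, `gpresult /r` reports a GPO excluded this way as "Filtering: Denied (Security)", which is the first place to look if the hardened settings do not show up.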