0

Do local group policies apply to active directory users? Can you force the local policies (or registry keys) to apply to a domain user that has yet to long on to a machine without the use of the AD GPO? Is there a programmatic way to do this?

ztnd13
  • 13
  • 1
  • 4

3 Answers3

2

The simple answer is yes, local policies apply to all users on the machine. You should review the Microsoft Group Policy precedence carefully to understand how policies are applied.

With that said, there's rarely a good argument for using Local Group Policies in a domain environment.

Dan
  • 15,430
  • 1
  • 36
  • 67
  • I understand this. But we are managing the computers themselves. We have no control over the domain, so it's imperative that we force the local settings upon any user logging into the machine. – ztnd13 Nov 03 '16 at 13:27
  • "How do I make a manual transmission car shift automatically?" You don't. – longneck Nov 03 '16 at 15:25
  • Additionally group polices are applied every 90 minutes in the default configuration (See here: [Group Policy refresh interval for computers](https://technet.microsoft.com/en-us/library/cc940895.aspx) ) so even if you could force/manipulate local policies they could be overwritten again. – John K. N. Nov 10 '16 at 12:14
1

Domain Group Policies and Local Group Policies applied to computer in domain and to user in domain in following order:

  1. Local Computer Policy (low priority)

  2. Domain Group Policy (middle priority)

  3. Organization unit Domain Group Policy (strong priority)

For example: if you set some option in "1" and this option isn't set in "2" and "3" - this option will be applied to your computer.

But if you set some option in "1" and this option has already set in "2" or "3". Your option will overrided and "2" or "3" will be applied.

P.S. "3" will override "2" and "1" as well.

To check what parameters that your computer applied from domain your can press Win+R ("Run") and execute following command: rsop.msc

Vitalii Nesterenko
  • 26
  • 2
-3

By default, local group policies will (decide if they) win over the AD group policy, but be aware that AD group policy can be configured to win if it sets 

Computer Config>Admin Templates>System>Group Policy>Configure user Group Policy loopback processing mode

to disabled.

SoulkeepHL
  • 1
  • 1