
At work, my computer (Windows 10) is part of a local domain.

I added a few local group policies, and after noticing they were not being applied, I ran gpresult /H gp_report.html and it returned:

INFO: The user does not have RSoP data.

After running gpupdate /force I found that the file at \\[domainname.local]\sysvol\[domainname.local]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini was corrupt because of a ransomware attack a while ago.

For the time being I replaced the file with a clean copy, and after gpupdate /force my policies are working. But I'm wondering whether and how I can disable the domain policies, so that only local policies are applied, while still having my PC connected to the domain.

I installed Remote Server Administration Tools in order to attempt the process outlined here (disable Group Policy object inheritance), but upon launching gpmc.msc I get an error stating:

The specified domain either does not exist or could not be contacted.

I can click "Choose a different domain controller" and two domain controllers are listed, but selecting either of them loads an empty tree.

group policy management - screenshot

Also tried Set-GPinheritance -Target "dc=[domainname.local]" -IsBlocked Yes according to this reference but it returns:

Set-GPinheritance : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)


[TL;DR] Currently at a loss. I want to disable the inherited group policies while still being connected to the domain. But my attempts have so far failed. Can it be done?

Note: For answers, please assume that any local policy will not work (as if I had not fixed the domain server policies).

Thanks.

Marc.2377
  • *You should be able to configure any local policy that isn't configured at the domain.* However, any policy enforced by the domain, cannot be overridden by a local policy. It does not make sense to enforce only local policies if you are connected to a domain which has policy enforcement enabled. – Ramhound Jan 15 '19 at 17:51
  • @marsh-wiggle still no good, same error. I did manage to change the error message by passing `-Server "[servername]"`. Now it returns _"A referral was returned from the server. (Exception from HRESULT: 0x8007202B)"_. – Marc.2377 Jan 15 '19 at 19:16

3 Answers


You can disable background refresh through gpedit.msc: Computer Configuration -> Administrative Templates -> System -> Group Policy. Set "Turn off background refresh of Group Policy" to Enabled.

Also, you can clear items from the Policies folders under HKCU/HKLM\Software\Policies and HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Policies, and set permissions on those keys to 'Read' for any accounts listed with more than that.
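The two steps above, done from an elevated PowerShell prompt, as an added example that is not code from this answer. It exports each Policies key before clearing it, so the cached domain settings can be put back with `reg import` once the domain is repaired, and it supports -WhatIf so you can see what would be deleted first. The value name DisableBkGndGroupPolicy is the registry setting behind the "Turn off background refresh of Group Policy" policy; the function name and backup location are this example's own choices.

```powershell
function Disable-DomainPolicyLocally {
    # Added example, not code from the answer above. Implements the two steps
    # the answer describes (clear the cached Policies keys; turn off background
    # refresh) with a backup first. Assumes an elevated prompt; HKCU here is the
    # hive of the account running that prompt.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$BackupDir = (Join-Path $env:USERPROFILE ('PolicyBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss')))
    )
    $ErrorActionPreference = 'Stop'
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # reg.exe path (for export) and provider path (for Remove-Item) of each key.
    $policyKeys = @(
        @{ Reg = 'HKLM\SOFTWARE\Policies';                                  Ps = 'HKLM:\SOFTWARE\Policies' },
        @{ Reg = 'HKCU\SOFTWARE\Policies';                                  Ps = 'HKCU:\SOFTWARE\Policies' },
        @{ Reg = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'; Ps = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies' },
        @{ Reg = 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'; Ps = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies' }
    )

    foreach ($k in $policyKeys) {
        if (-not (Test-Path $k.Ps)) { continue }
        # 1. Export before touching anything; `reg import <file>` restores it.
        $file = Join-Path $BackupDir (($k.Reg -replace '\\', '_') + '.reg')
        & reg.exe export $k.Reg $file /y | Out-Null
        # 2. Remove the subkeys (the per-component policy settings) but keep the
        #    parent key, which some components expect to exist.
        Get-ChildItem -Path $k.Ps | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove policy subkey')) {
                Remove-Item -Path $_.PSPath -Recurse -Force
            }
        }
    }

    # 3. Write the value behind "Turn off background refresh of Group Policy"
    #    (Computer Configuration -> Administrative Templates -> System -> Group
    #    Policy). Done after the clearing so step 2 does not wipe it again.
    $sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($PSCmdlet.ShouldProcess($sysKey, 'Set DisableBkGndGroupPolicy=1')) {
        if (-not (Test-Path $sysKey)) { New-Item -Path $sysKey -Force | Out-Null }
        Set-ItemProperty -Path $sysKey -Name 'DisableBkGndGroupPolicy' -Value 1 -Type DWord
    }

    # 4. Show who can write each key. SYSTEM and Administrators normally hold
    #    Full Control, and the Group Policy client runs as SYSTEM, so tightening
    #    these ACLs as the answer suggests only delays the domain settings coming back.
    foreach ($k in $policyKeys) {
        if (-not (Test-Path $k.Ps)) { continue }
        Write-Host "`nACL for $($k.Reg)"
        (Get-Acl -Path $k.Ps).Access |
            Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
    }
    Write-Host "`nBackups in $BackupDir (restore with: reg import <file>)"
}

# Dry run first (prints what would be removed), then for real:
Disable-DomainPolicyLocally -WhatIf
# Disable-DomainPolicyLocally
```

Keep in mind that the machine is still domain-joined: a reboot or a manual gpupdate re-applies whatever the domain controller serves, and the registry ACL change is only a speed bump for a client running as SYSTEM. Tell the domain admin what was changed so it can be reverted from the backup.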


You seem to have another problem: your default domain policy seems broken if your console is empty, and you will have to reset your GPO. Got a backup? (Or are you not a domain admin?)

dcgpofix /ignoreschema /target:Domain

The default domain policy is enabled by default for all computer objects, but it sets only password options and such.

Blocking the inheritance from an OU is the valid way to do it, so I think you have corruption in your SYSVOL Policies folder.

yagmoth555
  • Thanks. I'm not the domain admin; he is currently on vacation and won't be around for another week. The domain server is indeed faulty, thus I was left wondering if I can remove the link so that my local policies will work. – Marc.2377 Jan 15 '19 at 20:06
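Before resetting a GPO with dcgpofix (which rebuilds the Default Domain Policy with default settings and needs domain admin rights), it is worth confirming that the SYSVOL copy is in fact out of step with Active Directory. The check below is an added example, not code from this answer. It reads the AD-side version of the GPO with Get-GPO and parses the gpt.ini in SYSVOL itself; gpt.ini carries one combined Version number, user version in the high 16 bits and computer version in the low 16 bits. The domain name, DC name and function name are placeholders; the GUID is the well-known one for the Default Domain Policy that the question already names.

```powershell
# Added example, not part of the answer above. Assumes the RSAT GroupPolicy
# module and read access to SYSVOL; $Domain and $Server are placeholders.
Import-Module GroupPolicy

$Domain = 'domainname.local'          # placeholder
$Server = 'dc01.domainname.local'     # placeholder; -Server avoids the
                                      # "domain could not be contacted" error
$DefaultDomainPolicyId = '31B2F340-016D-11D2-945F-00C04FB984F9'  # well-known GUID

function Test-GpoSysvolConsistency {
    param([string]$Guid, [string]$Domain, [string]$Server)

    # AD side: the versions the DC believes are current (Get-GPO's own
    # SysvolVersion fields are read from the same gpt.ini we parse below).
    $gpo = Get-GPO -Guid $Guid -Domain $Domain -Server $Server
    $adVersion = ([uint32]$gpo.User.DSVersion -shl 16) -bor [uint32]$gpo.Computer.DSVersion

    # SYSVOL side: a healthy gpt.ini is a small INI file with a [General]
    # section and a Version=<integer> line.
    $gptIni = "\\$Server\SYSVOL\$Domain\Policies\{$Guid}\gpt.ini"
    if (-not (Test-Path $gptIni)) {
        return [pscustomobject]@{ Gpo = $gpo.DisplayName; State = 'gpt.ini missing'; AdVersion = $adVersion; SysvolVersion = $null }
    }
    $text = Get-Content -Path $gptIni -Raw
    $hasGeneral = $text -match '(?im)^\s*\[General\]'
    $hasVersion = $text -match '(?im)^\s*Version\s*=\s*(\d+)\s*$'
    if (-not ($hasGeneral -and $hasVersion)) {
        return [pscustomobject]@{ Gpo = $gpo.DisplayName; State = 'gpt.ini unparsable (corrupt?)'; AdVersion = $adVersion; SysvolVersion = $null }
    }
    $sysvolVersion = [uint32]$Matches[1]

    [pscustomobject]@{
        Gpo             = $gpo.DisplayName
        State           = if ($sysvolVersion -eq $adVersion) { 'consistent' } else { 'version mismatch' }
        AdVersion       = $adVersion
        SysvolVersion   = $sysvolVersion
        UserVersion     = $sysvolVersion -shr 16
        ComputerVersion = $sysvolVersion -band 0xFFFF
    }
}

# The policy the question found damaged:
Test-GpoSysvolConsistency -Guid $DefaultDomainPolicyId -Domain $Domain -Server $Server | Format-List

# The same check over every GPO, to see whether the damage stops at the
# Default Domain Policy or the whole Policies folder was hit:
Get-GPO -All -Domain $Domain -Server $Server |
    ForEach-Object { Test-GpoSysvolConsistency -Guid $_.Id -Domain $Domain -Server $Server } |
    Format-Table Gpo, State, AdVersion, SysvolVersion -AutoSize
```

If only gpt.ini is missing or unparsable while the rest of the GPO folder is intact, restoring that one file from another DC or from a backup (what the question's author did) is far less invasive than dcgpofix; a version mismatch across many GPOs points at SYSVOL replication or a wider ransomware hit and is the domain admin's problem to solve.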

I found that passing the -Server parameter to the powershell cmdlet makes it work. However, running Set-GPinheritance -Target "dc=[domainname.local]" -IsBlocked Yes didn't fix my broken local policy issue.

So I took the steps listed below from PowerShell as admin:

(Get-GPInheritance -Target "dc=[domainname],dc=local" -Server "[servername]").GpoLinks | ForEach-Object { $_ }

This will return a list like the following:

screenshot from powershell showing list of group policy links

Take note of the GpoId property. Now run:

Set-GPLink -Guid "[GpoId from previous step]" -Target "dc=[domainname],dc=local" -LinkEnabled No -Server "[servername]"

After that, running gpupdate.exe /force works correctly.


Marc.2377
  • Blocking inheritance at the top level of the domain won't do anything, since there's nothing higher up to be blocked. You'd have to block it on the OU your machine is in. – Harry Johnston Jan 16 '19 at 02:03
  • @HarryJohnston I don't follow. In any case, the idea was to configure my local machine not to inherit any policy from the domain controller (because the DC's policies are broken). The steps I listed above worked; the inheritance is now shown as `Enabled: False` and my local policies are working. Have I done anything wrong? – Marc.2377 Apr 22 '19 at 23:57
  • If I'm following the steps in your answer correctly, you've disabled all the group policy links in the domain, which will certainly stop the group policy from taking effect. Note however that this change affects all machines in the domain, not just your machine. My comment was trying to explain why your first attempt (using Set-GPInheritance) didn't work. You seem confused about inheritance; a machine doesn't "inherit" policies from the domain, policies are inherited between OUs. – Harry Johnston Apr 23 '19 at 01:14
  • ... blocking inheritance on an OU only affects policies that are from higher up in the tree, it doesn't affect the policies linked to that OU. At the top level of the domain, there are no policies from higher up in the tree, so blocking inheritance does nothing. – Harry Johnston Apr 23 '19 at 01:26
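The comments above make a scope point that the answer's steps do not show: a link disabled at the domain root with Set-GPLink is disabled for every computer and user in the domain, and blocking inheritance at the root blocks nothing because nothing sits above it. The script below is an added example, not code from the answer or the comments. It finds the OU this computer lives in, lists the links at the root and at that OU, counts the enforced root links that a block at the OU would not stop, and only then disables one link, looked up by display name and gated behind -WhatIf. The DC name, domain DN and function names are placeholders of this example.

```powershell
# Added example; not code from the answer or the comments above.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules, an account allowed
# to edit GPO links, and the placeholder names below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Server   = 'dc01.domainname.local'   # placeholder DC; -Server avoids the
                                      # "domain could not be contacted" error
$DomainDn = 'dc=domainname,dc=local'  # placeholder domain root

# The OU this computer sits in: its DN minus the leading "CN=<name>," part
# (assumes no escaped commas in the computer's CN).
function Get-ComputerOuDn {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $c = Get-ADComputer -Identity $ComputerName -Server $Server
    ($c.DistinguishedName -split ',', 2)[1]
}

# Links at a container, with the flags that decide whether blocking would help.
function Show-GpoLinks {
    param([string]$Target)
    $inh = Get-GPInheritance -Target $Target -Server $Server
    Write-Host "`n$Target  (GpoInheritanceBlocked = $($inh.GpoInheritanceBlocked))"
    $inh.GpoLinks |
        Select-Object Order, DisplayName, GpoId, Enabled, Enforced |
        Format-Table -AutoSize
}

# Disable one link by display name instead of pasting a GUID. The link is
# shared by every object under $Target, so at the domain root this is a
# domain-wide change; -WhatIf shows it without making it.
function Disable-GpoLinkByName {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Target, [string]$DisplayName)
    $link = (Get-GPInheritance -Target $Target -Server $Server).GpoLinks |
        Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $link) { throw "No link named '$DisplayName' at $Target" }
    if ($link.Enforced) {
        Write-Warning "'$DisplayName' is enforced: blocking inheritance below $Target would not stop it"
    }
    if ($PSCmdlet.ShouldProcess("$DisplayName at $Target", 'Disable GPO link')) {
        Set-GPLink -Guid $link.GpoId -Target $Target -LinkEnabled No -Server $Server
    }
}

$ouDn = Get-ComputerOuDn
Show-GpoLinks -Target $DomainDn   # applies to everything in the domain
Show-GpoLinks -Target $ouDn       # applies only to members of this OU

# Blocking inheritance (Set-GPInheritance -IsBlocked Yes) only makes sense
# below the root, and it never stops enforced links coming from above:
$rootLinks = (Get-GPInheritance -Target $DomainDn -Server $Server).GpoLinks
Write-Host ("`nRoot links that would survive a block on {0}: {1}" -f $ouDn,
    @($rootLinks | Where-Object { $_.Enforced }).Count)

# Dry run of the narrow change; drop -WhatIf to apply it.
Disable-GpoLinkByName -Target $DomainDn -DisplayName 'Default Domain Policy' -WhatIf
```

Whichever change is made, confirm on the client afterwards with `gpupdate /force` followed by `gpresult /r /scope:computer`, which lists the GPOs actually applied and which ones were filtered out. If the aim is really "this machine only", the honest option is to move the computer into its own OU and block inheritance there, which the domain admin can do when they are back.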