GPO vs Application

What takes presedence in the event the Group Policy Object is configured one way and a Windows end user application is set a different.  

For example:
With in the Windows Settings/Security Settings/Security Options  the policy is configured to Smart Card Removal Behavior = Lock Workstation.

However

The Smart Card Middleware that resides on the desktop is is configured to Card Removal Behavior= Logoff

Does the GPO take presedence?
ebetancourthAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

aissimCommented:
Yes, the GPO should win out.

Policies are processed in the order of Local, Site, Domain, OU  (LSDOU) - any conflicting settings will be decided by the policy that processes last. So local will always lose out if it's configured elsewhere in the domain.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
LauraEHunterMVPCommented:
I've not seen that specific scenario in action, but my bet would be that:

[a] The middleware would set the item in question
[b] GPO would overwrite the setting the next time it refreshes - every 90-is minutes on a member server or workstation

I'd have to mock something up in a test lab to confirm, but my hip shot is that you will wind up with non-deterministic behavior if you stay in that configuration.
0
LauraEHunterMVPCommented:
Sorry, aissim is correct.  I was thinking of a configuration item in some kind of Tools-->Options screen, not having the middleware configure that setting in local GPO.  domain-based GPO will always win out over local GP, as aissim indicates.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.