  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3919
  • Last Modified:

how do I make Group policy override local group policy?

I have mostly Windows XP clients and one management station that I use with Windows Vista Enterprise in a Windows 2003 network environment.

I wanted to prevent a specific user from deleting their browsing history, so I applied the local group policy on her Windows XP machine because the setting for preventing a user from being able to delete their history was not available on the Windows 2003 server.

Then I remembered that my Windows Vista Enterprise system would allow me to set the same delete-browsing-history policy without having to go to the user's system.

I thought group policy was supposed to override local group policy, but after running RSoP from Vista it shows that the user's local group policy was the winning GPO even after making it enforced.

Can someone tell me how I can make the group policy override the local group policy?

Thanks
0
Asked by: clcurri
7 Solutions
 
zelron22Commented:
Group policy overrides local policy on a machine that is a member of a domain, in an OU or container that has a policy applied to it, and the machine is a member of a group that has apply-policy permissions.
0
 
crawforditsCommented:
To disable Local Group Policies processing in Vista, perform the following steps:

1.  Open the Group Policy Management Console from a Vista computer by typing Gpmc.msc in the Search field on the Start menu.
2.  Within the GPMC window, find the Group Policy Object (GPO) that is linked to the Organizational Unit in which the Vista computers are located.
3.  Right-click the GPO and select Edit.
4.  In the GPO Editor window, scroll down to Computer Configuration | Administrative Templates | System | Group Policy.
5.  In the right pane double click the Turn off Local Group Policy objects processing option.
6.  Click Enabled.
7.  Close the GPO Editor.
0
 
nappy_dCommented:
I think it is the other way around. Local policy overrides all other policies.
0
 
clcurriAuthor Commented:
Thanks for the responses.

crawfordits:

It says that the requirements are Windows Vista; the user's system is a Windows XP system. I tried the setting regardless, but it doesn't look like the Windows XP system accepted the setting.

Is there something else I should try?
0
 
snusgubbenCommented:
The group policy processing is done by your DCs. If there is a setting that ain't supported on 2003 it can't apply it. Hence the local policy is set.

1. Local policies are processed first, then
2. forest
3. domain
4. OU
5. Sub OUs
0
 
crawforditsCommented:
Right, each one overriding the previous.
0
 
AmericomCommented:
Group policy settings are applied in the following order:
(Local, Site, Domain, then OU)
Parent OU group policies are applied before child OU group policies. Policies applied later will overwrite policies applied earlier unless the No Override option is enabled on a GPO link.

Not sure what SP level your Windows XP is at; if you don't have SP3, you may want to upgrade to SP3, as some GPOs can only be managed from Vista or Windows 2008 and work only with Windows XP SP3, such as the wired auto-configure GPO. But I can't be sure regarding the browsing history part.
0
 
chrishudson123Commented:
The domain policy always overrides the local policy. In your scenario I hope you just configured local policy and didn't do anything at the Domain/OU level. It looks like there's no policy defined for this purpose at the domain/OU level. Explicitly configure the GPO settings as your requirements need at the Domain/OU level. Do security filtering if needed.
0
 
clcurriAuthor Commented:
So if I can't make my group policy override the local group policy I set on the user's system, is there any way to access their local group policy, or do I have to be at the system either physically or through Remote Desktop in order to access the system's local group policy?

Also, how do I explicitly configure the GPO settings as my requirements need at the Domain/OU level?
0
 
clcurriAuthor Commented:
Okay, if anybody is still helping, I think I figured out part of my problem. Using Remote Desktop I disabled the settings of the "local group/computer policy" to try and make the organizational unit and the GPO I created under that OU work, and it did not work after doing many updates using the free gpupdate software tool from Specops and doing many restarts and updates using Remote Desktop.

I then noticed none of the GPOs I created under any OU ever got applied, but all the GPOs that are located directly under my domain name are being applied.

So there has to be some reason the GPOs created under OUs don't get applied; can someone please assist?

Thanks
0
 
clcurriAuthor Commented:
I'm not sure if this is the way the GPOs are supposed to work, but I created a new GPO right under the site (we only have one) domain.local. And I applied security filtering like chrishudson123 suggested, and the GPO was applied and it overrode the local computer policy that I set on the Windows XP system itself.

But my only question is why won't the GPO apply when I apply it to an Organizational Unit, regardless of whether the OU has security filtering or not?
0
 
Netman66Commented:
Okay, I'm here to assist.

First off, let's clear up a few things I'm reading in this thread before too much is changed.

1)  Local Group Policy has the LOWEST priority of all policies.  Any other policy setting defined in any other GPO that affects the asset will override the local policy.
2)  Order of processing (by default) is: Local, Site, Domain, OU.  For OU policies it starts from the furthest OU from the object (the parent) and applies GPOs from there down to the closest OU in that order.
3)  Group Policy Objects cannot be linked to default containers in AD - this means Computers and Users are NOT OUs and therefore cannot be used to set policies on.
4)  Unless Loopback Processing is involved, GPOs are CUMULATIVE in nature - this means that unless the exact same policy element is set on two or more policies there will never be a conflict, and therefore the settings from each policy will simply apply in a layered fashion.

What I think you have going on is either point 3 above, or something in DNS is missing so Group Policy cannot be processed because the client cannot locate the Service Record.

Now, what you need to do is run a GPRESULT /V > C:\gpresult.txt on this client workstation (from the console) and attach it to this post.  When I see this, I will have a better answer for you.
0
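The layering rules in the answer above (LSDOU order, later settings win, an Enforced / No Override link locks a setting, and a GPO whose Computer or User section is disabled contributes nothing from that section) can be modelled as a small resolver. This is an added illustration, not code from the thread or from Microsoft; the GPO names, setting keys and values are constructed, and it mirrors the thread's case of a local policy being beaten by a domain-linked GPO whose Computer section is disabled.

```python
"""Constructed model of Group Policy precedence (not Microsoft's implementation).
GPOs are processed in LSDOU order: local, site, domain, then OUs parent-to-child.
A later GPO overwrites an earlier value for the same setting, unless an earlier
GPO was linked with Enforced (No Override), which locks that setting. A GPO with
its Computer or User section disabled contributes nothing from that section."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    scope: str                       # "local", "site", "domain" or "ou"
    enforced: bool = False           # Enforced / No Override on the link
    computer_disabled: bool = False  # Computer Configuration section disabled
    user_disabled: bool = False      # User Configuration section disabled
    computer: dict = field(default_factory=dict)  # setting -> value
    user: dict = field(default_factory=dict)      # setting -> value


def resolve(gpos):
    """Return {"computer": {setting: (value, winning GPO)}, "user": {...}}.
    `gpos` must already be in processing order (local first, child OU last)."""
    winners = {"computer": {}, "user": {}}
    locked = {"computer": set(), "user": set()}  # settings fixed by an Enforced link
    for gpo in gpos:
        for section, disabled, settings in (
            ("computer", gpo.computer_disabled, gpo.computer),
            ("user", gpo.user_disabled, gpo.user),
        ):
            if disabled:
                continue  # skipped entirely, as with the IE7 GPO's Computer section
            for key, value in settings.items():
                if key in locked[section]:
                    continue  # a higher Enforced link already won this setting
                winners[section][key] = (value, gpo.name)
                if gpo.enforced:
                    locked[section].add(key)
    return winners


# Constructed sample: local policy on the XP box, an Enforced domain GPO with its
# Computer section disabled, and a child-OU GPO that tries to reverse the setting.
LOCAL = GPO("Local Computer Policy", "local",
            computer={"IE/ProxyPerMachine": "Local"},
            user={"IE/PreventDeleteHistory": "Disabled"})
DOMAIN_IE7 = GPO("IE7 policy", "domain", enforced=True, computer_disabled=True,
                 computer={"IE/ProxyPerMachine": "Domain"},
                 user={"IE/PreventDeleteHistory": "Enabled"})
OU_GPO = GPO("Finance OU GPO", "ou",
             user={"IE/PreventDeleteHistory": "Disabled", "IE/HomePage": "http://intranet.example"})


def demo():
    return resolve([LOCAL, DOMAIN_IE7, OU_GPO])
```

Running `demo()` shows the domain GPO winning the history setting over both the local policy and the later OU link, while its disabled Computer section leaves the local proxy value in place.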
 
clcurriAuthor Commented:
Thanks for all the great information; I attached the gpresult file. I also moved the computers and users from AD containers to OUs a few years ago. I am also using Group Policy Management from Windows Vista and Windows Server 2003. Hopefully this information helps.

I also ran the commands you suggested remotely which were:

gpresult /S phobos09238 /USER isoto /V > c:\gpresult2.txt
0
 
Netman66Commented:
I don't see the file.

I don't want you to run them remotely; I need the output in verbose for both Machine AND User.  RDP to this box using the -console switch and gather the info if you can't log into the physical machine in front of you.

Thanks.
0
 
clcurriAuthor Commented:
Ok, I'll run the command locally when the user isn't on the system. I'll try my best to get the information to you when the user has some downtime.

Here is the file I was trying to attach until I can get you a file that was run locally.
gpresult2.txt
0
 
clcurriAuthor Commented:
Sorry about the delay, I was able to get the local gpresult, please see the attached file.
gpresult.txt
0
 
Netman66Commented:
Ok, I see the domain mode at Windows 2000.  Do you have any Windows 2000 Domain Controllers anywhere?  If not, you may be able to move Forest and Domain functional levels to 2003.

As for the IE7 policy, I see it applying - the Computer section of the AD policy is disabled but the User section is applying.  If the local policy has a setting for IE made within the Computer section of the policy then the AD GPO won't change any setting made in that section since it's disabled (I don't see anything set there, but you'll need to confirm).

You may need to install both the client-side Group Policy Preferences add-ins and (maybe) the new ADMs from Vista (or the server's copy).  Keep in mind, if these were made in an ADMX file they will not apply to an XP machine, since XP does not understand the ADMX templates (only ADM).
0
 
clcurriAuthor Commented:
I don't have any Windows 2000 domain controllers, so I don't understand why the mode is showing that it's at the Windows 2000 functional level. I confirmed in the Active Directory Domains and Trusts MMC, and my functional level is at the highest level, which is Windows 2003, there.

Also, there is nothing set for the Computer section, so that's correct. But does the gpresult explain why none of the Organizational Units work?

Thanks
0
 
clcurriAuthor Commented:
I meant, does the gpresult show why the GPOs don't apply when I link them to an OU?
0
 
Netman66Commented:
They are applying.  I'm just not sure why it isn't apparent as the user.

Internet Explorer is one of those apps from hell that should be pretty simple to set policy on, but never seems to work the way you expect or want it to.

0
 
clcurriAuthor Commented:
thanks
0
