georgedschneider
asked on
Group Policy for Local User
I'm deploying a few laptop users. The issue I'm struggling with is how to apply group policy settings. When they're connected to the domain in the office there is no problem, all the GPOs will be applied via the domain GPO. The issue is when they're out of the office and log on locally. I could create a local group policy object to set the policies I need locally. My concern is that since the local policy processes before the domain policy, when the user is logged onto the domain, policies will be set from the local policy that I'm unaware of. Here's the question I have: if a policy is set to enabled via local and the domain GPO is set to not configured, what is the net effect? It's a shame there's no policy setting to prevent the processing of local GPOs. What is my best approach to this scenario?
Local policy will apply first, then domain policy. If you have a configuration set in a local policy and the same configuration is set to "not configured" in the domain policy, then the net effect would be the configuration from the local policy.
ASKER
So how do I prevent the local policies from taking effect when the user is logged onto the domain?
You need to set the same configuration on the domain policy to override the local policy configuration.
Or if you already have the policy set at the local level you don't really need to set it again at the domain level. If you do, Americom is right: the domain level policy is what is applied.
I've seen some places deploy local policies with their laptop images for the reasons you mention.
That is the famous LSDOU acronym
Local policies are applied first then Site Policies then Domain and then OU
http://technet.microsoft.com/en-us/library/dd277394.aspx
What policies are you setting?
Thanks
Mike
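As an added illustration (not code from the thread), a small Python model of the LSDOU order described above: each tier is processed in turn, a configured value in a later tier overrides an earlier one, and "Not Configured" leaves the earlier result untouched. The setting names are constructed labels, not real policy names, and Enforced/Block Inheritance are not modelled.

```python
from typing import Dict, List, Tuple

NOT_CONFIGURED = "Not Configured"
# Processing order: Local, Site, Domain, OU. Later tiers win on conflict.
ORDER = ("Local", "Site", "Domain", "OU")

Tiers = Dict[str, Dict[str, str]]


def resolve_setting(setting: str, tiers: Tiers) -> Tuple[str, str]:
    """Return (effective value, tier that set it) after LSDOU processing."""
    value, source = NOT_CONFIGURED, "none"
    for tier in ORDER:
        candidate = tiers.get(tier, {}).get(setting, NOT_CONFIGURED)
        if candidate != NOT_CONFIGURED:  # only configured values override
            value, source = candidate, tier
    return value, source


def resolve_all(tiers: Tiers) -> Dict[str, Tuple[str, str]]:
    """Resolve every setting mentioned in any tier."""
    names = set()
    for settings in tiers.values():
        names.update(settings)
    return {name: resolve_setting(name, tiers) for name in sorted(names)}


def report_local_leaks(tiers: Tiers) -> List[str]:
    """Settings whose effective value comes from Local Group Policy: the ones
    the asker worried about, set locally and never overridden by the domain."""
    return [name for name, (_, src) in resolve_all(tiers).items() if src == "Local"]


# Constructed sample (not real policy names): a laptop image with a local GPO
# that partly mirrors the domain GPO, plus one OU-level override.
SAMPLE_TIERS: Tiers = {
    "Local": {"DisableRegistryTools": "Enabled", "HideDesktopIcons": "Enabled"},
    "Domain": {"DisableRegistryTools": "Disabled", "ProxyPerUser": "Enabled"},
    "OU": {"ProxyPerUser": "Disabled"},
}

if __name__ == "__main__":
    for name, (value, source) in resolve_all(SAMPLE_TIERS).items():
        print(f"{name}: {value} (from {source})")
    print("Set only by local policy:", report_local_leaks(SAMPLE_TIERS))
```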
ASKER
Various settings for desktop settings, appearance, IE configurations, etc.
ASKER
Here's my thought: since they are in the office connecting to the domain a majority of the time, applying the corporate GPOs through Active Directory would be sufficient. For the rare circumstances that they are not connected I could create a local GPO that is the exact mirror of the Active Directory GPOs. Would I have to do this just for user policies or would I need to create it for the computer policies as well?
I don't believe that's a good reason to play with local policies unless the machines in question are not domain member machines or a domain member machine wants to have a separate set of policies from other machines. For the machines that are not connected, the GPOs remain in effect, as long as they were applied to the machines once successfully.
Where I am now the local computer policies are part of the image; they do mirror the domain policies. Most users do connect to the domain but the security group wanted it that way.
Thanks
Mike
ASKER
In response to Americon's post, wouldn't the GPO only be applied for computer policies, and when the user logs onto the domain? The user policies would not apply for the local user, unless I'm mistaken.
If we are talking about a user configuration GPO, it affects domain users, not local user accounts created locally on a domain member computer. But I thought you were talking about domain users logged on to a domain member computer, whether the computer is connected to the network or not. As long as the computer was in the domain and the domain users have logged on previously and the GPO applied, the configuration is still in effect even when the domain user later logs on to the same computer while it is not connected to the network. I'm not referring to non-domain users... Of course, don't expect every GPO to behave this way, as sometimes it really depends on the type of GPO configuration and settings etc. Are you referring to a local user or a domain user?
ASKER
Both actually. I'm trying to figure out what to do with our laptop users who log onto the domain when they're in the office and will log on locally when out of the office. I'm trying to determine the best solution with regards to GPO.
ASKER
Ideally I don't, but I've had a domain account for them to use when they're in the office and a local account when they're off site or at home to log on. When logging on with cached credentials, is the user still limited by account restrictions?
ASKER
By account restrictions I'm referring to restrictions such as the logon hours for the domain account.
In your case, you do not need to worry about using the local account just for the restriction you mentioned above. The domain account policy only controls if the user will be disconnected or logged off when accessing network resources or attempting to log on to the domain and validate the domain user account properties settings. For example, if the domain account properties settings are configured for no logon before 8am and after 6pm, when a user tries to log on after 6pm, the logon process will contact the domain controller to validate the settings of the domain user account properties. If contacted, and based on the settings, it will not be allowed to log on. If the user machine is not connected to the network and the user is trying to use the same domain account to log on to the machine with the cached credentials, and no domain controller is available, the user will have no problem logging on to the machine. After all, the domain user account settings are not a part of the account policy. They are only the settings of the account properties. Only the "Disconnect clients when logon hours expire" or the "Force logoff when logon hours expire" are settings of the account policy. Therefore, if the domain user account properties cannot be verified by the domain controller, these settings have no effect.
ASKER
If I'm understanding everything correctly, using cached credentials is probably the best method and it avoids having to manage multiple accounts. With cached credentials the user can log in and the domain group policy settings will be set as long as the user has connected to the domain and logged in at least once. With cached credentials a user can log in with the last several passwords of a successful logon. If I used a local account it can get a little complicated between local and domain policies.
Definitely stay away from local accounts for users; it will make things more complicated and confusing for both admins and end users.
ASKER
The only case to use a local account for a remote user would be if he's only in the office once every quarter and never really logs onto the network other than the occasional office visit.
Even then you should still use a domain user instead of a local user, unless the user never needs to access any domain resources. As long as the user's computer is a member of the domain, the user should use a domain account. Local users on a PC or server are useful when it comes to security, like a consultant who comes from outside and needs to install an application on PCs or servers where you do not want to create a domain user account that by default has many domain resources open to it.
ASKER
My question with this would be, if the user is only connected once a quarter, he'd have to remember both the cached password and what the actual password would be, since he can still connect via VPN to access resources such as email.
ASKER
If a user logs on using cached credentials since the network is obviously not available and creates a Word document on their desktop, is this copied up to their roaming profile when they reconnect to the network as part of the profile synchronization process?
If the user saves a doc on the desktop while not connected to the network, it only saves to the local profile. When the user has access to the network and logs on to the domain, the saved file is still in the local profile and it will get saved to the roaming profile upon the user's next logoff while connected to the network. The only time you don't get to save to the roaming profile is when it is configured as a mandatory roaming profile.
Regarding the cached password and when the user is working on VPN for a few months while the domain password has expired, this will depend on your VPN client. Let's say you use the Nortel VPN client; you have options for logoff and logon etc. While the user is not physically at work, the user logs on with the cached password, then starts the VPN and connects to the network. If the domain password is different than the locally cached password, the user will not be able to access domain resources. But if the helpdesk has reset the password and informed the user, the user can log off while connected to the VPN, then log on with the new password while connected to the VPN. Logging off does not disconnect the VPN, as long as you don't reboot the machine.