Solved

Group Policy for Local User

Posted on 2009-04-30
Last Modified: 2012-05-06
I'm deploying a few laptop users. The issue I'm struggling with is how to apply group policy settings. When they're connected to the domain in the office there is no problem; all the GPOs will be applied via the domain GPO. The issue is when they're out of the office and log on locally. I could create a local group policy object to set the policies I need locally. My concern is that since the local policy processes before the domain policy, when the user is logged onto the domain, policies will be set from the local policy that I'm unaware of. Here's the question I have: if a policy is set to enabled via local and the domain GPO is set to not configured, what is the net effect? It's a shame there's no policy setting to prevent the processing of local GPOs. What is my best approach to this scenario?
Question by:georgedschneider
22 Comments
 
LVL 18

Expert Comment

by:Americom
ID: 24271503
Local policy will apply first, then domain policy. If you have a configuration set in a local policy and the same configuration is set to "not configured", then the net effect would be the configuration from the local policy.
0
 

Author Comment

by:georgedschneider
ID: 24271548
So how do I prevent the local policies from taking effect when the user is logged onto the domain?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24271821
You need to set the same configuration on the domain policy to override the local policy configuration.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24272036
Or if you already have the policy set at the local level you don't really need to set it again at the domain level. If you do, Americom is right: the domain level policy is what is applied.
I've seen some places deploy local policies with their laptop images for the reasons you mention.
That is the famous LSDOU acronym:
Local policies are applied first, then Site policies, then Domain, and then OU.
http://technet.microsoft.com/en-us/library/dd277394.aspx
What policies are you setting?
Thanks
Mike
0
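Mike's LSDOU point and the original concern about local settings the admin is "unaware of" both come down to knowing exactly what the local GPO on a laptop image sets before the domain policy layers over it. The script below is an added example, not code from this thread or from Microsoft: it parses the Registry.pol file that the Local Group Policy Editor writes under C:\Windows\System32\GroupPolicy\Machine (and \User) and lists every registry value the local policy sets, so it can be compared against the domain GPOs. The file format follows the MS-GPREG specification; the sample file embedded in the script and its policy values are constructed for illustration.

```python
import struct, sys
# Registry.pol (MS-GPREG): "PReg" + version DWORD 1, then entries [key\0;name\0;type;size;data];
# brackets, semicolons, key and name are UTF-16LE; type and size are little-endian DWORDs.
HEADER = b"PReg" + struct.pack("<I", 1)
REG_SZ, REG_DWORD = 1, 4
def u16(s): return s.encode("utf-16-le")

def _read_utf16z(buf, pos):  # null-terminated UTF-16LE string -> (text, offset after the null)
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):  # consume one UTF-16LE delimiter or fail loudly
    if buf[pos:pos + 2] != u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2

def parse_registry_pol(buf):
    """Return [(key, name, type, value), ...]; keys are relative to HKLM (Machine) or HKCU (User)."""
    if buf[:8] != HEADER:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _read_utf16z(buf, _expect(buf, pos, "["))
        name, pos = _read_utf16z(buf, _expect(buf, pos, ";"))
        rtype = struct.unpack_from("<I", buf, _expect(buf, pos, ";"))[0]        # ";type"
        size = struct.unpack_from("<I", buf, _expect(buf, pos + 6, ";"))[0]     # ";size"
        pos = _expect(buf, pos + 12, ";")                                       # ";data"
        data, pos = buf[pos:pos + size], _expect(buf, pos + size, "]")
        value = (struct.unpack("<I", data)[0] if rtype == REG_DWORD and size == 4 else
                 data.decode("utf-16-le").rstrip("\x00") if rtype == REG_SZ else data)
        entries.append((key, name, rtype, value))
    return entries

def build_entry(key, name, rtype, data):  # inverse of the parser; used only to build the sample
    sep = u16(";")
    return (u16("[") + u16(key + "\x00") + sep + u16(name + "\x00") + sep + struct.pack("<I", rtype)
            + sep + struct.pack("<I", len(data)) + sep + data + u16("]"))
# Constructed sample standing in for a laptop image's User\Registry.pol: it hides the Control
# Panel and forces an IE start page (REG_SZ data includes its null terminator).
SAMPLE_POL = HEADER + build_entry(
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel",
    REG_DWORD, struct.pack("<I", 1)) + build_entry(
    r"Software\Policies\Microsoft\Internet Explorer\Main", "Start Page", REG_SZ, u16("http://intranet.example\x00"))

if __name__ == "__main__":  # e.g. python registry_pol.py C:\Windows\System32\GroupPolicy\User\Registry.pol
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for key, name, rtype, value in parse_registry_pol(raw):
        print("%s\\%s (type %d) = %r" % (key, name, rtype, value))
```

Run it against both Registry.pol files on the image and diff the output against the domain GPO report (for example from gpresult) to spot values the local policy sets that the domain leaves "not configured".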
 

Author Comment

by:georgedschneider
ID: 24272683
Various settings for desktop settings, appearance, IE configurations, etc.
0
 

Author Comment

by:georgedschneider
ID: 24314711
Here's my thought: since they are in the office connecting to the domain a majority of the time, applying the corporate GPOs through Active Directory would be sufficient. For the rare circumstances that they are not connected I could create a local GPO that is the exact mirror of the Active Directory GPOs. Would I have to do this just for user policies or would I need to create it for the computer policies as well?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24315337
I don't believe that's a good reason to play with local policies unless the machines in question are not domain member machines or a domain member machine wants to have a separate set of policies from other machines. For the machines that are not connected, the GPO remains in effect, as long as it was applied to the machines once successfully.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24315432
Where I am now the local computer policies are part of the image; they do mirror the domain policies. Most users do connect to the domain but the security group wanted it that way.
Thanks
Mike
0
 

Author Comment

by:georgedschneider
ID: 24327491
In response to Americom's post, wouldn't the GPO only for computer policies be applied when the user logs onto the domain? The user policies would not apply for the local user unless I'm mistaken.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24328067
If we are talking about a user configuration GPO, it affects domain users, not a local user account created locally on a domain member computer. But I thought you were talking about domain users logged on to a domain member computer whether the computer is connected to the network or not. As long as the computer was in the domain and the domain users have logged on previously and the GPO applied, the configuration is still in effect even later when the domain user logs on to the same computer while it is not connected to the network. I'm not referring to non-domain users... Of course, don't expect every GPO to behave this way as sometimes it really depends on the type of GPO configuration and settings etc. Are you referring to a local user or a domain user?
0
 

Author Comment

by:georgedschneider
ID: 24328091
Both actually. I'm trying to figure out what to do with our laptop users who log onto the domain when they're in the office and will log on locally when out of the office. I'm trying to determine the best solution with regards to GPO.
0
 
LVL 18

Accepted Solution

by:Americom (earned 2000 total points)
ID: 24329537
Maybe "logon locally" is not the correct term used here? If it is, then in your case you are having the user log on to the computer with two different user accounts, one domain and one local account. I don't think that's what you are referring to unless you want to manage both the AD account and the local PC account... users would not like that idea most of the time... If that's not what you were referring to, then we are talking about the domain account only here, whether the user logged on while the computer is connected to the network (domain) or not. When it is not, the user still logs on to the computer with the domain user account via the locally cached credential (this is not the same as logon locally), and in this case GPO still applies. If you are talking about a local user account, it is not the same logon as with the domain account, so in general, if you are configuring the same user configuration on the local GPO as the domain, it affects only the local user account, not the domain user account. But if the user logs on with the domain account, even when the computer is not connected to the network, the configuration is still in effect.
0
 

Author Comment

by:georgedschneider
ID: 24358996
Ideally I don't, but I've had a domain account for them to use when they're in the office and a local account when they're off site or at home to log on. When logging on with cached credentials is the user still limited by account restrictions?

0
 

Author Comment

by:georgedschneider
ID: 24359009
By account restrictions I'm referring to restrictions such as the logon hours for the domain account.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365323
In your case, you do not need to worry about using the local account just for the restriction you mentioned above. The domain account policy only controls whether the user will be disconnected or logged off when accessing network resources or attempting to log on to the domain and validate the domain user account properties settings. For example, say the domain account properties are configured for no logon before 8am and after 6pm. When a user tries to log on after 6pm, the logon process will contact the domain controller to validate the settings of the domain user account properties. If contacted, and based on the settings, it will not be allowed to log on. If the user's machine is not connected to the network and the user is trying to use the same domain account to log on to the machine with the cached credentials, and no domain controller is available, the user will have no problem logging on to the machine. After all, the domain user account settings are not a part of the account policy. They are only the settings of the account properties. Only the "Disconnect clients when logon hours expire" or the "Force logoff when logon hours expire" settings are part of the account policy. Therefore, if the domain user account properties cannot be verified by the domain controller, these settings have no effect.
0
 

Author Comment

by:georgedschneider
ID: 24388981
If I'm understanding everything correctly, using cached credentials is probably the best method and it avoids having to manage multiple accounts. With cached credentials the user can log in and the domain group policy settings will be set as long as the user has connected to the domain and logged in at least once. With cached credentials a user can log in with the last several passwords of a successful logon. If I used a local account it can get a little complicated between local and domain policies.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24389033
Definitely stay away from local accounts for users; it will make things more complicated and confusing for both admins and end users.
0
 

Author Comment

by:georgedschneider
ID: 24390072
The only case to use a local account for a remote user would be if he's only in the office once every quarter and never really logs onto the network other than the occasional office visit.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24390335
Even then you should still use a domain user instead of a local user, unless the user never needs to access any domain resources. As long as the user's computer is a member of the domain, the user should use a domain account. Local users on a PC or server are useful when it comes to security, like when a consultant comes from outside and needs to install an application on PCs or servers where you do not want to create a domain user account that by default has many domain resources open.
0
 

Author Comment

by:georgedschneider
ID: 24425003
My question with this would be, if the user is only connected once a quarter, he'd have to remember both the cached password and what the actual password would be, since he can still connect via VPN to access resources such as email.
0
 

Author Comment

by:georgedschneider
ID: 24600695
If a user logs on using cached credentials since the network is obviously not available and creates a Word document on their desktop, is this copied up to their roaming profile when they reconnect to the network as part of the profile synchronization process?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24603664
If the user saves a doc on the desktop while not connected to the network, it only saves to the local profile. When the user has access to the network and logs on to the domain, the saved file is still in the local profile and it will get saved to the roaming profile upon the user's next logoff while connected to the network. The only time you don't get to save to the roaming profile is when it is configured as a mandatory roaming profile.

Regarding the cached password and when the user is working on VPN for a few months while the domain password has expired, this will depend on your VPN client. Let's say you use the Nortel VPN client; you have options for logoff and logon etc. While the user is not physically at work, the user logs on with the cached password then starts the VPN and connects to the network. If the domain password is different than the locally cached password, the user will not be able to access domain resources. But if the helpdesk has reset the password and informed the user, the user can log off while connected to the VPN then log on with the new password while connected to the VPN. Logging off does not disconnect the VPN, as long as you don't reboot the machine.
0
