Is there any built in way in GPO that can reset the Local group policy to defaults on startup.

bsharath
bsharath used Ask the Experts™
on
Hi,

Is there any built in way in GPO that can reset the Local group policy to defaults on startup.

Active directory 2003

Regards
sharath
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013

Commented:
Not that I know of but anything you set at the site, domain, or OU level will win/override the local GP setting.
Thanks
Mike
There are no built-in ways to do this. Some settings will revert to previous states, but only in specific circumstances.

Author

Commented:
Ok say the use has local administrator rights on his machine and he changes some settings in the local policy. Now how can i set it back to default. Via GPO or a startup script...
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Best way is to use gpedit.msc and change the setting back to "Not Configured" or whatever the default is.

You could do this with a GPO, but it would require you to set all the settings (or just the ones you're concerned with) and apply it to the system within an OU or using a scope filter.

Author

Commented:
Or is there any way to set deny permissions for the Local group policy change
Like deny the ability for an Administrator to change local policy? Group policy refreshes every XX amount of minutes (this is also a configurable policy) so that setting change will be overridden in a matter of minutes by the group setting. You could block the gpedit snap-in from being run in the MMC, which would protect the policies from being changed on a temporary basis.

Author

Commented:
>>You could block the gpedit snap-in from being run in the MMC
How can i do this
In the Group Policy Management Console, create or edit a new user policy. Navigate to:

User Configuration > Administrative Templates > Windows Components > Microsoft Management Console > Restricted/Permitted Snap-Ins > Group Policy > Group Policy Object Editor

Change this setting to "Disabled"

You can also just permit only specific MMC snap-in consoles, which may be best for most situations.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial