GPO Cache and Credential Cache

Computer name = PC1; PC1 is a domain member of the domain named "ABC.local".
"John" = domain user name

After John joins PC1 to the domain "ABC.local" and successfully logs on to the domain for the first time, domain cached credentials for John are stored on PC1's hard disk. Similarly, a cached copy of the GPOs that link to PC1 is also stored on PC1's hard disk.

So, when anyone powers up PC1, two types of policy are applied to PC1: Local Group Policy and GPOs (domain level). Both apply to PC1 even if the DC is not available.

If there is any conflict between Local Group Policy and GPOs, then PC1 will take the GPOs. (GPOs override Local Group Policies.)

I would like to know: if John logs on to the domain using PC1, would the GPOs that link to John be cached on PC1? (question #1)

Once John is logged on to the domain (through PC1), would John's Local Group Policy plus GPOs both apply to John even if the Domain Controller is not available? (question #2) Or do only GPOs apply to John but not Local Policy? (question #3) Or are both Local Policy and GPOs NOT applied to John when the DC is not available? (question #4)

Q1&Q2 - no.  Unless the SYSVOL is available, the domain GPOs don't get processed.

Q3&Q4 - local policies will apply even when off the domain.  Local policies also apply when on the domain, but domain GPOs override local policies if there are common settings to both that are configured.


mcsween, Sr. Network Administrator, commented:
Domain GPOs do not cache at a computer or user level ever.  Once a policy is applied the settings may persist depending on what settings are being set by the GPO, but this does not mean the policy is cached.  Some information may be cached, like how to reverse a policy.  This info is stored locally because when a GPO is deleted from the domain level and no longer applies to the client, the client must know how to reverse the settings.  Since the GPO was deleted, the only place to learn how to reverse it is from the local reverse settings.

Local Policies are always processed regardless of whether you are connected to the domain or not.  If 2 settings conflict between a Local Policy and a Domain Policy the domain policy will always take precedence.

If you are concerned with offline GPO processing you are going to want to define your policies on the client not at the domain level.  This can be accomplished through an easy file copy.
kcn (Author) commented:
Hi Experts,

That means when John logs on to the domain, but at that time the Domain Controller is not available, no GPOs apply to John? (question #5)

When the DC is not available, but John logs on to the domain (using the cached credentials), only LOCAL Group Policy is applied to John? (question #6)

Question 5: correct.  Unless there are registry-based policy settings in the GPO, no element of the domain GPO will apply to John.  If there are registry-based settings, then those settings remain in the state they were last set to by the GPO.

Question 6: correct.  Local policies will always apply since they are local to the PC.
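
A read-only check that can be run on PC1 to see the conditions this thread turns on: whether SYSVOL is reachable, how many domain logons the machine will cache, and which registry-based policy values are currently on disk. This is an added example, not part of any post above; the domain name comes from the question, and the variable names and output property names are illustrative.

```powershell
# Domain name taken from the question; change it for your environment.
$Domain = 'ABC.local'

# 1. Is SYSVOL reachable? The answers above tie domain GPO processing to this.
$sysvolPath      = "\\$Domain\SYSVOL\$Domain\Policies"
$sysvolReachable = Test-Path -Path $sysvolPath -ErrorAction SilentlyContinue

# 2. How many previous domain logons this PC is configured to cache
#    (this is what lets John log on while the DC is unavailable).
$winlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cachedLogons = (Get-ItemProperty -Path $winlogonKey -Name CachedLogonsCount).CachedLogonsCount

# 3. Registry-based policy values currently present for the machine and the
#    logged-on user. These stay in their last-written state while offline.
$policyRoots = 'HKLM:\SOFTWARE\Policies', 'HKCU:\SOFTWARE\Policies'
$policyKeys  = foreach ($root in $policyRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueCount -gt 0 } |
        Select-Object -ExpandProperty Name
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    User               = "$env:USERDOMAIN\$env:USERNAME"
    SysvolReachable    = $sysvolReachable
    CachedLogonsCount  = $cachedLogons
    PolicyKeysWithData = @($policyKeys).Count
}

# Keys holding policy values, for review.
$policyKeys

# 4. What Group Policy itself reports for the current user.
gpresult /r /scope user
```

Running it once while connected and once with the network unplugged shows which values change and which persist.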
