GPO Cache and Credential Cache

Computer Name = PC1; PC1 is a member of the domain named "ABC.local".
"John" = Domain User Name

After John joins PC1 to the domain "ABC.local" and successfully logs on to the domain for the first time, a domain cached credential for John is stored on PC1's hard disk. Similarly, a cached copy of the GPOs that link to PC1 is also stored on PC1's hard disk.

So, when anyone powers up PC1, there are 2 types of policy applied to PC1: Local Group Policy and GPOs (domain level). Both apply to PC1 even when the DC is not available.

If there is any conflict between Local Group Policy and GPOs, then PC1 will take the GPOs. (GPOs override Local Group Policies.)

I would like to know: if John logs on to the domain using PC1, would the GPOs that link to John be cached on PC1? (question #1)

Once John is logged on to the domain (through PC1), would both John's Local Group Policy and GPOs apply to John even when the Domain Controller is not available? (question #2) Or do only GPOs apply to John, but not Local Policy? (question #3) Or are both Local Policy and GPOs NOT applied to John when the DC is not available? (question #4)
Asked by kcn

Netman66 commented:
Q1&Q2 - no.  Unless the SYSVOL is available, the domain GPOs don't get processed.

Q3&Q4 - local policies will apply even when off the domain.  Local policies also apply when on the domain, but domain GPOs override local policies if there are common settings to both that are configured.

mcsween (Sr. Network Administrator) commented:
Domain GPOs do not cache at a computer or user level ever. Once a policy is applied the settings may persist depending on what settings are being set by the GPO, but this does not mean the policy is cached. Some information may be cached, like how to reverse a policy. This info is stored locally because when a GPO is deleted from the domain level and no longer applies to the client, the client must know how to reverse the settings. Since the GPO was deleted, the only place to learn how to reverse it is from the local reverse settings.

Local Policies are always processed regardless of whether you are connected to the domain or not.  If 2 settings conflict between a Local Policy and a Domain Policy the domain policy will always take precedence.

If you are concerned with offline GPO processing you are going to want to define your policies on the client not at the domain level.  This can be accomplished through an easy file copy.

http://winforums.com/showthread.php?t=7640

kcn (author) commented:
Hi Experts,

That means when John logs on to the domain, but at that time the Domain Controller is not available, no GPOs apply to John? (question #5)

When the DC is not available, but John logs on to the domain (using the cached credential), only LOCAL Group Policy is applied to John? (question #6)

Netman66 commented:
Question 5: correct. Unless there are registry-based policy settings in the GPO, then no element of the domain GPO will apply to John. If there are registry-based settings, then those settings remain in the state they were last set to by the GPO.

Question 6:  correct.  Local policies will always apply since they are local to the pc.

Question has a verified solution.
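
As an added example (not part of the thread or any poster's code), the PowerShell below shows what a domain member such as PC1 records locally: the cached-logon limit and the per-extension Group Policy history in the registry, with a check of whether each GPO's source path is currently reachable. The function names are hypothetical; the registry paths are the standard Windows locations and are assumed to be present on the client.

```powershell
# Added example: inspect what a domain member keeps locally about cached
# logons and previously applied GPOs. Run on the client (e.g. PC1).

function Get-CachedLogonLimit {
    # CachedLogonsCount is a string value holding how many domain logons
    # Windows will cache; it is a limit, not the cached credentials themselves.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.CachedLogonsCount
}

function Get-AppliedGpoHistory {
    param(
        # Machine-side history by default; pass the HKCU equivalent for the user side.
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    )
    if (-not (Test-Path -Path $Root)) { return }
    # Layout: History\{client-side extension GUID}\{order index}\<values>
    foreach ($cse in Get-ChildItem -Path $Root) {
        foreach ($entry in Get-ChildItem -Path $cse.PSPath) {
            $p = Get-ItemProperty -Path $entry.PSPath
            # Domain GPOs are read from a UNC path under SYSVOL; the local
            # policy is read from a path on the local disk.
            $isDomain = ($p.FileSysPath -like '\\*')
            [pscustomobject]@{
                Extension   = $cse.PSChildName
                Order       = $entry.PSChildName
                DisplayName = $p.DisplayName
                Source      = if ($isDomain) { 'Domain (SYSVOL)' } else { 'Local' }
                FileSysPath = $p.FileSysPath
                # With no DC reachable this is False for domain entries
                # (the check can take a while to time out).
                Reachable   = [bool]($p.FileSysPath -and (Test-Path -Path $p.FileSysPath))
            }
        }
    }
}

"Cached logon limit: $(Get-CachedLogonLimit)"
Get-AppliedGpoHistory | Sort-Object Extension, Order | Format-Table -AutoSize
Get-AppliedGpoHistory -Root 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History' |
    Sort-Object Extension, Order | Format-Table -AutoSize
```

Comparing the output with the machine on and off the network shows which recorded entries depend on a reachable SYSVOL path and which come from the local disk.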