Solved

Does the "Turn off Local Group Policy objects processing" setting have any effect on Domain Controllers?

Posted on 2010-11-12
4
1,398 Views
Last Modified: 2012-05-10
Greetings -

I have a GPO deployed at the top of my domain that enables the "Turn off Local Group Policy objects processing" setting.  Through some troubleshooting of a problem, I discovered that I had some local policies configured on a Domain Controller that were causing the problem.  However, it dawned on me: If I turned off local policy processing at the top of the domain, why were these settings taking effect at all?

I know the Default Domain Controllers Policy and a number of domain group policy settings are specific to DCs and can *only* be set in the Default Domain Controllers Policy - otherwise they will be ignored.

So my question is... does this setting take effect on DCs?  And if it does, must it be set in the Default Domain Controllers Policy?
0
Comment
Question by:amendala
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34125425
The way the policy settings get applied is Local-site-domain-OU. The policies are cumilative as long as it doesnt conflict. If there is a conflict the closest one to the object will win. That is if there is a policy allowing something at domain level and another policy denying it at OU level then it will be denied. Hope this answers your question. I think its the same way it gets applied on DC's as well.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34130766
Local group policy or multiple local group policy is for single computer & multiple LGPO is new local GPO which is release for Vista & above.

Foremost, Default domain & Default domain controller policy should never be modified, as the default policies contain settings required by DC to run properly.

When any system login to domain,it will get policy from Domain GPO & local GPO will be ignore.
GPO applies at LSDOU,as said by Moon_blue69.

So don't do any setting in local GPO atleast when its domain controller,let it be default, else unexpected result might been seen.

http://technet.microsoft.com/en-us/library/cc766291%28WS.10%29.aspx
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 34149893
moon_blue69: Thank you but I already understand the application order of GPO settings.  It does not answer whether or not the disabling of local policy within a GPO is a setting that is listened to by Domain Controllers.

Awinish: I do not use Local Group Policy in my environment.  Hence why I've deployed the setting that disables local GPO processing on all machines.  My specific question was whether or not that setting takes effect on DCs.

Also, your statement that Default Domain and Default Domain Controllers policies should never be modified is not accurate.  These policies often require modification, even per Microsoft's documentation - especially if you've implemented various System Center products in your enterprise.  Modifying these policies is not a problem, it's changing settings without fully understanding the consequences that is the problem.  Should additional care be taken when making changes to either of these very important policies?  Absolutely.  However, the fact that they are important does not imply they must be left alone.

---

I have spoken with Microsoft Premier regarding this topic and I have confirmed that the setting that turns off local group policy processing does not apply to Domain Controllers regardless of where it is set.  Domain Controllers will always attempt to compile local policy first - similar to all other member servers and clients, however, member servers and clients can have local policy compilation disabled by the policy I mentioned in my question originally.
0
 

Author Closing Comment

by:amendala
ID: 34182477
Answers did not accurately address my specific question about whether or not the setting applied to Domain Controllers or not.  Received confirmed answers from Microsoft Premier.
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question