asked on
Does the "Turn off Local Group Policy objects processing" setting have any effect on Domain Controllers?
Greetings -
I have a GPO deployed at the top of my domain that enables the "Turn off Local Group Policy objects processing" setting. Through some troubleshooting of a problem, I discovered that I had some local policies configured on a Domain Controller that were causing the problem. However, it dawned on me: If I turned off local policy processing at the top of the domain, why were these settings taking effect at all?
I know the Default Domain Controllers Policy and a number of domain group policy settings are specific to DCs and can *only* be set in the Default Domain Controllers Policy - otherwise they will be ignored.
So my question is... does this setting take effect on DCs? And if it does, must it be set in the Default Domain Controllers Policy?
I have a GPO deployed at the top of my domain that enables the "Turn off Local Group Policy objects processing" setting. Through some troubleshooting of a problem, I discovered that I had some local policies configured on a Domain Controller that were causing the problem. However, it dawned on me: If I turned off local policy processing at the top of the domain, why were these settings taking effect at all?
I know the Default Domain Controllers Policy and a number of domain group policy settings are specific to DCs and can *only* be set in the Default Domain Controllers Policy - otherwise they will be ignored.
So my question is... does this setting take effect on DCs? And if it does, must it be set in the Default Domain Controllers Policy?
Active DirectoryWindows Server 2008
Last Comment
amendala
The way the policy settings get applied is Local-site-domain-OU. The policies are cumilative as long as it doesnt conflict. If there is a conflict the closest one to the object will win. That is if there is a policy allowing something at domain level and another policy denying it at OU level then it will be denied. Hope this answers your question. I think its the same way it gets applied on DC's as well.
Local group policy or multiple local group policy is for single computer & multiple LGPO is new local GPO which is release for Vista & above.
Foremost, Default domain & Default domain controller policy should never be modified, as the default policies contain settings required by DC to run properly.
When any system login to domain,it will get policy from Domain GPO & local GPO will be ignore.
GPO applies at LSDOU,as said by Moon_blue69.
So don't do any setting in local GPO atleast when its domain controller,let it be default, else unexpected result might been seen.
http://technet.microsoft.com/en-us/library/cc766291%28WS.10%29.aspx
Foremost, Default domain & Default domain controller policy should never be modified, as the default policies contain settings required by DC to run properly.
When any system login to domain,it will get policy from Domain GPO & local GPO will be ignore.
GPO applies at LSDOU,as said by Moon_blue69.
So don't do any setting in local GPO atleast when its domain controller,let it be default, else unexpected result might been seen.
http://technet.microsoft.com/en-us/library/cc766291%28WS.10%29.aspx
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Answers did not accurately address my specific question about whether or not the setting applied to Domain Controllers or not. Received confirmed answers from Microsoft Premier.