Apply domain controller GPO settings


Can somebody tell me why the local GPO settings are not overridden by the default domain controller policy? I thought the order was:


Here is the case: on a Windows 8 workstation the user can change the time zone. I would like to prevent this. In the local GPO in computer configuration / policies / windows settings / security settings / local policies / user rights assignment the following user(groups) are allowed to change the timezone: administrators, Local Service and Users.

In the domain controllers policy, I have changed it from not defined to only administrators and Local Service. Users can still change it after restarts and gpupdate /force.
Anybody any ideas?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike KlineCommented:
The domain controllors policy affects the DCs so it is not applied to the user workstations.

You can create a policy that restricts them and link it to where the workstations are.  Definitely test it before deploying to your full domain.



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SandeshdubeySenior Server EngineerCommented:
You need to create new GPO template and apply the policy to workstation computers OU or define the GPO in default domain policy template.If you configure the policy in default domain policy it will applied to all workstation in domain.

It seems that user in question is added to local admin group hence able to modify the time setting.Normal user cannot edit the time setting.

As mike mentioned policy defined in Default domain controller template will only be applied to domain controllers.
P-R-WAuthor Commented:
Thanks for that, thought that certain settings (like the User Rights assignment) from the Domain controllers would go out to the PC's as well. They are not defined in the default domain policy ....
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.