Local group policy overrides domain group policy when not connected to LAN

    Question

  • We have a WSUS server in our domain and configure this service with a domain group policy.

    At the moment we are beginning to implement the update service with SCCM 2007 R2 SP2. This system has an internet-facing server.

    The current state is that all clients have to use the standard WSUS server and not SCCM for updates. This works fine on all clients inside the LAN. On these domain member computers (all with Windows 7 RTM, SP1, x86 / x64) the domain group policy overrides the local group policy generated by the SCCM client. This is the expected result.

    The problem begins when the domain member computer is not connected to the LAN and has no connection to a domain controller. In this case, the local group policy is applied to the update service and not the domain policy setting. The technical description for group policies says "The last domain group policy state is cached and will be applied to the computer".

    Why does Windows 7 apply the local group policy setting and not the domain group policy setting? Both group policies have the same settings, but with different values set.

    What must I do to prevent this, or where is the problem located?

    Wednesday, March 14, 2012 13:07

All replies

  •  

    Hi,

    For computers joined to a domain, domain administrators can disable processing Local Group Policy objects on clients running Windows 7 by enabling the "Turn off Local Group Policy objects processing" policy setting in a domain Group Policy object. You can find this setting in:

     Computer Configuration\Administrative Templates\System\Group Policy

    Try to enable this setting for a test.

    Alex Zhao

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.



    Thursday, March 15, 2012 5:42
    Moderator
  • Hello,

    I have applied the GPO with the setting. The result was the same.

    I have read all relevant log files from SCCM and the WindowsUpdate.log. There were two entries: "Modify Update location" and "inform update service about new policy". After these entries were written to the SCCM log, I saw that the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - WUServer was modified to the SCCM update server. A query of the applied GPOs with GPRESULT displays for WUServer the entry from the domain GPO and not from SCCM. I guess that the client has directly modified the registry value.

    I have now disabled the SCCM client on the computer and rebooted the computer (three times).

    But after all the reboots, the cached domain GPO has not repaired the registry value for WUServer.

    Now I was curious and changed other domain group policy values in the registry:
    Firewall: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules 

    After a reboot, the modified entries were accepted as a valid policy! Windows has not detected the change and has not repaired the entries. The values were corrected only after the machine had a domain controller connection.

    Thursday, March 15, 2012 14:52
  • Group policy is marked as successful and won't re-apply unless the GPO version changes.

    That's why you needed the connection to the domain controller.

    You can try the following setting if you want to enforce that:

    Computer Configuration\Administrative Templates\System\Group Policy\Security Policy Processing

    Inside this policy, you will check the box labeled “Process even if the Group Policy objects have not changed.”

    http://www.windowsecurity.com/articles/enforcing-gpo-security-settings.html

    Thursday, March 15, 2012 22:40
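The version check the reply above describes can be inspected on the client itself. The PowerShell below is an added example, not code from the thread or from Microsoft: Windows records, per client-side extension (CSE), the version of every GPO it last processed, and the "Process even if the Group Policy objects have not changed" checkbox is stored as NoGPOListChanges=0 under the CSE's policy key. The two GUIDs are the documented values for the Registry (Administrative Templates) and Security extensions. Two caveats a practitioner should keep in mind: the WindowsUpdate policy keys (WUServer and friends) are written by the Registry extension, so for that setting the relevant option is "Registry policy processing" ("Configure registry policy processing" in later versions), not the Security one; and on Windows 7 Group Policy refresh does not run at all while no domain controller can be reached, so neither option repairs a locally edited policy key while the machine is off the network.

```powershell
# Added example (not from the original thread): show why an unchanged GPO is not
# re-applied. Each CSE keeps a history of the GPOs (with version numbers) it last
# processed; unless NoGPOListChanges is 0 for that CSE, an unchanged GPO is skipped.

# Documented CSE GUIDs for the two extensions discussed in the thread.
$Cse = [ordered]@{
    'Registry (Administrative Templates, incl. WindowsUpdate keys)' = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    'Security'                                                      = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
}

function Get-CseProcessingFlags {
    # Reads the flags written by "Registry policy processing" / "Security policy
    # processing". NoGPOListChanges = 0 means "process even if the GPOs have not changed".
    foreach ($name in $Cse.Keys) {
        $key   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$($Cse[$name])"
        $flags = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $noListChanges = if ($null -ne $flags -and $null -ne $flags.NoGPOListChanges) { $flags.NoGPOListChanges } else { 'not configured (default: skip unchanged GPOs)' }
        $noBackground  = if ($null -ne $flags -and $null -ne $flags.NoBackgroundPolicy) { $flags.NoBackgroundPolicy } else { 'not configured' }
        [pscustomobject]@{
            Extension          = $name
            NoGPOListChanges   = $noListChanges
            NoBackgroundPolicy = $noBackground
        }
    }
}

function Get-AppliedGpoVersions {
    # Lists the GPOs and the version numbers the given CSE recorded at its last
    # successful run. A GPO whose version here equals the version in SYSVOL is
    # what the CSE treats as "unchanged".
    param([Parameter(Mandatory)][string]$CseGuid)
    $hist = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\$CseGuid"
    if (-not (Test-Path $hist)) { return }
    Get-ChildItem -Path $hist | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Order       = $_.PSChildName
            DisplayName = $p.DisplayName
            GPOName     = $p.GPOName
            Version     = $p.Version   # combined computer/user version DWORD from GPT.ini
            Link        = $p.Link
        }
    }
}

Get-CseProcessingFlags | Format-Table -AutoSize
foreach ($name in $Cse.Keys) {
    "`n== GPO history recorded by the $name extension =="
    Get-AppliedGpoVersions -CseGuid $Cse[$name] | Format-Table -AutoSize
}
```

Run it once while connected, note the versions, then edit one of the policy values by hand and run it again offline: the history entries and versions are unchanged, which is exactly why the CSE sees nothing to redo on the next refresh even when a refresh does manage to run.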
  •  

    Hi,

    I am just writing to check the status of this thread. Was the information provided in previous reply helpful to you? Do you have any further questions or concerns? Please feel free to let us know.

    Regards,

    Alex Zhao

    TechNet Subscriber Support


    Tuesday, March 20, 2012 2:43
    Moderator
  • Hello,

    I have modified the group policy, but the result is the same.

    The settings can be changed, and the GPO does not reset them back to the GPO definition: not while the computer is in normal operation, and not when I reboot.

    To solve the important problem, I have disabled SCCM update deployment over the internet-facing server. This does not solve the problem that the GPO is not applied if the computer is not connected to the domain network, but for the moment I have solved the problem with the SCCM updates.

    The problem is persistent.

    Wednesday, March 21, 2012 12:07
  • Hi,

    It is a normal behavior that the local group policy settings override the domain group policy settings when the domain member computer is not connected to the corp network.

    To prevent this, please try to disable local group policy processing by modifying/adding the following registry value:

    key: HKLM\Software\Policies\Microsoft\Windows\System\DisableLGPOProcessing

    Value: 1

    Please try my suggestion and let me know the result. Thanks.

    Denny Zhou


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, March 22, 2012 10:21
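To apply the value suggested above and then check, without a domain controller, whether the Windows Update policy keys still hold what the domain GPO delivered, here is an added PowerShell example (not code from the thread or from Microsoft). The WSUS URL is an assumed placeholder. Note what DisableLGPOProcessing does and does not do: it stops the Local GPO in %SystemRoot%\System32\GroupPolicy from being processed, but it gives no protection against a process with administrative rights writing straight into HKLM\SOFTWARE\Policies, which is what the original poster observes the SCCM client doing; the audit function is therefore the part that matters when the machine is off the network.

```powershell
# Added example, not from the original thread.
# Part 1: the suggested DisableLGPOProcessing=1 (the registry form of
#         "Turn off Local Group Policy objects processing"). Needs elevation.
# Part 2: an offline audit of the Windows Update policy keys, so that a value
#         that no longer matches the domain GPO is visible without a DC.

# Assumed value for this example only; use the URL your WSUS GPO actually sets.
$ExpectedWUServer = 'http://wsus.corp.example:8530'

function Set-LocalGpoProcessing {
    param([bool]$Disabled = $true)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DisableLGPOProcessing' -Value ([int]$Disabled) -Type DWord
    # Return the value actually stored so the caller can verify it (1 = local GPO ignored).
    (Get-ItemProperty -Path $key -Name 'DisableLGPOProcessing').DisableLGPOProcessing
}

function Get-WindowsUpdatePolicyState {
    # Reads the policy keys that both a WSUS GPO and the SCCM client write to and
    # compares WUServer with the value the domain GPO is supposed to deliver.
    param([Parameter(Mandatory)][string]$Expected)
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $p = if (Test-Path $wu) { Get-ItemProperty -Path $wu } else { $null }
    $a = if (Test-Path $au) { Get-ItemProperty -Path $au } else { $null }
    $lgpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                             -Name 'DisableLGPOProcessing' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer              = $p.WUServer
        WUStatusServer        = $p.WUStatusServer
        UseWUServer           = $a.UseWUServer
        DisableLGPOProcessing = $lgpo.DisableLGPOProcessing
        MatchesDomainGpo      = ($p.WUServer -eq $Expected)
    }
}

# Usage (run elevated). Uncomment the next line to apply the suggested setting:
# Set-LocalGpoProcessing -Disabled $true

$state = Get-WindowsUpdatePolicyState -Expected $ExpectedWUServer
$state | Format-List
if (-not $state.MatchesDomainGpo) {
    Write-Warning ("WUServer is '{0}', not the domain GPO value '{1}'. " +
                   "Something other than the domain GPO has written this key.") -f $state.WUServer, $ExpectedWUServer
}
```

Running the audit before and after the machine has talked to a domain controller reproduces the behaviour described in the thread: the mismatch persists across reboots while offline and disappears only once a refresh with a reachable DC has run.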
  • Hi,

    How are things going on your end? Was the suggestion I provided helpful to you? If there is anything I can do for you, please let me know. Thanks.

    Best regards,

    Denny Zhou



    Monday, March 26, 2012 15:06
  • I have done a workaround to solve the actual issue with the SCCM-controlled patch management. 'DisableLGPOProcessing' will not work, because SCCM directly overwrites the GPO setting in the registry.
    Only one question remains open:
    Why does Windows 7 not apply the cached GPO settings when the computer has no contact with the domain controller?
    Most users have local administrator rights; therefore the GPO settings should be unchangeable if the user is outside the LAN.
    Tuesday, March 27, 2012 12:34
  • I was having trouble with a local Software restriction policy and this worked perfectly and restored the domain policies I needed.
    Wednesday, September 25, 2013 16:44