none
local user GPO vs Domain GPO

    Question

  • hello all

    to a computer which is on a domain but has a local restricted user i modified the local user group policy and appplied the following restrictions:

    1) desktop interface 

    2) taskbar limitations 

    3) specif program to start up (internet explorer) 

    my question is : 
    1) since the computer is in the domain the group policies from the domain will be applied and my local user will be overwritten taking in consideration i edited only the user local settings and not the computer? 
    2) what about when the domain gpo pushes internet explorer updates and other program updates like java will they be applied ? How can i restrict those? Can i do it a the local user GPO level?

    thank you in advance for your answers.

    Saturday, April 04, 2015 1:20 PM

Answers

  • Hello,

    • ad 1) if your users are log on to computer using local accounts, then doesn't matter what is in domain user policy, because on local account will be applied only local user group policy. From domain will be applied only computer policy, which overwrites your local computer policy.
    • ad 2) from first paragraph is clear that if updates are configured at domain users policy, then they never will be applied, but if updates are deployed from computer policy, you must configure this domain policy, if you don't want update IE, etc., because local computer policy will be overwritten by domain computer policy. 

    If your users are log on to computer using domain accounts, then domain policy overwrite any local users policy. 

    For more about Group Policy precedence read this Group Policy processing and precedence

    Hope this helps.

    Regards,

    thennet

    Saturday, April 04, 2015 8:05 PM
  • all the local policies (user & computer) are overwritten from the domain policy if i enter with the domain user correct? but if i enter with the local restricted user then the local user policy is used and not the domain.

    Yes, your understanding is correct. 

    the question which rises is which computer policy is used when i enter to first with the domain user and also with the "switch user" ability of windows 7 i enter also with the local restricted user?  I think my question is answered by your points above but i want to be sure.

    In both of this cases is winner computer policy from Domain. If is not in Domain defined computer policy, then is used only Local computer policy.

    You're welcome.

    Best Regards,

    thennet


    Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable. This helps the community, keeps the forums tidy, and recognises useful contributions. Thank you!



    • Edited by thennet Sunday, April 05, 2015 5:44 PM
    • Marked as answer by Kostas Koulis Monday, April 06, 2015 3:47 AM
    Sunday, April 05, 2015 5:41 PM

All replies

  • Hello,

    • ad 1) if your users are log on to computer using local accounts, then doesn't matter what is in domain user policy, because on local account will be applied only local user group policy. From domain will be applied only computer policy, which overwrites your local computer policy.
    • ad 2) from first paragraph is clear that if updates are configured at domain users policy, then they never will be applied, but if updates are deployed from computer policy, you must configure this domain policy, if you don't want update IE, etc., because local computer policy will be overwritten by domain computer policy. 

    If your users are log on to computer using domain accounts, then domain policy overwrite any local users policy. 

    For more about Group Policy precedence read this Group Policy processing and precedence

    Hope this helps.

    Regards,

    thennet

    Saturday, April 04, 2015 8:05 PM
  • Hello Thennet and thank you for your answer.

    so from your email what i understood is that:

    all the local policies (user & computer) are overwritten from the domain policy if i enter with the domain user correct? but if i enter with the local restricted user then the local user policy is used and not the domain.

    the question which rises is which computer policy is used when i enter to first with the domain user and also with the "switch user" ability of windows 7 i enter also with the local restricted user?  I think my question is answered by your points above but i want to be sure.

    thank you again.

    Sunday, April 05, 2015 3:24 PM
  • all the local policies (user & computer) are overwritten from the domain policy if i enter with the domain user correct? but if i enter with the local restricted user then the local user policy is used and not the domain.

    Yes, your understanding is correct. 

    the question which rises is which computer policy is used when i enter to first with the domain user and also with the "switch user" ability of windows 7 i enter also with the local restricted user?  I think my question is answered by your points above but i want to be sure.

    In both of this cases is winner computer policy from Domain. If is not in Domain defined computer policy, then is used only Local computer policy.

    You're welcome.

    Best Regards,

    thennet


    Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable. This helps the community, keeps the forums tidy, and recognises useful contributions. Thank you!



    • Edited by thennet Sunday, April 05, 2015 5:44 PM
    • Marked as answer by Kostas Koulis Monday, April 06, 2015 3:47 AM
    Sunday, April 05, 2015 5:41 PM
  • thank you
    Monday, April 06, 2015 3:47 AM