winning local group

    Question

  • During GPO troubleshooting my colleague found a bunch of LOCAL GPOs as winning (see screenshot).

    Our workstation park is W7. They are deployed from MDT2013. I created the last image, which was captured from a clean Windows 7 Pro VM (installation source: MS Volume License ISO).

    I am sure that I didn't touch Local GPOs before capturing. It was a virgin W7 install. The guy compared the Resultant GPO for computers deployed from the previous image and is not seeing these winning Local GPOs. So he kind of blames :) my new image...

    I just took a quick look at the winning GPOs and see that they are actually doing a good job from a security perspective.

    The question:

    What could be the mystery of these Local GPOs? Where are they coming from? Could they be predefined in a Domain GPO that configures Local?

    Thanks.

    Unfortunately, cannot insert jpg of 114KB... tried multiple times. It just shows some winning Local GPOs among default domain and other AD GPOs


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


    • Edited by pob579 Sunday, July 19, 2015 10:40 AM typo
    Thursday, July 16, 2015 1:02 AM

Answers

  • > During GPO troubleshooting my colleague found a bunch of LOCAL
    > GPOs as winning (see screenshot).
     
    Local GPO settings are only winning as long as there's no domain policy
    configuring the same setting.
     
    > What could be the mystery of these Local GPOs? Where are they coming from?
     
    They are residing in \Windows\System32\GroupPolicy.
     
    How they got there? That cannot be answered - did you play around with
    Security Compliance Manager and its Local GPO Tool?
     
    > Could they be predefined in Domain GPO that configures Local?
     
    No.
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by pob579 Friday, July 17, 2015 1:02 AM
    Thursday, July 16, 2015 1:06 PM
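
To see what a reference image actually carries in the local GPO folder named in the answer above, the following added example (not part of the original thread) lists the registry-based settings stored in its `Registry.pol` files. `Read-PolFile` is a hypothetical helper name; the script assumes the standard `Machine` and `User` subfolders and the PReg file layout.

```powershell
# Added example, not from the thread. Run from a 64-bit PowerShell so that
# System32 is not redirected to SysWOW64. Works on PowerShell 2.0 (Windows 7).
# PReg layout: "PReg" + DWORD version, then records of the form
# [key;value;type;size;data] with UTF-16LE strings and delimiters.
function Read-PolFile {                            # hypothetical helper name
    param([Parameter(Mandatory=$true)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "$Path does not start with the PReg signature"
    }
    $i = 8                                         # skip signature + version
    while ($i -lt $b.Length) {
        $i += 2                                    # '['
        $names = @()
        foreach ($n in 1..2) {                     # key path, then value name
            $start = $i
            while ([BitConverter]::ToUInt16($b, $i) -ne 0) { $i += 2 }
            $names += [Text.Encoding]::Unicode.GetString($b, $start, $i - $start)
            $i += 4                                # NUL terminator + ';'
        }
        $type = [BitConverter]::ToInt32($b, $i); $i += 6   # DWORD + ';'
        $size = [BitConverter]::ToInt32($b, $i); $i += 6   # DWORD + ';'
        if ($type -eq 4 -and $size -ge 4) {                # REG_DWORD
            $data = [BitConverter]::ToUInt32($b, $i)
        } elseif ($type -eq 1 -or $type -eq 2) {           # REG_SZ / REG_EXPAND_SZ
            $data = [Text.Encoding]::Unicode.GetString($b, $i, $size).TrimEnd([char]0)
        } else {                                           # anything else: hex dump
            $data = [BitConverter]::ToString($b, $i, $size)
        }
        $i += $size + 2                            # data + ']'
        New-Object psobject -Property @{ Key = $names[0]; Value = $names[1]; Type = $type; Data = $data }
    }
}

$root = Join-Path $env:SystemRoot 'System32\GroupPolicy'
foreach ($scope in 'Machine', 'User') {
    $pol = Join-Path $root "$scope\Registry.pol"
    if (Test-Path -LiteralPath $pol) {
        "{0}: modified {1}" -f $pol, (Get-Item -LiteralPath $pol -Force).LastWriteTime
        Read-PolFile -Path $pol | Format-Table Key, Value, Type, Data -AutoSize
    } else {
        "${scope}: no Registry.pol found under $root"
    }
}
```

`Registry.pol` holds only registry-based (Administrative Templates) settings, so an empty result here means the local GPO folder sets none of those on the image; comparing the file timestamps with the capture date shows whether they were written before or after deployment.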

All replies

  • I got a response from one of the GPO forums on the web that mentions SYSPREP:

    "Did you Sysprep the image BEFORE deploying?  I have something in the back of my mind that Sysprep reverts GPOs back to OOB Experience.  Just can't remember for certain about it though. "

    I am sure I didn't configure tens of Local GPOs on the source machine before capturing :).

    These GPOs do not appear on machines deployed from MDT2012.

    Could it be SYSPREP of MDT2013 that does the nasty job?

    > did you play around with security compliance manager and its Local GPO Tool?

    No. I captured a clean, fully patched VM.


    Thursday, July 16, 2015 2:28 PM
  • Martin,

    Thanks for the answers... you clarified my suspicion points.

    So, coming closer to the idea that it could be MDT-related stuff, I posted the issue on the MDT forum and got some answers.

    If you are interested you can take a look here:

    https://social.technet.microsoft.com/Forums/en-US/d6a511a0-8df5-4e01-8e24-28cf000f1ec2/local-gpos-configured-in-deployedcaptured-image-mdt2013?forum=mdt

    Thanks.


    Friday, July 17, 2015 1:01 AM