Local GPO settings on a domain computer

Hello!

As per https://technet.microsoft.com/en-us/library/cc785665%28v=ws.10%29.aspx

1) The order of policy application is: Local, Site, Domain, OU

2) "This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)"

It means if there're no settings in the site/domain/ou GPOs my local GPO settings must be the effective ones on a given computer. For example, I turn on Object Access in Local GPO while Default Domain Policy GPO has all Audit settings set to "Not defined":

...but the resulting policy is still "Not defined" (of course I do gpupdate /force). Why?

Thank you in advance,

Michael

July 6th, 2015 9:51am

Hi Michael,

Just to be sure:
- Are the computer settings enabled in the GPO?
- Is the computer in an OU to which the GPO is linked?
- Block Inheritance isn't enabled on the OU in which the computer resides?
- Are there one or more DCs? Because the GPO needs to be synched.


Regards,

Matthijs

July 6th, 2015 10:34am

Hi M.ter Horst,

1) Are the computer settings enabled in the GPO? - Yes

2) Is the computer in an OU to which the GPO is linked? - No, just Default Domain Policy applies.

3) Block Inheritance isn't enabled on the OU in which the computer resides? - No

4) Are there one or more DCs? Because the GPO needs to be synched. - I see this behaviour in two separate networks: the production network (Win2008R2, two DCs) and the test network (WinServer 2012R2, one DC).

The weirdest thing: on SOME computers, enabling, for example, Object Access auditing in Local GPO leads to auditing working as expected in spite of the Resulting Policy showing "Not defined", whilst on others auditing really does NOT work:

Regards,

Michael

July 6th, 2015 10:50am

Please try to run this command for both working and non-working computers and see if Object Access policy is applied successfully or not:
 
Auditpol /get /category:*
 

A.B

July 7th, 2015 11:32pm
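
The comparison suggested in the last reply, as an added example that is not part of the original thread: it parses the CSV report that auditpol prints with its /r switch and lists the Object Access subcategories whose setting differs between a working and a non-working computer. The function names, the host names PC-WORKING and PC-BROKEN, and the sample rows are constructed for illustration, and English-language auditpol output is assumed.

```powershell
# Added example, not from the thread. Assumes English-language auditpol output.
function ConvertFrom-AuditpolReport {
    param([string[]]$Lines)
    # "auditpol /get ... /r" prints a CSV report; drop blank lines before parsing.
    $Lines | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Where-Object { $_.Subcategory } |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $_.'Machine Name'
                Subcategory = $_.Subcategory
                Setting     = $_.'Inclusion Setting'
            }
        }
}

function Compare-AuditReport {
    param([object[]]$Working, [object[]]$Broken)
    # Index the non-working host by subcategory, then keep rows that differ.
    $other = @{}
    foreach ($row in $Broken) { $other[$row.Subcategory] = $row.Setting }
    foreach ($row in $Working) {
        if ($other[$row.Subcategory] -ne $row.Setting) {
            [pscustomobject]@{
                Subcategory = $row.Subcategory
                Working     = $row.Setting
                Broken      = $other[$row.Subcategory]
            }
        }
    }
}

# Constructed sample reports (host names and GUIDs are placeholders).
$header = 'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
$working = @(
    $header
    'PC-WORKING,System,File System,{00000000-0000-0000-0000-000000000001},Success and Failure,'
    'PC-WORKING,System,Registry,{00000000-0000-0000-0000-000000000002},Success and Failure,'
)
$broken = @(
    ''
    $header
    'PC-BROKEN,System,File System,{00000000-0000-0000-0000-000000000001},No Auditing,'
    'PC-BROKEN,System,Registry,{00000000-0000-0000-0000-000000000002},Success and Failure,'
)

# On a real host, from an elevated prompt, collect the lines with:
#   $lines = auditpol /get /category:"Object Access" /r
Compare-AuditReport (ConvertFrom-AuditpolReport $working) (ConvertFrom-AuditpolReport $broken)
```

With the constructed samples, the only row returned is File System, set to "Success and Failure" on the working host and "No Auditing" on the other.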
