Block AD Group Policy

  • Thread starter: Wayne

Wayne

I wonder if there is a way to block the AD group policy on
the client so that the client registry settings won't be
constantly modified.

Thank you for your help!
 
Wayne-

I'm not sure I understand what you're trying to do. You would need to filter
the client on the GP's security policy (deny apply rights) to prevent it from
applying GP settings.

--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com
 
One solution is to associate an 'Admin' policy, that opens up any restrictions that normal 'user' policies enforce, to the user account you use or the Machine in question?

Another more crude solution is to create a local user group, modify the permissions to '%SystemRoot%\System32\GroupPolicy\' directory to 'Deny' access for this user group. Add any user accounts to this group that you don't want policies to apply to.

PS. There is probably a much better solution but hey it's a start...
 
Wayne said:
I wonder if there is a way to block the AD group policy on
the client so that the client registry settings won't be
constantly modified.

With Group Policy, all changes to the client registry are transitive,
in memory only. When the user logs off and/or shuts down, the client
registry reverts back to its original form.

You can configure an OU to Block Policy Inheritance by using the
check box on the container's Group Policy properties tab. This will
block Group Policy settings from GPOs linked to the OU's parents.

You also could set up User Group Policy Loopback Processing Mode
which can be set up to replace the user settings usually given
to the user with the user settings defined in the computer's GPOs.

--
Matt Hickman
The simple life is all right for a few days vacation. But
day in and day out it's just so much back breaking drudgery.
Romantic? Hell, man, there's no time to be romantic about
it, and damned little incentive.
- Robert A. Heinlein (1907-1988)
_Beyond this Horizon_ (c. 1942)
 
>> I wonder if there is a way to block the AD group policy on

> With Group Policy, all changes to the client registry are transitive,
> in memory only.

This is not the case. Different extensions apply/remove their settings
however they see fit - registry or otherwise. The ADM Templates extension
sets registry settings in the registry - nothing unique about the settings.

> When the user logs off and/or shuts down, the client
> registry reverts back to its original form.

It may appear this way, but no Group Policy is processed at logoff or
shutdown. It's during a policy refresh that changes are made by various
extensions, including ADM Templates removal of its previously set policies.

> You can configure an OU to Block Policy Inheritance by using the
> check box on the container's Group Policy properties tab. This will
> block Group Policy settings from GPOs linked to the OU's parents.

Yes, but Local GPO cannot be set up to block network policy.

> You also could set up User Group Policy Loopback Processing Mode
> which can be set up to replace the user settings usually given
> to the user with the user settings defined in the computer's GPOs.

I'm not sure this would achieve the desired results.

To selectively stop Group Policy client-side processing, deregister the
appropriate client side extension (CSE) in the following location (you might
want to back it up first ;-):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Regards,

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy
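
Since a missing registration under the GPExtensions key named in the reply above stops that extension from applying policy, the key is worth backing up and auditing. The PowerShell below is an added example, not code from the thread: it exports the key and reports client-side extensions that were removed or changed relative to a saved baseline. The output directory and file names are assumptions.

```powershell
# Added example (not from the thread): back up and audit registered Group Policy CSEs.
# Run from an elevated prompt. The paths under $OutDir are assumptions.
$RegPath  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$OutDir   = Join-Path $env:ProgramData 'GpCseAudit'   # hypothetical location
$Baseline = Join-Path $OutDir 'baseline.json'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Back up the whole key before anyone edits it, as the reply advises.
$backup = Join-Path $OutDir ("GPExtensions-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export "HKLM\$RegPath" $backup /y | Out-Null

# 2. Enumerate the registered extensions: one GUID-named subkey per CSE.
function Get-RegisteredCse {
    Get-ChildItem -Path "HKLM:\$RegPath" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid    = $_.PSChildName
            Name    = [string]$p.'(default)'
            DllName = [string]$p.DllName
        }
    }
}
$current = @(Get-RegisteredCse)

# 3. The first run records the known-good state; later runs report drift from it.
if (-not (Test-Path $Baseline)) {
    ConvertTo-Json -InputObject $current | Set-Content -Path $Baseline -Encoding UTF8
    Write-Output "Baseline with $($current.Count) CSEs saved to $Baseline"
} else {
    $saved = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
    $drift = Compare-Object -ReferenceObject @($saved) -DifferenceObject $current -Property Guid, DllName
    if (-not $drift) { Write-Output 'No change: every baseline CSE is still registered.' }
    foreach ($d in $drift) {
        if ($d.SideIndicator -eq '<=') {
            $what = 'in baseline only (removed, or DLL changed)'
        } else {
            $what = 'on this machine only (added, or DLL changed)'
        }
        Write-Warning ("{0} {1}: {2}" -f $d.Guid, $d.DllName, $what)
    }
}
```

A GUID reported as "in baseline only" with no matching "on this machine only" line means that extension is no longer registered, so its policy settings will not be processed at the next refresh.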
 