Posted on - 08/07/2011
If I configure the Group Policy of the local computer and also configure the Group Policy of Active Directory, will these conflict when users log in to their accounts?
I notice that even if the Active Directory Group Policy has been configured, you can still configure the Group Policy of the local computer and it still has an effect on the computer. So does this mean that Active Directory Group Policy can be bypassed by the Windows operating system?
I am concerned with the security of my workstation.
Local GPO of computer versus GPO of Active Directory
You can apply local policies and AD Group Policies to the same computer. That is okay, but whenever there is a conflict, Active Directory Group Policies (AD GPOs) override local policies. Put simply, Active Directory Group Policies win because of the order in which GPOs apply to a computer.
GPOs apply in the order below:
Local Computer policies
Site Based Policies
Domain Based Group Policies
OU (Organizational Unit) Group Policies
As shown above, local policies apply first. Secondly, site-based policies apply, and if there is any conflict, site-based policies override local policies. Thirdly, Active Directory domain-based policies override both local and site-based policies if there is any conflict. Lastly, OU GPOs override all three of the above types of policies if there is any conflict.
If you have child Organizational Units inside OUs, the child OUs will override the OU policies.
A simple way to remember the above order is this; you can also call it the rule of thumb of GPOs.
L – Local, S – Site, D – Domain, OU – Organizational Unit
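The processing order described in the answer above, as an added example that is not part of the original thread: a simplified Python model in which a later layer wins only for the settings it actually defines, which is why a local setting with no conflicting AD setting stays in effect. The setting names and values are constructed, and the model covers only the order given in the answer, not how Windows implements it.

```python
# Added example: simplified model of the L-S-D-OU order from the answer.
# Setting names and values are constructed for illustration only.

PROCESSING_ORDER = ["Local", "Site", "Domain", "OU", "Child OU"]


def resolve(policies):
    """Apply layers in order; a later layer wins when settings conflict.

    policies: dict of layer name -> {setting: value}
    Returns {setting: (value, winning_layer, [(overridden_layer, value), ...])}.
    Layers not named in PROCESSING_ORDER are ignored.
    """
    effective = {}
    for layer in PROCESSING_ORDER:
        for setting, value in policies.get(layer, {}).items():
            history = []
            if setting in effective:
                prev_value, prev_layer, prev_history = effective[setting]
                history = prev_history + [(prev_layer, prev_value)]
            effective[setting] = (value, layer, history)
    return effective


def local_settings_still_in_effect(policies):
    """Settings whose effective value still comes from the local policy."""
    result = resolve(policies)
    return sorted(s for s, (_, layer, _) in result.items() if layer == "Local")


# Constructed sample: the local policy defines three settings, AD layers two.
SAMPLE = {
    "Local": {"ScreenSaverTimeout": 900, "MinPasswordLength": 6,
              "HideControlPanel": False},
    "Site": {"ScreenSaverTimeout": 600},
    "Domain": {"MinPasswordLength": 12},
    "OU": {"ScreenSaverTimeout": 300},
    "Child OU": {"MinPasswordLength": 14},
}

if __name__ == "__main__":
    for name, (value, layer, history) in sorted(resolve(SAMPLE).items()):
        print(f"{name} = {value} (from {layer}; overridden: {history})")
    print("Local settings still in effect:",
          local_settings_still_in_effect(SAMPLE))
```
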