[THIN] Re: GPO Debate

  • From: Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sun, 1 Feb 2009 21:11:33 +0000

The settings will be applied to the machine as the netlogon service starts
and the machine connects to the domain. Those policies are still applied to
the machine, and override the local policies.

Take a look at a setting on a machine and then set a domain policy; you will
see the icon change, so that you know a domain policy has affected it.

Unplug the cable and refresh. Reboot even, see if the icon changes. I don't
have my test environment in front of me, but I am pretty sure to say that it
doesn't get taken away until the machine leaves the domain, or it checks
with a domain controller and has its setting replaced or taken away.

Berny

2009/2/1 Greg Reese <gareese@xxxxxxxxx>

> I admit that as I have been in this career for over 15 years, there may be
> some things that I still don't understand, or worse, some things that I
> don't understand as well as I think I do.  But keeping an open mind and
> being willing to learn something from everyone I meet has served me pretty
> well.
>
> Currently, I am having a debate over GPO use with a colleague (for those
> of you in government work, think "IA asshole").
>
> Anyway, the debate is that setting a GPO at the domain or OU level does not
> properly protect a server because as soon as the server is unplugged
> from the network, the settings disappear leaving the server in an
> unprotected state.  So this person wants us to make all adjustments by hand
> with local policies.  As much as my gut tells me this is wrong, I really
> don't have anything to back it up with.
>
> I say the settings will stay applied in the absence of the rest of the
> domain structure or servers being present.  But the more I think about it, I
> really don't know how it really works.  I am going to set up a test next week
> but figured it was worth throwing out to all of you.
>
> Thanks!
>
> Greg
>
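
The unplug-and-compare test discussed in this thread can be made repeatable by snapshotting the machine's policy registry branches while connected and diffing them after the cable is pulled and the server rebooted. The PowerShell below is an added example, not part of the original posts; the function names and baseline file path are hypothetical, and it assumes only registry-based policy settings under the two standard HKLM policy branches are of interest.

```powershell
# Added example. Run once with -Save while domain-connected, then again
# (without -Save) after unplugging the network cable and rebooting.
param(
    [string]$Baseline = "$env:TEMP\policy-baseline.xml",  # hypothetical path
    [switch]$Save
)

# Assumption: registry-based machine policy is written under these branches.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicySnapshot {
    # Returns a hashtable: "<key path>\<value name>" -> value as a string.
    $snapshot = @{}
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) +
                @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # -join flattens multi-string and binary values for comparison
                $snapshot["$($key.Name)\$name"] = ($key.GetValue($name) -join ',')
            }
        }
    }
    return $snapshot
}

function Compare-PolicySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $change = if (-not $After.ContainsKey($n))      { 'Removed' }
                  elseif (-not $Before.ContainsKey($n)) { 'Added' }
                  elseif ($Before[$n] -ne $After[$n])   { 'Changed' }
        if ($change) {
            [pscustomobject]@{ Change = $change; Setting = $n
                               Before = $Before[$n]; After = $After[$n] }
        }
    }
}

if ($Save) {
    Get-PolicySnapshot | Export-Clixml -Path $Baseline
} else {
    Compare-PolicySnapshot -Before (Import-Clixml -Path $Baseline) -After (Get-PolicySnapshot)
}
```

No output from the second run means no registry-based policy value was added, removed or changed between the two snapshots. Security settings such as account policies and user rights are not stored in these branches; `secedit /export /cfg <file>` run before and after gives a comparable dump for those.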
