Sunday, February 1, 2009

[THIN] Re: GPO Debate

The settings will be applied to the machine as the netlogon service starts and the machine connects to the domain. Those policies are still applied to the machine, and override the local policies.

Take a look at a setting on a machine and then set a domain policy; you will see the icon change, so that you know a domain policy has affected it.

Unplug the cable and refresh. Reboot even, see if the icon changes. I don't have my test environment in front of me, but I am pretty sure to say that it doesn't get taken away until the machine leaves the domain, or it checks with a domain controller and has its setting replaced or taken away.

Berny

2009/2/1 Greg Reese <gareese@gmail.com>
I admit that as I have been in this career for over 15 years, there may be some things that I still don't understand, or worse, some things that I don't understand as well as I think I do. But keeping an open mind and being willing to learn something from everyone I meet has served me pretty well.

Currently, I am having a debate over GPO use with a colleague (for those of you in government work, think "IA asshole").

Anyway, the debate is that setting a GPO at the domain or OU level does not properly protect a server because as soon as the server is unplugged from the network, the settings disappear, leaving the server in an unprotected state. So this person wants us to make all adjustments by hand with local policies. As much as my gut tells me this is wrong, I really don't have anything to back it up with.

I say the settings will stay applied in the absence of the rest of the domain structure or servers being present. But the more I think about it, I really don't know how it really works. I am going to set up a test next week but figured it was worth throwing out to all of you.

Thanks!

Greg
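The test Berny describes (look, unplug, refresh, reboot, look again) can be made repeatable instead of eyeballing one icon. The PowerShell script below is an added example written for this thread, not something either poster sent: it snapshots every value under the registry keys that Administrative Template policies write to (HKLM\SOFTWARE\Policies and HKLM\...\CurrentVersion\Policies), saves the snapshot, and later compares a second snapshot against it. The snapshot file path is an assumption, and the value names read from the Group Policy history key (DisplayName, GPOName, Link) are the ones seen on typical clients rather than anything stated in the thread.

```powershell
# Added example (not from the list thread): snapshot policy-backed registry
# values on a domain member, then compare after the cable is pulled and
# "gpupdate /force" (or a reboot) has run. If domain settings were being
# "taken away" offline, they would show up in the Missing list.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    # Assumed location for the saved snapshot; change as needed.
    [string]$SnapshotFile = "$env:TEMP\gpo-policy-snapshot.json"
)

# Registry roots that Administrative Template (registry.pol) settings land in.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicySnapshot {
    # Returns a hashtable of "<key>::<valuename>" -> value (as string).
    $snap = @{}
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $snap["$($key.Name)::$name"] = [string]$key.GetValue($name)
            }
        }
    }
    return $snap
}

function Compare-PolicySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $missing = @($Before.Keys | Where-Object { -not $After.ContainsKey($_) })
    $changed = @($Before.Keys | Where-Object { $After.ContainsKey($_) -and $After[$_] -ne $Before[$_] })
    $added   = @($After.Keys  | Where-Object { -not $Before.ContainsKey($_) })
    [pscustomobject]@{ Missing = $missing; Changed = $changed; Added = $added }
}

function Get-AppliedGpoHistory {
    # The client keeps a record of the GPOs it last applied per extension.
    # Value names below are an assumption based on common client observations.
    $hist = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    if (-not (Test-Path $hist)) { return @() }
    Get-ChildItem -Path $hist -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.GPOName } |
        Select-Object -Unique DisplayName, GPOName, Link
}

switch ($Mode) {
    'Snapshot' {
        $snap = Get-PolicySnapshot
        $snap | ConvertTo-Json -Depth 2 | Set-Content -Path $SnapshotFile
        "Saved $($snap.Count) policy values to $SnapshotFile"
        "GPOs recorded in client history:"
        Get-AppliedGpoHistory | Format-Table -AutoSize
    }
    'Compare' {
        $raw = Get-Content -Raw -Path $SnapshotFile | ConvertFrom-Json
        $before = @{}
        foreach ($p in $raw.PSObject.Properties) { $before[$p.Name] = [string]$p.Value }
        $diff = Compare-PolicySnapshot -Before $before -After (Get-PolicySnapshot)
        "Missing: $($diff.Missing.Count)  Changed: $($diff.Changed.Count)  Added: $($diff.Added.Count)"
        if ($diff.Missing.Count -gt 0) { "Values no longer present:"; $diff.Missing }
        "GPOs still recorded in client history:"
        Get-AppliedGpoHistory | Format-Table -AutoSize
    }
}
```

Run it as `.\gpo-check.ps1 -Mode Snapshot` while the server can reach a domain controller, then disconnect the network, run `gpupdate /force`, reboot if you like, and run `.\gpo-check.ps1 -Mode Compare`. With no DC reachable the policy refresh cannot download anything, so it leaves the previously written registry state in place; the expected result is an empty Missing list and the same GPO names in the history key. Note that local-policy settings are written to the same registry roots, so the snapshot alone does not tell you which values came from the domain; `gpresult /r /scope computer` is the tool for attributing a setting to a specific GPO.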
