TransWikia.com

Is it possible to enforce local GPO over the domain?

Server Fault Asked by appsecguy on December 30, 2021

I want to enforce local GPO settings on specific servers so that the domain GPO does not overwrite them. These systems were hardened specifically, but due to way too many issues to list, we cannot change the OU they are in, and cannot change the domain GPO at this time.

Is there any way to ensure that the changes made to the local GPO are not overwritten?

2 Answers

  1. Create new group in AD
  2. Add those servers to newly created group
  3. In security tab of domain GPO set read permissions to "deny" for newly created group

Answered by strange walker on December 30, 2021

Yes, you can set the policies in a Domain GPO and make it enforced. Then use GPO masking - add all the servers in question to a group & only allow that group read access to the new GPO.

This assumes they are all Computer settings; if you need User settings to get applied, you may want to look at using a loopback.

Answered by TheFiddlerWins on December 30, 2021
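One way to script the approach from the second answer, as an added example that is not part of the original answers. The group name, GPO name, OU paths and server names are placeholder assumptions, and the filtering is done here by granting the group Apply and reducing Authenticated Users to Read:

```powershell
# Added example. All names below are assumed placeholders, not values from the thread.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'Hardened-Servers'              # assumed group name
$GpoName   = 'Hardened-Servers-Baseline'     # assumed GPO name
$GroupOU   = 'OU=Groups,DC=example,DC=com'   # assumed location for the group
$TargetOU  = 'OU=Servers,DC=example,DC=com'  # OU the servers already sit in
$Servers   = 'SRV01', 'SRV02'                # assumed computer names

# 1. Security group that holds only the hardened servers.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
$members = $Servers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $members

# 2. New GPO that will carry the hardened Computer settings
#    (the settings themselves are configured in the GPO editor afterwards).
New-GPO -Name $GpoName -Comment 'Hardened baseline, filtered to one group' | Out-Null

# 3. Security filtering: the group may apply the GPO; Authenticated Users
#    are lowered from the default Apply to Read, so no other computer applies it.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link the GPO to the existing OU and mark the link Enforced so that
#    its settings win over conflicting settings in the other domain GPOs.
New-GPLink -Name $GpoName -Target $TargetOU -Enforced Yes -LinkEnabled Yes | Out-Null

# 5. Review the resulting delegation before relying on it.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The servers pick up the new group membership after a restart; running `gpresult /r /scope computer` on one of them then shows whether the filtered GPO is applied.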
