Will group policy configurations applied locally through `gpedit` override domain GPOs until next GPO refresh interval?

Will group policy configurations applied locally through gpedit override domain GPOs until next GPO refresh interval?

I know that Domain GPOs takes precedence over locally defined GPOs (gpedit), since both of these are applied, when the user logs in.

However, will local policy changes through gpedit override domain GPOs until they are refreshed next time?

The refresh rate is controlled through the group policy:

Computer Configuration > Administrative Templates > System > Group Policy: Turn off background refresh of Group Policy

Furthermore, is it possible to permanently disable the automatic refreshing of GPOs? I can only find a setting that disables it until the user logs off.

Answer

The short answer is “No”. The reason for this is due to how the Group Policy order of precedence works. Local policy has the lowest precedence and therefore will be overridden by any settings configured in domain policies applied later.

With that said, anyone with local admin rights can override individual Group Policy settings via the registry. The setting will get put back each time policy processing occurs, but the damage is already done. This is why you must limit who you give local administrator privileges to and audit changes to critical areas of the registry. It’s even possible for non-admin users to override user policy settings.

While it may be possible to disable domain GPO processing, I would not recommend or discuss it here. This puts the domain computer into an unhealthy state and would be extremely irresponsible. Any issues with domain policy should be handled at the domain level.

Attribution
Source : Link , Question Author : Shuzheng , Answer Author : twconnell

Leave a Comment