Does domain Group Policy affect the machine and user if the user logs on locally?


I have read that if a user logs on locally (with a local user account), the domain GPO will not be processed. Is that true?


There are 2 answers

0
Hauke On

A GPO has a part for the computer and a part for the user that matches the scope in the security filtering of the GPO and is linked to the relevant OU. So if the computer is actually connected to the domain, it will apply all matching GPOs no matter what user is logged in, even for local users.

Hence, if the computer is part of the domain and the user is not (e.g. local user), the computer policies still will be applied and the user policies will not.

So if you want to not apply both policies, you need to use a local user AND remove the computer from the domain (e.g. via a local admin) and, for example, put it in a local workgroup instead.

The meaning of computer policies is just that: centrally administered settings for a specific machine that cannot be influenced by any user.

0
sip_admin On

I know this is like 6 years old, but for anyone else that ends up here: in my experience this is only true if loopback processing is enabled (Computer > Policies > System > Group Policy > Configure user Group Policy loopback processing mode > Enabled [Merge]).

Per this post on Reddit: https://www.reddit.com/r/sysadmin/comments/2f9tpf/question_does_signing_in_as_a_local_admin_bypass/ck7jvzx?utm_source=share&utm_medium=web2x

Without loopback, my computer GPOs do not apply. With it, my computer GPO applies even when local users log in.
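To check on a given machine which of the behaviours described in the answers above actually occurs, the following PowerShell script (an added example, not from either answer) reports domain membership, whether the current logon is a local account, the loopback setting, and the GPOs applied to the computer and to the user. It assumes an elevated session on a Windows client and reads the loopback setting from the `UserPolicyMode` registry value (1 = Merge, 2 = Replace).

```powershell
# Added example: run from an elevated PowerShell prompt on the machine being checked.

# 1. Domain membership. Computer-side GPOs can only apply to a domain-joined machine.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'Domain joined  : {0} ({1})' -f $cs.PartOfDomain, $cs.Domain

# 2. Local or domain logon. A local account is reported as COMPUTERNAME\user.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$authority = $id.Name.Split('\')[0]
$isLocal   = $authority -ieq $env:COMPUTERNAME
'Current user   : {0} (local account: {1})' -f $id.Name, $isLocal

# 3. Loopback processing mode, as written by the
#    "Configure user Group Policy loopback processing mode" setting.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$prop = Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue
if     ($null -eq $prop)             { $loopback = 'Not configured' }
elseif ($prop.UserPolicyMode -eq 1)  { $loopback = 'Merge' }
elseif ($prop.UserPolicyMode -eq 2)  { $loopback = 'Replace' }
else                                 { $loopback = "Unknown value $($prop.UserPolicyMode)" }
'Loopback mode  : {0}' -f $loopback

# 4. GPOs applied to the computer, independent of who is logged on.
'--- Computer scope ---'
gpresult /r /scope computer

# 5. GPOs applied to the current user. For a local account this section
#    shows whether any domain user policy was processed at all.
'--- User scope ---'
gpresult /r /scope user
```

Run it once logged on as a domain user and once as a local user on the same machine, then compare the "Applied Group Policy Objects" lists in the two scopes.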