GPO vs Local Policy


  • GPO vs Local Policy

    I have a Windows XP machine on which the local user (who is a local admin) set the desktop wallpaper via gpedit.msc. The setting was gpedit.msc then User Config/Administrative Templates/Desktop/Active Directory/Active Desktop Wallpaper Enabled and set to a standard Windows picture (Tulips.jpg) so no big deal.

    HOWEVER, when I log in as a local admin I have a domain level GPO that sets the background/wallpaper on my login to BGInfo so that I can see certain information about the computer, etc.

    When I log in on this machine (and I have duplicated this on other machines) the local policy OVERRIDES the domain policy, even if the domain policy is set to Enforced (No Override).

    Can anyone give me an idea as to why this is? This really bothers me since it looks as if the local policy is given precedence over the domain group policy, even though I was taught and everything that I have read says otherwise. Anyone? I am a little mind boggled at this.

    Thanks!
    Two things:
    1) If I wrote something wrong please please please let me know. I want to know ESPECIALLY if I am wrong.
    2) I have a tendency to write things that are misconstrued as being aggressive or not so pleasant. That is not my intent.

  • #2
    Re: GPO vs Local Policy

    Strange one. What does `gpresult /v > gpo.txt` show you, or RSoP in logging mode using GPMC?



    • #3
      Re: GPO vs Local Policy

      Try researching the option of 'loopback processing' in GPOs. Basically what happens is: normally, a policy that's applied first (local) will have its settings overwritten by a higher policy from the domain tree (site, then domain, then the levels of OU down to the object's location). With loopback processing, after all that processing is done, a local policy can be re-enforced, either replacing any/all previous settings or merging with the previous settings.

      So if a local policy has loopback in place and that local policy sets the desktop, once it's overwritten by the normal enforcement, as a final step the loopback takes over and reapplies the specified local setting to reset the desktop per local.

      We use loopback to govern keyboard/screen saver timeouts in our system: default domain policy is a short-time lockout, but loopback settings in classrooms are longer-period lockouts to allow teachers to walk around the room during sessions. Such policy has to be set on a per-machine basis in cases like this, but it sounds like your scenario.
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **



      • #4
        Re: GPO vs Local Policy

        Virtual,
        I am posting the txt file for the gpresult /V.

        The following settings are applied to the local policy of the computer. The system adm was loaded on the local policy and the following local policy is set: User Config/Administrative Templates/Desktop/Active Desktop/Active Desktop Wallpaper is enabled and set to Tulips.jpg (Windows standard image).

        On the domain, set at the domain root level AND on the container that has the user account we have a domain admin account which has the following ENFORCED (relevant) policy set: User Configuration/Policies/Windows Settings/Scripts/Logon/bginfo.bat

        The bginfo.bat script runs when the computer is logged in. BGinfo initially displays correct information and then the background changes to Tulips.jpg.

        ALSO, there is the following ENFORCED and looped-back domain group policy in place on the container that houses the computer accounts: User Configuration/Policies/Administrative Templates/Desktop/Desktop/Desktop Wallpaper/Enabled and set to a .jpg on a network share which is just a black square for a black background AND User Configuration/Policies/Administrative Templates/Desktop/Desktop/Prohibit Changes/Enabled.

        When a normal user logs into this machine the screen turns black for 5-10 seconds and then the now dreaded Tulips appear.
        When the domain admin account listed above logs in, the screen goes to the BGInfo for 5-10 seconds and then the now dreaded Tulips appear.

        I am completely confused as to how this works and have duplicated it on multiple client machines.

        The gpo.txt file is for the domain admin account which runs BGInfo.

        One thing I would like to know. Is this duplicatable outside our domain? i.e. Can someone set this up and duplicate it? This may be indicative of a problem on our domain, or possibly it is just a fluke of Windows (however we all know that doesn't happen *nudge nudge wink wink*). I am able to duplicate this at a 100% rate on our domain.

        Thanks for the help guys!
        Last edited by Draenok; 5th April 2012, 15:34.
        Two things:
        1) If I wrote something wrong please please please let me know. I want to know ESPECIALLY if I am wrong.
        2) I have a tendency to write things that are misconstrued as being aggressive or not so pleasant. That is not my intent.
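
Added example, not part of any post in this thread: a simplified Python model of the documented precedence for user settings (local policy first, then Site/Domain/OU, Enforced links on top, loopback merge or replace), run against stand-ins for the three policies described in post #4. The GPO names, the setting keys and the share path are constructed placeholders; block inheritance, security/WMI filtering and client-side extension behaviour are not modelled.

```python
# Added illustration (not from the thread): simplified model of documented
# Group Policy precedence for user settings. Ignores block inheritance,
# security/WMI filtering and client-side extensions.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)
    enforced: bool = False  # the "Enforced (No Override)" link option

def apply_order(gpos):
    """gpos: GPOs linked Site -> Domain -> OU. Returns the order they are
    written; the last writer wins. Enforced GPOs go last, and among them the
    one linked highest (earliest in the input) is written last of all."""
    normal = [g for g in gpos if not g.enforced]
    enforced = [g for g in gpos if g.enforced]
    return normal + enforced[::-1]

def user_policy(local, user_side, computer_side, loopback=None):
    """loopback is None, "merge" or "replace". Returns {setting: (value, source GPO)}."""
    if loopback == "replace":      # only GPOs scoped to the computer
        chain = apply_order(computer_side)
    elif loopback == "merge":      # user's GPOs, then the computer's on top
        chain = apply_order(user_side) + apply_order(computer_side)
    else:
        chain = apply_order(user_side)
    result = {}
    for gpo in [local] + chain:    # the local policy is always written first
        for key, value in gpo.user_settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed stand-ins for the three policies described in post #4.
LOCAL = GPO("Local policy", {"Wallpaper": "Tulips.jpg"})
USER_SIDE = [GPO("Admin logon GPO", {"LogonScript": "bginfo.bat"}, enforced=True)]
COMPUTER_SIDE = [GPO("Workstation desktop GPO",
                     {"Wallpaper": r"\\server\share\black.jpg",  # placeholder path
                      "ProhibitChanges": True}, enforced=True)]

def thread_scenario(loopback):
    return user_policy(LOCAL, USER_SIDE, COMPUTER_SIDE, loopback)

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, thread_scenario(mode))
```

In this model the looped-back wallpaper setting replaces the local Tulips.jpg in both loopback modes. The logon script is not a Wallpaper policy value, so in the model it never competes with the local setting on its own.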
