Preventing Group Policy Workarounds

by Mitch Tulloch [Published on 22 June 2005 / Last Updated on 22 June 2005]

A smart user who has local Administrator or Power Users privileges on their desktop computer may be able to circumvent Group Policy. For example, they could write a registry script and use it to remove or overwrite registry-based (Administrative Template) policy settings applied by domain GPOs on their machines.

To prevent this, start by ensuring that users do not have local Administrator or Power Users privileges and are simple Domain Users instead. Unfortunately, certain applications may require users to have such elevated privileges. In that case you can try increasing the background refresh rate of Group Policy, but be aware that this will slightly increase background traffic on your network (though this is usually not significant except over a WAN) and will also increase the load on your domain controllers, so test this carefully. You can do this using the Group Policy Refresh Interval For Computers policy under Computer Configuration\Administrative Templates\System\Group Policy. Once you do this, however, you should also configure the Registry Policy Processing policy under the same location to ensure that registry-based policy settings are processed on the client during background refresh even if Group Policy settings haven't changed.
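To confirm on a client that both settings actually arrived, the following PowerShell check reads the registry values they write. It is an added example, not part of the original article; the function names are hypothetical, and it assumes the standard value names used by these two Administrative Template settings.

```powershell
# Added example: audit the two policies discussed above on a client machine.
# Assumption: the policies write to the standard Administrative Template
# locations below (read-only check, no elevation needed).

$SystemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
# GUID of the client-side extension that processes registry-based policy
$RegistryCse = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-GroupPolicyReapply {
    $interval = Get-PolicyValue $SystemKey   'GroupPolicyRefreshTime'
    $offset   = Get-PolicyValue $SystemKey   'GroupPolicyRefreshTimeOffset'
    $noBg     = Get-PolicyValue $RegistryCse 'NoBackgroundPolicy'
    $noChange = Get-PolicyValue $RegistryCse 'NoGPOListChanges'

    $result = [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        RefreshIntervalMinutes = $interval   # $null = refresh interval policy not set
        RandomOffsetMinutes    = $offset
        # Background processing stays on unless the policy explicitly disables it
        BackgroundProcessing   = ($noBg -ne 1)
        # Only an explicit 0 means "process even if the GPOs have not changed"
        ReapplyWhenUnchanged   = ($noChange -eq 0)
    }

    if ($null -eq $interval) {
        Write-Warning 'Group Policy Refresh Interval For Computers is not configured.'
    }
    if (-not $result.BackgroundProcessing) {
        Write-Warning 'Registry policy is not applied during background refresh.'
    }
    if (-not $result.ReapplyWhenUnchanged) {
        Write-Warning 'Registry policy is not reapplied when GPOs are unchanged; overwritten settings persist until the GPO changes.'
    }
    $result
}

Test-GroupPolicyReapply | Format-List
```

A machine that reports `ReapplyWhenUnchanged : False` will leave removed or overwritten policy values in place at each background refresh, regardless of how short the interval is.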
