Preventing Group Policy Workarounds

by Mitch Tulloch [Published on 22 June 2005 / Last Updated on 22 June 2005]

A smart user who has local Administrator or Power Users privileges on their desktop computer may be able to circumvent Group Policy. For example, they could write a registry script and use it to remove or overwrite registry-based (Administrative Template) policy settings applied by domain GPOs on their machines.

To prevent this, start by ensuring that users do not have local Administrator or Power Users privileges and are simple Domain Users instead. Unfortunately, users may require such elevated privileges for certain applications. In that case you can try increasing the background refresh rate of Group Policy, but be aware that this will increase background traffic on your network a bit (though this is usually not significant except over a WAN) and will also increase the load on your domain controllers, so test this carefully.

You can do this using the Group Policy Refresh Interval For Computers policy under Computer Configuration\Administrative Templates\System\Group Policy. Once you do this, however, you should also configure the Registry Policy Processing policy under the same location to ensure that registry-based policy settings are processed on the client during background refresh even if Group Policy settings haven't changed.
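To confirm on a client that both settings actually took effect, the following PowerShell check reads them back from the registry. It is an added example, not part of the original article; the function name `Get-GpRefreshAudit` is hypothetical, and the registry locations are where Windows stores these two Administrative Template settings rather than values given in the article.

```powershell
# Added example: audit a client for the two policies discussed above.
function Get-GpRefreshAudit {
    [CmdletBinding()]
    param()

    # "Group Policy Refresh Interval For Computers" is stored here (minutes).
    $sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    # "Registry Policy Processing" is stored under the GUID of the
    # registry client-side extension.
    $cseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\' +
              '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

    # Return the value, or $null when the key or value does not exist.
    function Read-PolicyValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    $interval   = Read-PolicyValue $sysKey 'GroupPolicyRefreshTime'
    $offset     = Read-PolicyValue $sysKey 'GroupPolicyRefreshTimeOffset'
    $noBackgrnd = Read-PolicyValue $cseKey 'NoBackgroundPolicy'
    $noChanges  = Read-PolicyValue $cseKey 'NoGPOListChanges'

    # When the refresh policy is not configured, a member computer refreshes
    # every 90 minutes plus a random offset of up to 30 minutes.
    $effInterval = if ($null -ne $interval) { $interval } else { 90 }
    $effOffset   = if ($null -ne $offset)   { $offset }   else { 30 }

    # Registry settings are rewritten on every background refresh only when
    # "process even if the GPOs have not changed" is enabled (value 0) and
    # background processing of the extension has not been turned off (value 1).
    $reapplies = ($noChanges -eq 0) -and ($noBackgrnd -ne 1)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        RefreshIntervalConfigured = ($null -ne $interval)
        RefreshIntervalMinutes    = $effInterval
        RandomOffsetMinutes       = $effOffset
        ReappliesUnchangedPolicy  = $reapplies
        # Longest time a locally overwritten setting can survive.
        WorstCaseMinutes          = if ($reapplies) { $effInterval + $effOffset } else { $null }
    }
}

Get-GpRefreshAudit | Format-List
```

A result with `ReappliesUnchangedPolicy` set to `False` means a registry-based setting that a local administrator overwrites stays overwritten until a GPO changes, however short the refresh interval is.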

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com.