Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows XP
    - Admin Tips
      - Security
        Group Policy and Laptops

Section(s): Security
Published on Jul 07, 2005.
Last Modified on Jul 07, 2005.
Last Modified by MitchTulloch.
Rated 2.1 out of 5 based on 7 votes.

Common misconception concerning laptops and Group Policy.

Something that is not always understood about Group Policy is this. Say a user has a laptop and uses it to connect remotely to the corporate LAN. Depending on how the remote connection is configured, Group Policy usually is processed to lock down and secure certain functionality on the machine.

Now the user logs off and disconnects from the corporate network and uses the machine as a standalone computer using their locally cached user profile. Are the Group Policy settings that were previously applied still in force? Yes, and they will continue to be enforced until the user connects to the network again and logs on and policy is refreshed.

Of course, if the laptop user has local Administrator privileges on thier machine, they can log on using the Administrator account and overwrite any registry-based settings that were configured by Group Policy. So the moral is, don't give users Administrator privileges without some absolutely compelling reason to do so!

About MitchTulloch

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is the book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch was also the author of Introducing Windows Server 2008 and technical project lead for the Microsoft Office Communications Server 2007 Resource Kit, both books also from Microsoft Press. For more information on these and other books by Mitch, see www.mtit.com .