On Thu, 22 Nov 2007, Ansgar -59cobalt- Wiechers wrote:
Like I said before: they log into the local machine instead of
logging into the domain. Voil, no domain policies applied.
This is absolutely not true and displays a fundamental
misunderstanding of group policy application. As long as the
workstation in question is in a site/domain/OU with computer targetted
GPO settings linked to it, these GPOs will apply to the machine
regardless of how a user logs in.
For example, I've created a Windows Firewall GPO that propagates
restrictive Windows firewall settings to clients. This is a computer
targetted GPO that is applied to security groups composed of
workstation accounts. When a user (including local administrator) logs
in locally to one of the workstations specified in the GPO's
filtering, the policy is applied and local administrator is unable to
modify any Windows firewall settings (their only recourse would be to
remove the workstation from the domain).
Please try this- log in as local administrator to a workstation as
specified above, and run gpresult or rsop and view the results.