From: Stefan Kanthak [mailto:stefan.kanthak () nexgo de]
Sent: Friday, 10 December, 2010 17:12
"George Carlson" <gcarlson () vccs edu> wrote:
Your objections are mostly true in a normal sense.
However, it is not true when Group Policy is taken into account.
Group Policies need an AD. Cached credentials are only used locally,
for domain accounts, when the computer can't connect to the AD.
Group Policies differentiate between local and Domain administrators
Local administrators don't authenticate against an AD, they
authenticate against the local SAM. No GPOs there!
And: a local administrator can override ANY policy, even exempt the
computer completely from processing Group Policies.