Friday, September 26, 2014

How to Stop Windows Group Policy Refreshing

Now that you are able to override the domain Group Policy locally, you might have found that it occasionally gets reset, especially after a reboot. Windows can apparently detect when the policy cache is out of sync with the domain and will attempt to resync it, destroying local customizations.

Fortunately, this can be disabled. We can do so by revoking the system's privilege to modify those registry keys. Fire up RegEdit as admin and go to:

????\Software\Microsoft\Windows\CurrentVersion\Policies

The "????" should be HKEY_LOCAL_MACHINE if the annoying Group Policy entries are Computer Configuration or HKEY_CURRENT_USER if the offending policies are in User Configuration.

Right-click the key in the left pane and choose Permissions. Notice that SYSTEM is allowed Full Control. Uncheck that box in the bottom pane, but make sure SYSTEM still has Read access. If you deny Read access to SYSTEM (or remove its ACE), then it won't even be able to check whether you can do things, and stuff will blow up.

Then, open up the Owner tab under Advanced and set the owner to the local Administrators group. This ensures that [1] any Group Policy-deployed script can't undo our changes and [2] you'll be able to more easily edit the settings if you choose to change the permissions again.

OK out of all the dialogs and close RegEdit. Congratulations, you are now invincible to Group Policy.
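For administrators who want to find machines where this change has been made, here is a read-only audit of the same keys. It is an added example, not part of the original post; the function name `Test-PolicyKeyAcl` and the output field names are made up for illustration. A result with `SystemCanWrite` set to False matches the permission change described above.

```powershell
# Added example (not from the original post): read-only audit of the Policies
# keys for the permission change described above. It inspects only ACEs granted
# directly to SYSTEM; it is not a full effective-access calculation.
$SystemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM
$SidType   = [System.Security.Principal.SecurityIdentifier]
$Rights    = [System.Security.AccessControl.RegistryRights]
# Rights SYSTEM needs in order to rewrite policy values under the key.
$WriteMask = [int]$Rights::SetValue -bor [int]$Rights::CreateSubKey

function Test-PolicyKeyAcl {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -Path $Path
    $allow = 0
    $deny  = 0
    # Resolve identities to SIDs so the check does not depend on OS language.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.IdentityReference.Value -ne $SystemSid) { continue }
        # Inherit-only ACEs apply to subkeys, not to this key itself.
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.RegistryRights
        } else {
            $deny = $deny -bor [int]$ace.RegistryRights
        }
    }
    $granted = $allow -band (-bnot $deny)   # deny ACEs override allow ACEs

    [pscustomobject]@{
        Path           = $Path
        Owner          = $acl.Owner
        SystemRights   = '0x{0:X}' -f $granted
        SystemCanWrite = (($granted -band $WriteMask) -eq $WriteMask)
        InheritanceOff = $acl.AreAccessRulesProtected
    }
}

# HKCU covers only the user running the script.
$keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

$keys | Where-Object { Test-Path $_ } |
    ForEach-Object { Test-PolicyKeyAcl -Path $_ } |
    Format-List
```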
