How to prevent the domain group policy from being applied to a local system which is put in a domain

230490 · Jun 4, 2015 · Viewed 7.3k times

When I try to put my local system in the domain, certain domain group policies get applied to my local system, overriding my local group policy settings. So how do I go ahead and prevent the domain GPO from being applied to my system?

Answer

Hauke · Jun 5, 2015

If you are not the administrator of the Domain Controller, you can't.

Any GPOs that match either your PC or the domain user in the security filtering of that GPO will be applied to the PC or the user account, respectively.

Usually there are GPOs that match very broad groups of users/computers and that will automatically match any newly added machine. One example is the Authenticated Users group.

Authenticated Users includes every object authenticated to Active Directory, which would include all domain users, groups (defined and part of AD), and computers that have been joined to the domain.

So the only way would be to change the security filtering of the GPOs themselves to exclude your machine. E.g. remove the Authenticated Users group from the security filtering and add a specific security group that only contains a list of all other PCs but the one that should be excluded.

The brute-force way would be to enable the Windows Firewall and block the connection to the Domain Controller or the ports required for GPO communication. However, this would defeat the object of adding the PC to the domain in the first place.
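The security-filtering change described in the answer, sketched with the GroupPolicy PowerShell module (an added example, not part of the original answer). The GPO name and group name are hypothetical placeholders, and it assumes a domain administrator running it on a machine with the Group Policy management tools installed.

```powershell
# Added example: change a GPO's security filtering so it no longer applies
# to every authenticated computer, only to members of a specific group.
# $GpoName and $IncludeGroup are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName      = 'Example Workstation Baseline'   # hypothetical GPO name
$IncludeGroup = 'GPO-Baseline-Computers'         # hypothetical group: every PC except the excluded one

# 1. Record the current delegation so the change can be reviewed or reverted.
$before = Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
$before | Format-Table -AutoSize

# 2. Downgrade Authenticated Users from "apply" to "read".
#    -Replace is required because a lower permission level does not
#    overwrite a higher one by default. Read is kept (rather than removing
#    the entry) so computers can still read the GPO.
Set-GPPermission -Name $GpoName `
    -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Grant "apply" only to the group that lists the machines that
#    should keep receiving this GPO.
Set-GPPermission -Name $GpoName `
    -TargetName $IncludeGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Show the resulting delegation for the change record.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

# 5. On the excluded PC, confirm the GPO is now filtered out:
#      gpupdate /force
#      gpresult /r /scope computer
#    The GPO should no longer appear under "Applied Group Policy Objects".
```

Computers pick up new group membership only after a restart, so members of the include group may need a reboot before the GPO applies to them again.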