Posted by Steve Clark [MSFT] on September 29, 2005, 6:13 pm
The order of precedence for Group Policy is:
Local - Site - Domain - OU
They are applied in that order, last write wins. So, site policies trump
Local, and Domain trumps site, and so on.
The exception to this is the use of "Persistent policy" for the Local policy
which can be used for IPsec to secure a machine even if it cannot download
the GPO from the Active Directory.
From the Windows 2003 Tech Center:
"This policy adds to or overrides the local or Active Directory policy, and
remains in effect regardless of whether other policies are applied or not.
Persistent IPSec policies enhance security by providing a secure transition
from computer startup to IPsec policy enforcement. Persistent policy also
provides backup security in the event of an IPSec policy corruption, or if
errors occur during the application of local or domain-based IPSec policy.
To configure persistent policies, you must use the netsh ipsec static set
store location=persistent command.
When designing persistent IPSec policy, it is important to consider the
potential impact of persistent policy on remote management. If local or
domain-based IPSec policy is not applied and the persistent IPSec policy is
the only policy that is applied, attempts to remotely diagnose an issue
might be blocked by the persistent IPSec policy. To allow for remote
management in case troubleshooting is required, it is recommended that you
create appropriate permit filters when configuring persistent IPSec policy."
Hope that helps.
> On a workstation that is attached to my domain will the security policy
> that the domain supplies override any local policies? Can a local
> workstation policy trump the domain policy if it is more restrictive?
> Thanks in advance for any help and information that you can provide.
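An added example, not part of the original post or the quoted Tech Center text: a persistent IPsec policy that blocks inbound RDP except from a management subnet, following the permit-filter advice quoted above. The commands run from one netsh script file because the store selection applies to the netsh session in which it is set. The policy, filter list and rule names, the 192.0.2.0/24 subnet and the choice of TCP 3389 are assumptions made for illustration.

```powershell
# Added example. Constructed values: all names, the 192.0.2.0/24 management
# subnet, and TCP 3389 (RDP) as the remote-management port.
$netshScript = @'
# Select the persistent store for every command in this netsh session.
ipsec static set store location=persistent

# Create the policy unassigned so it is not enforced while half-built.
ipsec static add policy name="Persistent-Baseline" description="Boot-time and fallback IPsec policy" assign=no

# Filter actions: plain permit and plain block, no negotiation.
ipsec static add filteraction name="Permit" action=permit
ipsec static add filteraction name="Block" action=block

# General filter: RDP to this machine from any source.
ipsec static add filterlist name="RDP-Any"
ipsec static add filter filterlist="RDP-Any" srcaddr=any dstaddr=me protocol=TCP dstport=3389 mirrored=yes description="RDP from any source"

# More specific filter: RDP from the management subnet only.
ipsec static add filterlist name="RDP-Mgmt"
ipsec static add filter filterlist="RDP-Mgmt" srcaddr=192.0.2.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP dstport=3389 mirrored=yes description="RDP from management subnet"

# The more specific management filter takes precedence over the Any filter.
ipsec static add rule name="Block-RDP" policy="Persistent-Baseline" filterlist="RDP-Any" filteraction="Block"
ipsec static add rule name="Permit-Mgmt-RDP" policy="Persistent-Baseline" filterlist="RDP-Mgmt" filteraction="Permit"

# Assign last, then print the stored policy for review.
ipsec static set policy name="Persistent-Baseline" assign=yes
ipsec static show policy name="Persistent-Baseline" level=verbose
'@

# Write the script to a file and run it in a single netsh session.
$path = Join-Path $env:TEMP 'persistent-ipsec.txt'
Set-Content -Path $path -Value $netshScript -Encoding ASCII
netsh -f $path
if ($LASTEXITCODE -ne 0) { Write-Error "netsh exited with code $LASTEXITCODE" }
```

Run it from an elevated prompt on a test machine first, and confirm from the management subnet that the permit filter works before relying on the policy.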