You can set Group Policy both local and domain. Here is a previous answer: https://social.technet.microsoft.com/Forums/lync/en-US/964f17e7-f9c9-4ed3-83bb-59d60cb03688/local-policies-vs-group-policies-will-it-make-conflict-
GPUPDATE behavior with local user
I tried GPUPDATE /FORCE with local admin user on a domain-joined computer and I was expecting that neither computer policy nor user policy to be updated.
But when I tried GPUPDATE command, both policies have been updated successfully. My question is how computer & user policy updates are possible with a local account which does not exist as a domain user. How can local user get domain policies via GPUPDATE?
Thanks.
4 answers
Sort by: Most helpful
-
-
Fan Fan 15,361 Reputation points Microsoft Vendor
2020-12-22T03:15:10.3+00:00 Hi,
First of all , let confirm the difference between the gpupdate and gpupdate /force
When you run the gpupdate command without parameters, only new and changed user and computer policy settings are applied.
GPUpdate /force command reapplies all the policies—both new and old (regardless of whether they have been changed).When there are changes are made from the domain and local ,both the command gpupdate and gpupdate /force with update the policies.
But the local administrator can only get the user policy for local administrator itself . Also all the computer policies deployed to the client.Think that when you logon to the clients as a domain user and run the command gpupdate and gpupdate /force, gpresult /h REPORT.HTML . You can only get the user policy for itself ,but can't get the computer policies.
Only when you run the cmd as administrator you can get the computer settings both from the local policies and the domain policies.Best Regards,
-
yzgulec 1 Reputation point
2020-12-22T12:09:08.917+00:00 Thanks for the answers but my question is: How can a local user get group policies from a domain? As its name implies it is a "local" user. So group policies applied to users in a domain should not be applied to a "local" user.
I understand the computer policies part (computer is domain joined) and it is ok.
What am I missing here?
Thanks.
-
Hannah Xiong 6,276 Reputation points
2020-12-29T05:55:58.067+00:00 Hello,
Thank you so much for your kindly reply.
Domain based Group Policy does not apply to local users. Local Group Policy applies to local users.
When trying gpupdate /force with local admin account on a domain-joined computer, it will show that both policies have been updated successfully the same as you mentioned.
We are wondering why we are expecting to have error like "Error No user policy applied" or something else.
To view all the policies applied to the user account you’re currently logged in with, we would use the following command:
gpresult /Scope User /v
For any question, please feel free to contact us.
Best regards,
Hannah Xiong============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.