GPUPDATE behavior with local user

yzgulec 1 Reputation point
2020-12-21T17:08:03.51+00:00

I tried GPUPDATE /FORCE with local admin user on a domain-joined computer and I was expecting that neither computer policy nor user policy to be updated.

But when I tried GPUPDATE command, both policies have been updated successfully. My question is how computer & user policy updates are possible with a local account which does not exist as a domain user. How can local user get domain policies via GPUPDATE?

Thanks.

50095-qstn.png

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,972 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Sean Liming 4,511 Reputation points
    2020-12-21T17:29:29.54+00:00
    0 comments No comments

  2. Fan Fan 15,306 Reputation points Microsoft Vendor
    2020-12-22T03:15:10.3+00:00

    Hi,

    First of all , let confirm the difference between the gpupdate and gpupdate /force
    When you run the gpupdate command without parameters, only new and changed user and computer policy settings are applied.
    GPUpdate /force command reapplies all the policies—both new and old (regardless of whether they have been changed).

    When there are changes are made from the domain and local ,both the command gpupdate and gpupdate /force with update the policies.
    But the local administrator can only get the user policy for local administrator itself . Also all the computer policies deployed to the client.

    Think that when you logon to the clients as a domain user and run the command gpupdate and gpupdate /force, gpresult /h REPORT.HTML . You can only get the user policy for itself ,but can't get the computer policies.
    Only when you run the cmd as administrator you can get the computer settings both from the local policies and the domain policies.

    Best Regards,

    0 comments No comments

  3. yzgulec 1 Reputation point
    2020-12-22T12:09:08.917+00:00

    Thanks for the answers but my question is: How can a local user get group policies from a domain? As its name implies it is a "local" user. So group policies applied to users in a domain should not be applied to a "local" user.

    I understand the computer policies part (computer is domain joined) and it is ok.

    What am I missing here?

    Thanks.


  4. Hannah Xiong 6,251 Reputation points
    2020-12-29T05:55:58.067+00:00

    Hello,

    Thank you so much for your kindly reply.

    Domain based Group Policy does not apply to local users. Local Group Policy applies to local users.

    When trying gpupdate /force with local admin account on a domain-joined computer, it will show that both policies have been updated successfully the same as you mentioned.

    51818-111.png

    51819-112.png

    We are wondering why we are expecting to have error like "Error No user policy applied" or something else.

    To view all the policies applied to the user account you’re currently logged in with, we would use the following command:

    gpresult /Scope User /v

    51856-1123.png

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments