At work, my computer (Windows 10) is part of a local domain.
I added a few local group policies, and after noticing they were not being applied, I ran gpresult /H gp_report.html and it returned:
INFO: The user does not have RSoP data.
After running gpupdate /force I found that the file at \\[domainname.local]\sysvol\[domainname.local]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini was corrupt because of a ransomware attack a while ago.
For the time being I replaced the file with a clean copy, and after gpupdate /force my policies are working. But I'm wondering whether and how I can disable the domain policies, so that only local policies are applied, while still having my PC connected to the domain.
I installed Remote Server Administration Tools in order to attempt the process outlined here (disable Group Policy object inheritance), but upon launching gpmc.msc I get an error stating:
The specified domain either does not exist or could not be contacted.
I can click "Choose a different domain controller" and two domain controllers are listed, but selecting either of them loads an empty tree.
I also tried Set-GPinheritance -Target "dc=[domainname.local]" -IsBlocked Yes according to this reference, but it returns:
Set-GPinheritance : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)
[TL;DR] Currently at a loss. I want to disable the inherited group policies while still being connected to the domain. But my attempts have so far failed. Can it be done?
Note: For answers, please assume that any local policy will not work (as if I had not fixed the domain server policies).
Thanks.
You can disable background refresh through gpedit.msc: Computer Configuration -> Administrative Templates -> System -> Group Policy. Set "Turn off background refresh of Group Policy" to Enabled.
Also, you can clear items from the Policies folders under HKCU/HKLM Software\Policies and HKCU/HKLM Software\Microsoft\Windows\CurrentVersion\Policies, and set permissions on the key to 'Read' for any accounts listed with more than that.
You seem to have another problem: your default domain policy seems broken if your console is empty, so you will have to reset your GPO. Got a backup? (Or are you not a domain admin?)
dcgpofix /ignoreschema /target:Domain
The default domain policy is enabled by default for all computer objects, but it sets only password options and such.
Blocking inheritance at an OU is the valid way to do it, so I think you have corruption in your SYSVOL Policies folder.
I found that passing the -Server parameter to the PowerShell cmdlet makes it work. However, running Set-GPinheritance -Target "dc=[domainname.local]" -IsBlocked Yes didn't fix my broken local policy issue.
So I took the steps listed below from PowerShell as admin:
(Get-GPInheritance -Target "dc=[domainname],dc=local" -Server "[servername]").GpoLinks | foreach-object {echo $_}
This will return a list like the following:
Take note of the GpoId property. Now run:
Set-GPLink -Guid "[GpoId from previous step]" -Target "dc=[domainname],dc=local" -LinkEnabled No -Server "[servername]"
After that, running gpupdate.exe /force works correctly.
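The same procedure as a single script, with a backup step added so the link change can be reversed. This is an added example, not code from the question or the answers; it assumes the domain contoso.local, a reachable domain controller dc01.contoso.local, a backup directory C:\GPO-Backups, and a GPO display name that you substitute for your own.

```powershell
# Added example (not from the original question or answers).
# Assumptions: domain contoso.local, a reachable DC dc01.contoso.local, the RSAT
# GroupPolicy module installed, and an elevated session run by an account that may
# edit GPO links on the domain root.
Import-Module GroupPolicy

$Server     = 'dc01.contoso.local'   # assumption: naming a DC avoids the
                                     # "domain ... could not be contacted" error
$Target     = 'dc=contoso,dc=local'  # assumption: the domain root container
$BackupPath = 'C:\GPO-Backups'       # assumption: where GPO backups are written

# Step 1: list the GPO links on the domain root with their state. The answer above
# echoes the raw objects; selecting these columns makes the GpoId easy to read off.
$links = (Get-GPInheritance -Target $Target -Server $Server).GpoLinks
$links | Select-Object Order, DisplayName, GpoId, Enabled, Enforced | Format-Table -AutoSize

# Step 2: back up every linked GPO before touching any link, so the change is reversible.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
foreach ($link in $links) {
    Backup-GPO -Guid $link.GpoId -Path $BackupPath -Server $Server `
               -Comment "Before changing links on $Target" | Out-Null
}

# Step 3: disable one link, chosen by display name instead of hand-copying the GUID.
# A link on the domain root applies to every object in the domain, not only this PC.
$name      = 'Default Domain Policy'  # assumption: the GPO whose link is disabled
$toDisable = $links | Where-Object { $_.DisplayName -eq $name }
if ($null -eq $toDisable) { throw "No link named '$name' found on $Target" }
Set-GPLink -Guid $toDisable.GpoId -Target $Target -LinkEnabled No -Server $Server

# Step 4: confirm the new state from the DC, then refresh policy on the client.
(Get-GPInheritance -Target $Target -Server $Server).GpoLinks |
    Where-Object { $_.GpoId -eq $toDisable.GpoId } |
    Select-Object DisplayName, Enabled

gpupdate.exe /force

# To undo: Set-GPLink -Guid $toDisable.GpoId -Target $Target -LinkEnabled Yes -Server $Server
```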
User contributions licensed under CC BY-SA 3.0