Users who have local admin accounts on workstations can edit the registry and thereby undo many Group Policy settings that may have been applied to their computers. Best practice then would be to not give users local admin privileges on their workstations, but sometimes this is not practical. For example, some third-party line of business software will only install and run properly under admin creds.
So what can a sysadmin do to prevent such users from overriding Group Policy? One thing you can do is to go to the following node in your Group Policy Object:
Computer Configuration \ Administrative Templates \ System \ Group Policy
Then look for any policies that end in “…policy processing” and open these policies and select the checkbox that says “Process even if the Group Policy objects have not changed”. This will *force* these policies to *always* be applied whether or not any settings in the GPO have actually changed or not. That way, for example, if a user edits their registry to change a wireless setting, the next time Group Policy is refreshed in the background any change they made will be undone.
