Group Policy is the administrator’s friend, as it lets you lock down security, desktop and user settings on users’ machines and for user accounts. Unfortunately, in some scenarios admins grant desktop users local admin privileges on their machines, either because of application compatibility issues or because of specific power-user needs. And being a local admin on your machine means you can undo many Group Policy settings targeting your machine simply by editing the registry directly.
How can you prevent local admin users from doing this? You can’t actually, but you can force Group Policy settings to be reapplied to target computers even when the actual settings within a GPO haven’t changed. To do this, open the following policy setting in your GPO:
Computer Configuration \ Administrative Templates \ System \ Group Policy \ Registry Policy Processing
Enable this policy setting and select the checkbox labeled “Process even if the Group Policy objects have not changed”. What this does is automatically re-apply the policy to the targeted computer during background refresh even though the GPO setting itself hasn’t changed. This means that any registry changes to policy that the local user has made will get undone during background refresh, and hopefully, if this happens frequently enough, the user will get frustrated and stop trying to circumvent policy.
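The same setting can be configured and verified from PowerShell. The script below is an added example, not part of the original article: it assumes the GroupPolicy RSAT module is available on the admin workstation, and the GPO name “Workstation Lockdown” is a placeholder. “Registry Policy Processing” is the client-side extension with GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2}; enabling the policy with the “Process even if the Group Policy objects have not changed” box ticked writes NoGPOListChanges = 0 under that key, and NoBackgroundPolicy = 0 keeps background refresh enabled.

```powershell
# Added example (not part of the original article). Assumes the GroupPolicy
# RSAT module is installed and that a GPO named "Workstation Lockdown" already
# exists in the domain; the GPO name is a placeholder.
$cseKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
$gpoName = 'Workstation Lockdown'   # placeholder GPO name

Import-Module GroupPolicy

# 1. Configure the GPO: same effect as enabling "Registry Policy Processing"
#    and ticking "Process even if the Group Policy objects have not changed".
Set-GPRegistryValue -Name $gpoName -Key $cseKey -ValueName 'NoGPOListChanges'  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $cseKey -ValueName 'NoBackgroundPolicy' -Type DWord -Value 0 | Out-Null

# 2. Read the values back from the GPO to confirm what will be delivered.
Get-GPRegistryValue -Name $gpoName -Key $cseKey | Format-Table ValueName, Value

# 3. On a target machine, check what actually arrived after refresh.
function Test-RegistryPolicyReapply {
    $localKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    if (-not (Test-Path $localKey)) {
        # No CSE key means the GPO has not reached this machine at all.
        return [pscustomobject]@{ ReapplyUnchanged = $false; Reason = 'CSE key not present; policy not applied' }
    }
    $v  = Get-ItemProperty -Path $localKey
    # NoGPOListChanges must be 0; a missing NoBackgroundPolicy counts as "enabled".
    $ok = ($v.NoGPOListChanges -eq 0) -and ($v.NoBackgroundPolicy -ne 1)
    [pscustomobject]@{
        ReapplyUnchanged   = $ok
        NoGPOListChanges   = $v.NoGPOListChanges
        NoBackgroundPolicy = $v.NoBackgroundPolicy
    }
}
Test-RegistryPolicyReapply

# 4. Force an immediate refresh instead of waiting for the background cycle.
gpupdate /target:computer /force
```

How often the undo happens is governed by the background refresh interval, which for workstations defaults to 90 minutes plus a random offset of up to 30 minutes; it can be shortened with “Set Group Policy refresh interval for computers” in the same Group Policy node, at the cost of more traffic to domain controllers. A `gpresult /h report.html` run on the client shows both settings as the machine sees them.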
This solution isn’t perfect, so it should be augmented by mandating in your written security policy that users are not allowed to undo policy settings on their machine, even temporarily. In fact, the foundation for true network security is not technological settings like these but a clear, comprehensive written security policy that is fairly but consistently enforced. That’s because security is fundamentally a human problem, not a machine one.
MVP Windows Server