Local vs Domain Policies

Applying a Domain GPO to a Workstation for OS Customizations is not the same as applying a Domain GPO that is Enforced. This means that even though you can use a GPO to do the OS Customizations, it is no different than setting a Local Policy. Anyone with Administrative Rights will be able to open GPEDIT.MSC and change the setting.

Enforcing Policies

If you need to Enforce any of these settings, you must join the computer to a Domain and link the GPO to the Computer's or User's OU. This guide will not go into doing this, but if you want to go this route, keep the Enterprise OS GPOs you use for customizations separate from your Enforcement GPOs.

Registry Group Policy Preferences

Registry Group Policy Preferences are applied by editing the Current User, Local Machine, and Users hives. Additionally, the Default User and Administrator (if applicable) hives are mounted and modified. In this instance, there is nothing preventing these settings from being undone. Just like Enforcing Policies above, if you need Registry modifications Enforced, they must be set in a Domain GPO.

Workgroup Policies

I work in a large Enterprise, and what makes my situation a challenge is that there are instances where we deploy systems that are not joined to a Domain. These are Workgroup Computers.

If all your computers are Domain joined, then you have it easy . . . but if you deploy an OS for Workgroup and Domain, keep your Policies and Preferences for Enterprise OS configured for the Workgroup Computer. Domain settings can be applied from an Active Directory GPO when the Computer logs into the Domain with a Domain User Account.

What this means is that for Workgroup Computers, set your Internet Homepage to the public Corporate Homepage . . . and let your Intranet Homepage be set for Domain Computers. If the Workgroup Computer will be disconnected from your Domain, don't mess with applying WSUS settings; leave things pointing to Windows Update. Don't set CM settings in your Policies; let CM handle this . . . basically, if these settings are already being configured by your Domain GPO, there is no need to set them in Enterprise OS.
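
Because customizations applied as Local Policy or registry preferences can be changed back by any administrator, one way to notice is to compare the live registry against the values you deployed. The script below is an added example, not part of OSDeploy; the two baseline entries are constructed samples (a lock screen customization, and no WSUS server on a Workgroup Computer), and `Get-PolicyDrift` is a hypothetical helper name.

```powershell
# Added example, not OSDeploy code. Baseline entries are constructed samples;
# replace them with the values your own Enterprise OS customizations set.
$Baseline = @(
    # Customization expected to be present after deployment
    [pscustomobject]@{
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
        Name  = 'NoLockScreen'
        Value = 1
    }
    # Workgroup Computer: no WSUS server set, so Windows Update is used
    [pscustomobject]@{
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        Name  = 'WUServer'
        Value = $null   # $null means "the value must be absent"
    }
)

function Get-PolicyDrift {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Baseline)

    foreach ($item in $Baseline) {
        $current = $null
        if (Test-Path -Path $item.Path) {
            # A missing value returns nothing instead of raising an error
            $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
            if ($prop) { $current = $prop.($item.Name) }
        }
        [pscustomobject]@{
            Path     = $item.Path
            Name     = $item.Name
            Expected = $item.Value
            Current  = $current
            # Expected value on the left keeps this a scalar comparison
            Drifted  = ($item.Value -ne $current)
        }
    }
}

# On a Domain joined computer, a linked Domain GPO may own these values instead
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Warning "Joined to $($cs.Domain): a Domain GPO may set these values."
}
Get-PolicyDrift -Baseline $Baseline | Where-Object Drifted | Format-Table -AutoSize
```

The check only reports changes; it handles scalar values (DWORD and string), and keeping a value in place still requires a Domain GPO.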

Summary

To sum it up, the Group Policies that will be used in OSConfig should only be used for OSConfig, and not for Policy Enforcement, just as your current customizations in your Task Sequence are only for customizations during OS Deployment, and not for any other purpose after the OS has been deployed . . . and when configuring your settings, keep in mind whether you deploy computers in Workgroups.


Last updated 5 years ago
