34

I am trying to provision a few special-case laptops. I would like to create a local guest account. That's fine, but when I try to create it I am prompted that my guest password does not meet the complexity requirements.

I tried editing the local security policy to change the complexity but this is greyed out. Is it possible to override domain policy with local?

Yes, I know I can choose a longer password, but that is not the point. I want to know how to override domain policy in case I need to in the future.

hkkhkhhk
  • Does this answer your question? [How can I override group policy using a local administrator account?](https://serverfault.com/questions/65011/how-can-i-override-group-policy-using-a-local-administrator-account) – Vadzim Mar 08 '20 at 18:04

4 Answers

31

I've worked around this by creating a script that overwrites the policies I don't want in the registry (you can use the "REG" command in a batch script). This script can be set to run using Task Scheduler, immediately after the Group Policy client finishes applying the policy, by using "On an event" as the trigger.

The best event trigger that I have found is Log: Microsoft-Windows-GroupPolicy/Operational, Source: GroupPolicy, and Event ID: 8004, but you can check the event viewer logs for some additional possibilities.

Truisms Hounds
  • Dude, you are my hero. Folks, don't forget that if you are modifying registry keys (like for Windows Firewall) you need to restart the service in question for it to pick up your changes. – brakertech Dec 17 '17 at 04:00
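The following is an added example of the approach this answer describes, not code from the answer itself. It assumes the override you want is the password policy from the question, which is a Security Settings item (stored by the LSA, not a plain registry value), so it uses `secedit /configure` with a local security template instead of `REG`; the directory, task name and the extra completion event IDs 8000 and 8002 (boot-time and periodic computer policy refresh, alongside the 8004 manual refresh the answer names) are assumptions, so check the Microsoft-Windows-GroupPolicy/Operational log on your own machine before relying on them. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original answer): relax the password policy on one
# machine with a local security template and re-apply it every time the Group Policy
# client finishes a refresh, using an "On an event" trigger on the operational log.
#Requires -RunAsAdministrator

$workDir  = 'C:\ProgramData\LocalPolicyOverride'     # assumed location
$template = "$workDir\relax-password.inf"
$database = "$workDir\relax-password.sdb"
$script   = "$workDir\apply-override.ps1"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Security template in secedit's INF format. Password policy lives in [System Access];
# secedit /configure is the local equivalent of what the GP client does on refresh.
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 0
MinimumPasswordLength = 4
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $template -Encoding Unicode

# The script the scheduled task re-runs after each refresh: apply the template, then
# export the effective policy and log the two values so you can see it actually stuck.
@'
$d = 'C:\ProgramData\LocalPolicyOverride'
secedit.exe /configure /db "$d\relax-password.sdb" /cfg "$d\relax-password.inf" /areas SECURITYPOLICY /quiet
secedit.exe /export /cfg "$d\effective.inf" /areas SECURITYPOLICY /quiet
Select-String -Path "$d\effective.inf" -Pattern 'PasswordComplexity|MinimumPasswordLength' |
    ForEach-Object { '{0} {1}' -f (Get-Date -Format s), $_.Line } |
    Add-Content -Path "$d\override.log"
'@ | Set-Content -Path $script -Encoding ASCII

# Event trigger: fire when the GroupPolicy provider logs a computer-policy completion
# event. 8004 is the ID from the answer (manual refresh, i.e. gpupdate); 8000 (boot)
# and 8002 (periodic refresh) are added here as an assumption so the override also
# comes back after those refreshes.
$query  = "*[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and (EventID=8000 or EventID=8002 or EventID=8004)]]"
$action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$script`""
schtasks.exe /Create /F /TN 'Reapply-LocalPasswordPolicy' /RU SYSTEM /RL HIGHEST `
    /SC ONEVENT /EC 'Microsoft-Windows-GroupPolicy/Operational' /MO $query /TR $action

# Apply once now rather than waiting for the next refresh, then show the log.
& $script
Get-Content "$workDir\override.log" -Tail 2
```

Two caveats a practitioner should keep in mind: every refresh still re-applies the domain setting first and the task only puts the override back a moment later, so there is a window in which the domain value is in force, and every `gpupdate` will write a conflicting entry to the operational log that an administrator can spot. The supported alternative is a GPO security-filtered to the affected computers, which is what the next answer recommends.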
29

There are always ways to hack around central policies if you have local admin access: at a minimum you can make your changes locally to the registry and hack the security settings so they can't be updated by the group policy agent, but it isn't the best way to go. I'll admit to doing it 10 years ago, but really, don't. There are unanticipated results in a lot of cases.

See this TechNet article. The order for policy application is effectively:

  1. Local
  2. Site
  3. Domain
  4. OU

Later policies will overwrite earlier ones.

Your best bet is to make a computer group and use that group to either exclude your custom computers from the password complexity policy or assemble a new policy that'll override these defaults, filtered to only apply to this group.

Andy
Tim Brigham
  • Thank you. Very informative. That is very dumb though. A local admin should have complete power over that particular local machine, just like Linux root. – hkkhkhhk May 08 '14 at 16:27
  • @hkkhkhhk - even root in Linux has limits. :) If you are using a centralized management product like Puppet or Chef they'll keep pushing out their policies and revert changes made by the local root account, just like group policy. The design is intentional - it forces folks to use scalable methods. – Tim Brigham May 08 '14 at 16:32
  • But as Linux root I can always tell Puppet to GTFO if I need ;). What I mean is that local configuration always beats remote (think NIS+ or LDAP authentication). All the Puppet daemon is doing is basically pushing out configs that are applied locally. – hkkhkhhk May 08 '14 at 16:51
  • @hkkhkhhk - It's not a "dumb" design. A domain admin always trumps local admin. That's the whole point. –  May 08 '14 at 18:50
  • To add to hkkhkhhk's comment: If you are a local admin and you do not like to be trumped by the domain admin you have the power to leave the domain. However, you do not have the power to override the rules of the domain set forth by the group policy. (Well, you have, but only by hacking as described in the answer.) – Martin Liversage Oct 07 '14 at 12:45
  • If I was able to easily override domain admin with local admin that would be security hell, especially because in a lot of domain environments all the local admin accounts have the same passwords. Say I had local admin at school. I'd be able to change screensavers and add login messages like crazy to mess with people. Local privileges aren't hard to get with local access, especially if it's an unencrypted HD, whether that's in Linux or Windows. – Michael Bailey Jul 03 '15 at 04:47
  • How can you "hack" to circumvent the policy? I am an admin and a developer. I need to change the date/time to test my application. However Group Policies prevent that. Please advise. I can remove the PC but then I lose access to the network resources so it's not really an option. – software is fun Oct 11 '16 at 15:46
  • @softwareisfun you can stop the Windows Time service and adjust your clock. Be careful though - if your clock is more than 5 minutes off from the domain controller, authentication will fail and bad things may happen. A dedicated non-domain system is the best way to test if you can. – Tim Brigham Oct 11 '16 at 16:54
  • @TimBrigham - `hack the security settings so they can't be updated by the group policy agent` - how would you do this? I only know how to disable GPO updates until user logout, but can one disable GPO updates permanently? Indeed, local GPOs, configured after domain GPOs have been applied, will take effect until the computer updates its domain (AD) GPOs? – Shuzheng Feb 18 '20 at 11:21
  • @Shuzheng: Individual registry keys have security settings of their own, much like file directories do. Now, you could find the relevant registry keys and revoke the write access of the SYSTEM user to them (the group policy client service runs as SYSTEM), thus preventing the group policy client from updating them. At least this is how I think it could be done. However, permissions to individual keys might well get reset while app updates are installed (I have observed this to happen before), so you may need to reapply your permission changes from time to time. – pinjaliina Aug 07 '23 at 10:52
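As an added example of the route this answer recommends (it is not code from the answer), here is the domain-side setup in PowerShell: a security group for the special-case laptops, a GPO linked to their OU with the highest link order so it applies after the domain-level policy, and security filtering so only members of the group apply it. It assumes a management host with the RSAT ActiveDirectory and GroupPolicy modules and rights to create GPOs; the group name, GPO name, OU path and computer names are placeholders. One fact worth knowing before you start: a password policy in an OU-linked GPO governs local accounts on the member computers it applies to, while domain accounts keep following the Default Domain Policy (or a fine-grained password policy), so this will relax the rule for the local guest account without touching domain users.

```powershell
# Added example (not from the original answer): exempt a set of laptops from the
# domain password policy for their local accounts via a security-filtered GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$ou      = "OU=Workstations,$($domain.DistinguishedName)"   # assumed OU holding the laptops
$group   = 'Local-Password-Policy-Exempt'                   # assumed group name
$gpoName = 'Relaxed Local Password Policy'                  # assumed GPO name
$laptops = 'LAPTOP-01', 'LAPTOP-02'                         # assumed computer names

# 1. A global security group that holds only the special-case computers.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$($domain.DistinguishedName)" `
        -Description 'Computers allowed a relaxed password policy for local accounts'
}
Add-ADGroupMember -Identity $group -Members ($laptops | ForEach-Object { Get-ADComputer $_ })

# 2. The GPO, linked to the OU. OU links apply after domain links, so on these
#    computers this GPO wins over the domain-level password settings; order 1 makes it
#    win over any other GPO linked to the same OU as well.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Relaxed password policy for local accounts on exempt laptops'
}
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}
Set-GPLink -Name $gpoName -Target $ou -Order 1 | Out-Null

# 3. Security filtering: Authenticated Users keep Read (computers must still be able to
#    read the GPO to evaluate it) but lose Apply; only the group applies it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. The password settings themselves are Security Settings (GptTmpl.inf), which
#    Set-GPRegistryValue cannot write. Open the GPO in GPMC and set
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Account Policies > Password Policy > "Password must meet complexity requirements"
#    to Disabled (and adjust the minimum length if needed).

# Report what was configured so it can be checked before the laptops pick it up.
Get-GPPermission -Name $gpoName -All |
    Select-Object Trustee, Permission |
    Format-Table -AutoSize
```

Two things commonly trip people up here: group membership for a computer only takes effect in its Kerberos token after a reboot, so the laptops need a restart (not just `gpupdate`) before the filter matches them, and you confirm the result on a laptop with `gpresult /r /scope computer`, which lists the GPO under "Applied Group Policy Objects" once it is in force.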
4

A potential solution, using Windows 10 Enterprise. I haven't tested it in a domain environment. I tested it locally, and it prevented c:\gpupdate /force from working entirely. If I understand the mechanism correctly, I presume this will break a foundation component, and therefore guarantees the user a 100% success rate. I used a tool that lets me run binaries with TrustedInstaller/System authority, Sordum PowerRun in my case. The binary I ran with these elevated permissions was "services.msc". I then stopped (if started) and disabled Group Policy Client (service name: gpsvc). It's at this point that c:\gpupdate /force no longer functioned. I'm not joined to a domain, but the disabled startup type persisted through reboots. So the idea is, you revert/change/override/whatever group policies inherited from the domain controllers, then disable the gpsvc service before another automated gpupdate fires off. Most of this is my theory, but I like this solution if it works, because I subjectively feel it has a high level of plausible deniability. "Uhh.. must be the RAM going bad, flippin' bits and whatnot."

Edit: Did find a quirk, the firewall turns itself off if gpsvc is disabled :|

Northstrider
  • I tried it and my firewall is still active. I just got a notification at login saying the service was disabled, but that aside, everything seems to be working just fine. – vctls Oct 23 '20 at 10:43
-3

Remove it from the domain, do whatever you need to do to the machine, then re-add it. Depending on how your GPO is set up, this works in most situations. Either way I would run it by the IA mafia and get something in writing stating that whatever you're doing is authorized, especially considering that in most situations a security violation as a sysadmin can result in immediate termination.

darrell
  • This has very little chance of working. Next time the group policy sync comes through, everything's changed again. – mstaessen Mar 14 '16 at 15:15