Disable group policy from a workstation [closed]

group-policy runas

How can I, as a Workstation Administrator, disable Group Policy on that workstation?

The Domain Administrator is feeding utter garbage via Group Policy and I want it stopped.

Last antic: turning on automatic updates globally. Result: build server started making bad builds.

Education of this Domain Administrator is a hopeless cause.

Really, I don't trust the domain except for logins anymore.

EDIT: Actual answer for how to do this (I can't add the answer as question is closed):

  1. Create local admin account on workstation
  2. Log in to local admin account
  3. Un-join domain
  4. run gpedit.msc and unset all domain policies
  5. change local shell to runas /netonly /user:domain\username explorer.exe
Presto, non-domain, non-gpo machine that uses universal sign-on (well, almost -- you do get asked for your password twice).

Solution 1:

The old "us versus them" battle (or more appropriately the old "developers versus sysadmins" battle). Maybe a conversation is in order here between the development staff\management and the system administration staff\management. There can be no winners if the two sides don't find a way to work together toward the company's common goals. Technology ultimately can't fix what is, at it's essence, a political, ego-driven problem.

Solution 2:

My opinion: This is not a technical problem with regard to locking out domain management from your machines.

This is about communication (and business process and policies and maybe service or operational agreements) between your group and whatever group sets the AD policies.

You need to document what your requirements are for the server and then work out if that means things like no global updates and that means bosses need to agree to it to. Likewise, they probably have other requirements that they need to communicate. There's got to be a compromise that is workable for both sides...both groups just need to be committed to finding it.

If, once there is a workable agreement in place, they keep breaking things in violation of that agreement, then it's time to call them on it and escalate. You start showing the impact of the build server broken for example, complaining to bosses, etc.

Related

What is the best way to harden Windows Server 2008 R2?
Limit total bandwidth use per user
OpenLDAP ACL to allow users to change their password
Is it possible to configure HAProxy to choose a backend server based on a request's source IP? If so, how?
What's the difference between sysadmin and an IT Consultant? [closed]
How do you manage your Mac workstations?
Should I host my entire web application using https?
DNSSEC NSEC3 opt-out
Program to snapshot changes made during an install?
Hyper-V Server - Can't UnJoin An Orphaned Domain
Linux: Allow/restrict IP bind permissions by user
Wildcard DNS, VirtualHosts on apache2, 404 for unused subdomains