Windows Domain Admin rights insufficient?
I have a lab(ish) environment where I have a single domain in a single forest. I have a Windows 7 image for the clients that was given to me by my organization (I didn't build it, not entirely sure who did) and I'm finding that there are a number of items that users (even admin users, even domain admin users) can't change in the Windows 7 environment, including but not limited to Trusted Sites in IE, Power Options (specifically, configuring when to lock the display), etc. Those are the main two that I want to affect, but am presented the message that "some settings are controlled by your administrator.." that I've seen about a million posts about.
What I've tried so far:
- Group Policies
- Registry settings
- Local Security Policies
- Unlocking the 'hidden' admin & using them
- Adding the users to the 'restricted group'
None of these seem to have an effect. The Group policies are applied, and GPResult shows them as I would expect. As an example, I see a custom power profile that I applied in a GPO, and it even sets all the settings as I had it, except the 'disable display' setting, which is still set to what it was w/o my policy, and is still grayed out to prevent change.
Is there anything else I can look at to regain control over my client machines?
**** UPDATE **** I didn't call it out before explicitly, but I have moved the computer into a new OU that doesn't inherit the GPO, and per suggestion I removed the machine from the domain. The settings remained in place. When that failed, I re-enabled the local admin and logged on as same to see if that would solve the issue; it did not. I suspected from the beginning that whatever the issue is was done at the image level, since all the workstations are built off the same image and (as demonstrated) it seems to be a setting that's neither set by the domain nor ignorable via group policies (at least not by means that I'm aware of).
Solution 1:
If the GPOs for these settings aren't defined on your domain, chances are that they are set in the Local Policy for the image.
Run gpedit.msc from the local machine and examine the settings there; I bet you'll find what you're looking for.
Solution 2:
The settings you "can't change" that give you the "some settings are controlled by your administrator" message are settings that are being controlled by GPO.
"Correcting" this involves stopping the GPOs that force these settings down from applying to the machine in question. You mention that you have domain admin rights, so...
[If you haven't done it already, you'll want to use RSAT.]
What you probably should do is create a Testing OU in AD, using Active Directory Users and Computers (%SystemRoot%\system32\dsa.msc), and move this machine into it. Then, using Group Policy Management (%SystemRoot%\system32\gpmc.msc), you'd want to block inheritance to that OU. Since you just created it, there shouldn't be any GPOs linked in it directly. Run gpupdate /force from a command line to apply the new [lack of] GPOs, and reboot. Then you'll be free to change the settings you want, or test GPOs on the machine as you see fit (by creating and linking them in that OU you created).
Alternately, as a one-off approach, you could always remove the machine from the domain, which will stop the GPOs from being applied to it as well.
I suppose you could also just change/remove the GPOs in question, but that's a global change that would apply to more than just your machine, so be careful. Also a great way to piss off your AD admin(s), if they exist, or discover why you should have a professional admin handling your AD environment if they don't exist.
EDIT: As pointed out by MDMarra, this won't magically reverse [most of] the settings applied by GPO, but will allow you to change them to what you want. Changing them to what you want, after the GPOs are no longer applying, is a matter of using GPEdit.msc to edit the local policies, or using regedit to remove the following keys, as suggested here:
[HKEY_CURRENT_USER\Software\Policies\Microsoft]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
(Apologies, I got focused in on how to "regain control" from the domain, and didn't think about reversing the applied GPOs.)
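
Before removing the three keys listed in Solution 2, it helps to see which values are actually stored under them and to keep a copy that can be re-imported. The following is an added example, not part of the original answers; the function names `Get-PolicyValue` and `Export-PolicyKey` and the backup directory are hypothetical, and the code avoids anything newer than the PowerShell 2.0 that ships with Windows 7.

```powershell
# The three per-user keys named in Solution 2 (PowerShell registry-provider syntax).
$PolicyRoots = @(
    'HKCU:\Software\Policies\Microsoft',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

# Hypothetical helper: list every value stored under the given policy roots.
function Get-PolicyValue {
    param([string[]]$Roots = $PolicyRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # key absent: nothing set here
        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Value = $name
                    Kind  = $key.GetValueKind($name)
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

# Hypothetical helper: export each existing root to a .reg file so it can be re-imported.
function Export-PolicyKey {
    param(
        [string[]]$Roots = $PolicyRoots,
        [string]$Directory = (Join-Path $env:TEMP 'policy-backup')   # assumed location
    )
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $i = 0
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $i++
        $regPath = $root -replace '^(HK\w+):', '$1'      # HKCU:\... -> HKCU\... for reg.exe
        $file    = Join-Path $Directory ("policy-{0}.reg" -f $i)
        & reg.exe export $regPath $file /y | Out-Null    # /y overwrites an earlier backup
        $file
    }
}

Export-PolicyKey
Get-PolicyValue | Sort-Object Key, Value | Format-Table Key, Value, Kind, Data -AutoSize -Wrap
```

Run it as the affected user, since HKCU is per-user; other roots can be passed through `-Roots` if the values of interest live elsewhere.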