Cannot disable group policy inheritance from domain
At work, my computer (Windows 10) is part of a local domain.
I added a few local group policies, and after noticing they were not being applied, I ran gpresult /H gp_report.html
and it returned:
INFO: The user does not have RSoP data.
After running gpupdate /force
I found that the file at \\[domainname.local]\sysvol\[domainname.local]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
was corrupt because of a ransomware attack a while ago.
For the time being I replaced the file with a clean copy, and after gpupdate /force
my policies are working. But I'm wondering whether and how I can disable the domain policies, so that only local policies are applied, while still having my PC connected to the domain.
I installed Remote Server Administration Tools in order to attempt the process outlined here (disable Group Policy object inheritance), but upon launching gpmc.msc
I get an error stating:
The specified domain either does not exist or could not be contacted.
I can click "Choose a different domain controller" and two domain controllers are listed, but selecting either of them loads an empty tree.
Also tried Set-GPinheritance -Target "dc=[domainname.local]" -IsBlocked Yes
according to this reference but it returns:
Set-GPinheritance : The specified domain either does not exist or
could not be contacted. (Exception from HRESULT: 0x8007054B)
[TL;DR] Currently at a loss. I want to disable the inherited group policies while still being connected to the domain. But my attempts have so far failed. Can it be done?
Note: For answers, please assume that any local policy will not work (as if I had not fixed the domain server policies).
Thanks.
windows domain group-policy
asked Jan 15 at 17:10 by Marc.2377, edited Jan 15 at 19:21
migrated from superuser.com Jan 15 at 18:30
This question came from our site for computer enthusiasts and power users.
You should be able to configure any local policy that isn't configured at the domain. However, any policy enforced by the domain, cannot be overridden by a local policy. It does not make sense to enforce only local policies if you are connected to a domain which has policy enforcement enabled.
– Ramhound
Jan 15 at 17:51
@marsh-wiggle still no good, same error. I did manage to change the error message by passing -Server "[servername]". Now it returns "A referral was returned from the server. (Exception from HRESULT: 0x8007202B)".
– Marc.2377
Jan 15 at 19:16
3 Answers
You can disable background refresh - through gpedit.msc, Computer Configuration -> Administrative Templates -> System -> Group Policy. Set "Turn off background refresh of Group Policy" to Enabled.
Also, you can clear items from the Policies folders under HKCU/HKLM\Software\Policies and HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Policies, and set permissions on the key to 'Read' for any accounts listed with greater than that.
answered Jan 15 at 19:10 by John Provencher
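The registry step in this answer is destructive and is undone by the next policy refresh unless refresh is off, so the first thing a practitioner wants is a snapshot and an inventory. The script below is an added example, not part of the answer above: it exports each of the four policy keys to a .reg file (restorable with reg import), lists every value under them, and shows which accounts hold more than Read on the top key. The backup location $BackupDir is an assumed path; run it from an elevated PowerShell.

```powershell
# Added example, not part of the answer above: snapshot and inventory the policy registry
# keys before anything under them is cleared, so the change is reviewable and reversible.
# Run from an elevated PowerShell. $BackupDir is an assumed location.
param(
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'policy-registry-backup')
)
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

# The keys the answer refers to: both hives, both locations.
$policyKeys = @(
    'HKLM\SOFTWARE\Policies',
    'HKCU\SOFTWARE\Policies',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

foreach ($key in $policyKeys) {
    $regFile = Join-Path $BackupDir (($key -replace '[\\:]', '_') + '.reg')
    # reg.exe export writes a .reg file; /y overwrites an earlier export of the same key.
    reg.exe export $key $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not export $key (key missing or access denied)"
        continue
    }
    Write-Host "`n== $key  (exported to $regFile)"

    # Same key in PowerShell drive form, e.g. HKLM:\SOFTWARE\Policies.
    $psPath = $key -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'

    # Every value under the key and its subkeys: this is what policy processing wrote.
    $items = @(Get-Item -Path $psPath) +
             @(Get-ChildItem -Path $psPath -Recurse -ErrorAction SilentlyContinue)
    $items | ForEach-Object {
        $k = $_
        foreach ($name in $k.GetValueNames()) {
            $display = $name
            if ($name -eq '') { $display = '(Default)' }
            [pscustomobject]@{
                Key   = $k.Name
                Value = $display
                Data  = $k.GetValue($name)
                Type  = $k.GetValueKind($name)
            }
        }
    } | Format-Table -AutoSize

    # Access entries on the top key: the answer suggests cutting anything above Read
    # back to Read, so show who currently holds more than ReadKey.
    (Get-Acl -Path $psPath).Access |
        Where-Object { $_.RegistryRights -ne 'ReadKey' } |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Keep the .reg files with the exported ACL listing: if a value later turns out to have been set by a security baseline rather than by the corrupt policy, reg import restores it in one step, and the listing is the record of what the machine looked like before the keys were touched.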
You seem to have another problem: your default domain policy seems broken if your console is empty, and you will have to reset your GPO. Got a backup? (Or are you not a domain admin?)
dcgpofix /ignoreschema /target:Domain
The default domain policy is enabled by default for all computer objects, but it sets only password options and such.
Blocking the inheritance from an OU is the valid way to do it, so I think you got a corruption in your SYSVOL Policies folder.
answered Jan 15 at 19:22 by yagmoth555
Thanks. I'm not the domain admin; he is currently on vacation and won't be around for another week. The domain server is indeed faulty, thus I was left wondering if I can remove the link so that my local policies will work.
– Marc.2377
Jan 15 at 20:06
I found that passing the -Server parameter to the PowerShell cmdlet makes it work. However, running Set-GPinheritance -Target "dc=[domainname.local]" -IsBlocked Yes didn't fix my broken local policy issue.
So I took the steps listed below from PowerShell as admin:
(Get-GPInheritance -Target "dc=[domainname],dc=local" -Server "[servername]").GpoLinks | foreach-object {echo $_}
This will return a list like the following:
Take note of the GpoId property. Now run:
Set-GPLink -Guid "[GpoId from previous step]" -Target "dc=[domainname],dc=local" -LinkEnabled No -Server "[servername]"
After that, running gpupdate.exe /force works correctly.
References:
Set-GPLink and GroupPolicy module (Microsoft Docs)
answered Jan 15 at 23:43 by Marc.2377
Blocking inheritance at the top level of the domain won't do anything, since there's nothing higher up to be blocked. You'd have to block it on the OU your machine is in.
– Harry Johnston
Jan 16 at 2:03
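The enumerate-then-act procedure in this answer, and the question's symptom of policies not applying, both start with knowing which GPO links actually reach the machine. The script below is an added example, not part of the answer or of Microsoft's GroupPolicy module documentation: it performs only the read-only half (Get-GPInheritance with -Server, as the answer uses it), for both the domain root and the computer's own OU, and shows the Enabled and Enforced flags that decide whether disabling a link or blocking inheritance would change anything. The DC name dc01.example.local, the Get-GpoLinkReport function and the ADSISearcher lookup are my assumptions; it needs the RSAT GroupPolicy module and an account that can read Group Policy objects in the domain.

```powershell
# Added example, not part of the answer or of Microsoft's GroupPolicy module docs:
# read-only inventory of the GPO links that reach this computer, at the domain root
# and at the computer's own OU. Assumes the RSAT GroupPolicy module is installed and
# that $Server names a reachable domain controller (dc01.example.local is a placeholder).
param(
    [string]$Server = 'dc01.example.local'
)
Import-Module GroupPolicy -ErrorAction Stop

# Look up this computer's distinguished name through plain LDAP (ADSISearcher), so the
# ActiveDirectory module is not required. Computer account names end in "$".
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$result = $searcher.FindOne()
if (-not $result) { throw "Computer account $env:COMPUTERNAME not found in the directory" }
$computerDn = [string]$result.Properties['distinguishedname'][0]

# Container holding the computer: the DN minus its leading "CN=<name>," component.
$ouDn = $computerDn -replace '^CN=[^,]+,', ''
# Domain root: only the DC= components of the DN, e.g. DC=example,DC=local.
$domainDn = ($computerDn -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','

function Get-GpoLinkReport {
    param([string]$Target)
    $inh = Get-GPInheritance -Target $Target -Server $Server
    # InheritedGpoLinks is everything that applies at $Target, in precedence order,
    # including links from parent containers; GpoLinks is only what is linked directly.
    foreach ($link in $inh.InheritedGpoLinks) {
        [pscustomobject]@{
            Container        = $Target
            InheritanceBlock = $inh.GpoInheritanceBlocked
            Order            = $link.Order
            GPO              = $link.DisplayName
            GpoId            = $link.GpoId
            LinkedAt         = $link.Target
            Enabled          = $link.Enabled
            Enforced         = $link.Enforced
        }
    }
}

Get-GpoLinkReport -Target $domainDn | Format-Table -AutoSize
Get-GpoLinkReport -Target $ouDn     | Format-Table -AutoSize
```

Two things the report makes visible before any write: a link disabled with Set-GPLink -LinkEnabled No, as in the answer, is off for every object under the link's target, so at the domain root that is the whole domain rather than one workstation; and a link marked Enforced still applies through an inheritance block, so Set-GPInheritance -IsBlocked Yes on the computer's OU (the narrower change Harry Johnston's comment points to) only removes the non-enforced links. Both are changes to Active Directory and need rights on the domain, not local administrator rights on the PC.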