Local administrator accounts on Windows workstations can arbitrarily edit the registry and thus override many of the Group Policy settings that were initially applied. The best approach is not to grant local administrative privileges at all, but that can't always be done and in most cases isn't convenient.
For example, a number of pieces of software will only run as a privileged user. Installing software will also require administrative privileges in many cases.
To prevent Group Policy from being worked around this way, the following might be a solution:
Open Computer Configuration \ Administrative Templates \ System \ Group Policy
Look for the policies with names ending in "...policy processing". Open every such policy and select the checkbox "Process even if the Group Policy objects have not changed". This will force these policies to always be applied regardless of whether the GPO settings have actually changed or not.
Any local changes will then be undone the next time Group Policy is refreshed in the background.
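To check on a workstation that the setting has actually arrived, the following added example (not part of the original page) lists every configured "...policy processing" policy and whether it reprocesses unchanged GPOs. It assumes the checkbox is stored as the DWORD `NoGPOListChanges` (0 = process even if unchanged) under each extension's key in `HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy`; the function name is hypothetical.

```powershell
# Added example: audit the "Process even if the Group Policy objects have not
# changed" checkbox for every configured "...policy processing" policy.
# Assumption: the checkbox is stored as DWORD NoGPOListChanges (0 = checked)
# in a per-extension subkey, named by the extension's GUID, of $policyRoot.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
# Registered client-side extensions; the default value holds a friendly name.
$cseRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GpReprocessingState {
    if (-not (Test-Path -LiteralPath $policyRoot)) {
        Write-Warning 'No "...policy processing" policies are configured here.'
        return
    }
    Get-ChildItem -LiteralPath $policyRoot |
        Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $guid  = $_.PSChildName
            $value = $_.GetValue('NoGPOListChanges', $null)

            # Resolve the GUID to a readable extension name when one is registered.
            $name   = '(unknown extension)'
            $cseKey = Join-Path $cseRoot $guid
            if (Test-Path -LiteralPath $cseKey) {
                $default = (Get-Item -LiteralPath $cseKey).GetValue('')
                if ($default) { $name = $default }
            }

            $state = if ($null -eq $value) { 'NotConfigured' }
                     elseif ($value -eq 0) { 'AlwaysReprocess' }
                     else                  { 'OnlyWhenChanged' }

            [pscustomobject]@{
                Extension        = $name
                Guid             = $guid
                NoGPOListChanges = $value
                State            = $state
            }
        }
}

# Anything not in the AlwaysReprocess state leaves local edits in place
# until the GPO itself changes.
Get-GpReprocessingState | Sort-Object State, Extension | Format-Table -AutoSize
```

Run it from an elevated or standard PowerShell session after `gpupdate /force`; extensions for which no processing policy was set do not appear under the policy key at all.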