I have an urgent need to locally disable all GPOs from being pushed to a group of about 400 PCs and Servers.
Background:
I am in a rather large medical facility. IT manages daily work PCs (email, office, internet access), Biomed IT manages all Medical Systems (segregated through VLANS and ACLs). I am Biomed IT, our medical systems, though in an OU that isn't supposed to receive
updates, still receives updates about once a week. When this happens, the device is no longer certified for medical use (last week we had to spend $45k to get a vendor back out to re-image). The latest IT stunt pushed from region was to remove all admin rights
from both local IT and Biomed IT. While we are trying to restore access...
I need to find a way to block any and all policies being pushed to these devices without having domain admin rights. Most of these machines are setup with local admin accounts or with a Biomed Admin group given local admin rights.
To make things worse, this is a government facility in which IT will not make any domain side changes for us. Even though the FDA says these machines must be excluded, IT has simply said NO. The only option we have been able to come up with is to force the IT policies out of the medical systems so situations like this do not affect patient care. We have been denied (by the directors office) a request to put in place our own domain to manage these systems. All I would need is a trust to allow the users to continue to use their existing domain logins, but was also shot down by IT not allowing trusts. We have requested delegation to manage this OU and been denied.
My thoughts were to:
a) block required ports for updating on the Cisco ACLs or
b) to find a way to block domain policies through some local settings.
So far, all my searches have come up short on providing enough information to move forward with any certainty.
Any suggestions or recommendations is greatly appreciated.