Hmm. This article will most likely need to be republished regularly, given how often this phenomenon recurs and how misleading it is...
When a laptop is a member of a domain, its local policies cannot be modified while it is offline, even if you are an administrator.
What is misleading is that nothing tells you so! You can happily edit the policy values (with GPEDIT.msc), but your modifications will not be accepted.
You can only modify them when the machine is connected to the domain, i.e., when it can reach the domain controller. And even then, you can only do so provided you have the necessary Windows rights.
Why? This Windows behavior can be explained as follows:
When the machine is a member of a domain, the domain governs the security policies, or at least it takes hierarchical priority over the values defined locally. If the domain has defined policy item A (enabled with a value, or disabled), a member machine is not authorized to go against that directive and cannot define a local value for this item. If the domain has not defined this item, defining a local value on the machine is simply not possible. Matters get more complicated when the hierarchy is deeper, but the basic principle is the same.
Consequently, when a domain-member laptop is not connected to the domain, it cannot know whether a local policy modification would go against a rule defined at a higher level. Even though the local cache holds the domain's policies (the last known configuration continues to apply while the machine is offline), those policies may have changed since.
In practice, this is of little consequence, since by definition policies represent a relatively static configuration that is not changed often. Moreover, there is little reason for a laptop user to change them (more often than not, the user will not even have the Windows rights to do so).
The few recognized situations are as follows:
- Someone tests the ZoneCentral product on a standard laptop (a domain member) belonging to the organization, and continues the tests at home or offline. For the tests, he will want to try different policies and… will be surprised to find that his values are not accepted;
- the policies are deployed through a master installation (policy values bundled with the ZoneCentral installation) for the machines of a given domain, and that installation is carried out manually while the machine is not connected to the domain.
Example: the administrator has defined his policy values and, rather than managing them via the domain controller, has opted to create a master, i.e., values assigned during the installation of ZoneCentral. ZoneCentral allows this. He creates a CD-ROM or places the image to install somewhere for the users or installers. He does not set up a remote installation. In this case, there is a risk that a user or installer copies the image to a machine without proceeding with the installation immediately, doing it later instead, possibly at home, on the train, or otherwise offline. In this situation, if the laptop is a domain member, the master policies will not be applied.
Comment 1: a remote installation would have avoided the problem, since by definition it is done online…
Comment 2: when a domain is in place, it is much easier and more flexible to use it to manage and distribute the policies, without creating a master…
Note that the problem does not arise on a machine that is not a domain member (a workgroup machine), since by definition it is not "controlled" by any hierarchy.
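The following PowerShell pre-flight check is an added example written for this article; it is not code from the article or from the ZoneCentral product. Run it in an elevated session on the laptop before editing local policy with GPEDIT.msc: it reports whether the machine is a domain member (the workgroup case from the note above) and, if so, whether a domain controller is reachable right now, which is the condition under which local policy changes are accepted. It assumes the Windows-supplied nltest.exe, gpupdate and gpresult tools and the built-in Test-ComputerSecureChannel cmdlet; the function name Test-LocalPolicyEditable and the output fields are my own choice.

```powershell
# Added example (not from the original article): check whether local policy
# edits can be expected to take effect on this machine right now.
# Requires an elevated (administrator) PowerShell session.

function Test-LocalPolicyEditable {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Workgroup machine: no hierarchy above the local policy, edits apply directly.
    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{
            Computer     = $cs.Name
            DomainMember = $false
            Domain       = $cs.Workgroup
            DcReachable  = $null
            LocalEditsOk = $true
            Reason       = 'Workgroup member: local policy is not governed by a domain.'
        }
    }

    # Domain member: try to locate a domain controller, then verify that the
    # machine's secure channel to the domain is healthy.
    $dcReachable = $false
    $null = & nltest.exe /dsgetdc:$($cs.Domain) 2>&1
    if ($LASTEXITCODE -eq 0) {
        try {
            $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop
        } catch {
            $dcReachable = $false
        }
    }

    [pscustomobject]@{
        Computer     = $cs.Name
        DomainMember = $true
        Domain       = $cs.Domain
        DcReachable  = $dcReachable
        LocalEditsOk = $dcReachable
        Reason       = if ($dcReachable) {
            'Domain controller reachable: local edits can be evaluated against domain policy.'
        } else {
            'Offline from the domain: local policy edits will not be accepted; reconnect first.'
        }
    }
}

$result = Test-LocalPolicyEditable
$result | Format-List

# Once connected, refresh and list which policy sources actually applied to the
# computer; local settings show up under "Local Group Policy" in this report,
# domain settings under the GPOs that delivered them.
if ($result.DomainMember -and $result.DcReachable) {
    gpupdate /target:computer /force | Out-Null
    gpresult /r /scope:computer
}
```

The gpresult step is the useful after-the-fact check for the situations listed above: if a value edited in GPEDIT.msc does not appear as effective once the laptop is back on the domain, the report shows which domain GPO supplied the winning value instead.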