Make an exemption to a single user with GPO?

I have several users in their own OU with a GPO applied.

For 1 user, I would like to make it so that the last logon name will not show on the screen when they log off.

How can I modify or alter the GPO to allow this? Do I need to make another one?

Thanks.
ScottCL Asked:
 
tmack Commented:
Certainly this is not ideal, but I was just offering an option. With the new GPO management utility it’s very easy to troubleshoot GPO issues, as you can just see what GPOs are applied to specific objects. The deny was just another option; I would not personally select that. I would just not have the GPO applied to that individual.

My mistake in my first suggestion was that you want this to "apply" to only that user. So I would just create a GPO that has this option turned on and apply it only to them. That’s the best way to go.

Personally, I don’t make it a common practice to arbitrarily create OUs to suit a GPO schema, as it can easily clutter up your AD infrastructure. This is why I would avoid it.

If down the road you have more users that need this GPO applied, then simply add them to the list of users the GPO is applied to. Thus you can still maintain your OU structure.


T
0
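The security-filtering approach described in the comment above, sketched with the GroupPolicy PowerShell module. This is an added example and not part of the original thread; the GPO name, OU path and user name are hypothetical placeholders, and the logon setting itself is assumed to be configured separately in the GPO editor.

```powershell
# Added example: scope one GPO to a single user through security filtering.
# Every name below is a hypothetical placeholder, not a value from the thread.
Import-Module GroupPolicy

$GpoName  = 'Hide Last Logon Name'         # hypothetical GPO name
$TargetOu = 'OU=Staff,DC=example,DC=com'   # hypothetical OU holding the users
$UserName = 'jsmith'                       # hypothetical sAMAccountName

# Create the GPO if it does not exist yet; reuse it otherwise.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Exception GPO scoped to one user'
}

# Link it to the existing OU, so no extra OU is needed for the exception.
try {
    New-GPLink -Name $GpoName -Target $TargetOu -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Link not created (it may already exist): $($_.Exception.Message)"
}

# Lower Authenticated Users from Apply to Read. -Replace is needed because
# this reduces an existing permission. Read is kept so clients can still
# read the GPO; only the Apply right is taken away.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Grant Apply to the one user. Later exceptions are added the same way.
Set-GPPermission -Name $GpoName -TargetName $UserName `
    -TargetType User -PermissionLevel GpoApply | Out-Null

# Verify: list every trustee that currently holds Apply on this GPO.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name }
```

The final command should list only the single user; any other trustee in the output means the GPO still applies more widely than intended.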
 
joedoe58 Commented:
Make a new OU and set a policy on that OU that does what you want. Even if it is one user today, you do not know if there will be more users tomorrow.
0
 
tmack Commented:
The best way to do this is not to "apply" the GPO setting in the GPO management tool; go to the advanced settings to do this. So just add that user directly and remove that attribute, and maybe even "deny" the "apply", and it will keep it from applying to their account. Joe is correct too, to make a new OU, but depending on your organization that might not be a viable option.

T
0

 
joedoe58 Commented:
It is always a good thing to be consistent when working with GPOs. If you make exceptions from a rule then you will soon find yourself in a mess, since you do not know why a user has a problem. Therefore I recommend that you follow the same procedure to make exceptions as when you apply a rule; that way you have a consistent structure and it is much easier in the long run to make changes. As a rule of thumb you should try to never use deny in a GPO if it is possible to accomplish it in another way. I am saying this from experience, and I am sure that there are those that do not agree with me, but still this is my opinion.
0
 
ScottCL Author Commented:
So Joe, you would say to simply make an OU named something like "Logon Name Removed" or something, back up the current GPO, restore it to a new one in the new OU, make that single change to it, and move the user into it?
0
 
joedoe58 Commented:
Sounds fine to me :-)
0