shanna1017
asked on
Using a security group to deny access to default domain policy
I have automatic updates configured in our default domain policy and I'd like to exclude our production servers from it. I set up a security group and added all the computer accounts for the servers I want excluded. Then I added that security group to the group policy and checked deny apply policy. When I do a gpupdate and gpresult it still shows that it's applying the default domain policy. On the other hand, if I add just a single machine account to the ACL of the default domain policy and check the deny apply group policy it works as expected. When I run gpresult it shows that it's been blocked by the ACL.
Why won't this work with a security group containing the machine accounts?
Hi shanna1017,
You can use security filtering based on security groups as long as the group is under the same OU.
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true
Cheers!
ASKER
I will give your suggestion a try.