Solved

How to exclude a user or group from a Computer Configuration Group Policy

Posted on 2006-07-14
Last Modified: 2011-09-20
I am in the middle of testing an IP Security Policy under the Computer Configuration Group Policy that restricts internet access but allow Intranet access. The policy works great, but I am stuck trying to figure out how to exclude the IT department group or even users from being restricted from browsing the internet. Obviously if someone in IT must troubleshoot the PC, I do not want them to be restricted from the internet. Please advise.
Question by:dwilson7
 
LVL 30

Expert Comment

by:ded9
ID: 17107824
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 17107833
First, download and install Group Policy Management Console:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

It will make your group policy administration easy. You can install it on any Windows XP or Windows 2003 machine, even if your domain controllers are 2000.

Well, to avoid GP inheritance, just go to the IT Organizational Unit (if you don't have your IT partners apart in their own OU, the time has come to do that), right click it and choose "Block inheritance" and you are done.
 
LVL 25

Expert Comment

by:Ron M
ID: 17107884
First....Get GPMC (Group Policy Management Console) from Microsoft.com

Makes using group policy objects a lot easier.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

The above can be installed on Windows XP pro as well.

Using GPMC.....
Select your group policy object in the tree view. (default domain policy)
In the "Security Filtering" pane it shows the list of users/groups that have permissions to see and apply this GPO object.  This should say "authenticated users"....meaning everyone who logs on.  Now on the "delegation" tab, you will see an "advanced" button on the bottom right.  Click it.  Now add the group you want to exclude from this GPO.....for instance "Accounting Users", and select DENY "apply group policy".

Deny permissions always take precedence over allow, therefore any member of that group would be able to read the GPO, but not apply it to their machines.

Simple.

The other way would be to use organizational units within AD and apply only GPOs per OU as needed.  The above is the Microsoft "perfect world" recommendation.


good luck.
 

Author Comment

by:dwilson7
ID: 17108265
Thanks for all the comments, I guess I need to make myself clearer. I do have the GPMC loaded and working in a Windows 2003 domain. This policy will apply to only one OU that has about 50 PCs, therefore blocking inheritance won't do me any good, I think. I've tried the Deny "Applying Group Policy" in the security tab as well. Any other suggestions?
 
LVL 3

Expert Comment

by:Newsboy
ID: 17110167
So let me get this straight, you're applying a GP to your computers but you want it to apply only to certain Users. I could be wrong but I don't think that'll work. Computer policies are applied when the computer boots up, then the user policies are applied when the user logs in. This means that the computer policy is already applied and won't change due to someone that logs in. Can you do what you need to do with the user policies so it's already dependent on who logs in?
 

Author Comment

by:dwilson7
ID: 17110542
I've tried user policies but the issue is that users bounce around between departments so much that we couldn't keep up. I work in a hospital so there are so many employees that come and go and of course we are the last to know when these changes are being made. To answer your question, I want this policy to apply to everyone, except for the users in the IT department. Like I said, the policy works, but I cannot figure out how to exclude the IT staff from having this policy applied to them.
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 17111061
Just create another OU inside the existing one. Put all your IT objects inside this OU and block inheritance. Just like this:

OU 1: Our Computers
           |
           |
           \
             ------------ Sub OU: IT Staff

Author Comment

by:dwilson7
ID: 17111108
Thanks, I'll try that.
 
LVL 3

Expert Comment

by:Newsboy
ID: 17111159
What's your OU structure like? Are all of the employees in a single OU or are they separated?

Example 1
OU 1: Doctors
OU 2: Nurses
OU 3: Kitchen Staff
OU 4: IT Staff

Example 2
OU 1: All Users

Example 3
OU 1: All Users
     |
     \
      ------------OU 2: Doctors
     |
     \
      ------------OU 3: Nurses
     |
     \
      ------------OU 4: Kitchen Staff
     |
     \
      ------------OU 5: IT Staff

I know that every organization sets these up differently but how you have it set up makes a huge difference as to how to make this work. Also how are your computers set up, in their own OUs or mixed in with the users?
 

Author Comment

by:dwilson7
ID: 17111257
OU - Accting
          -Computers
          -Managers
          -Employees
 

Author Comment

by:dwilson7
ID: 17111275
Forgot to mention all the departments are set up like the OU sample from above. Basically, the next department would look like:

HR
  -Computers
  -Managers
  -Employees

and so forth.
 
LVL 3

Accepted Solution

by:
Newsboy earned 125 total points
ID: 17111379
I still don't think that blocking inheritance will work because you're blocking policies that aren't applied to the user anyway, they're applied to the computers. When a user is created they are then placed into the OU for their department, correct? So if that OU had the settings that restricted them from accessing the internet they would automatically be applied. I would create the GPO then link it to the Employees OU for each department. I could be wrong but I think that the only way to do it the way you want is to use the Users option.

Good Luck
 

Author Comment

by:dwilson7
ID: 17111916
I'll give that a try.
 
LVL 7

Expert Comment

by:nttranbao
ID: 17120272
I see. For the unaffected users, assign DENY READ on that policy. Or you can add those users to a GROUP, and assign DENY READ on that policy to the group.

I'm pretty sure because I have tried this successfully.

 
LVL 7

Expert Comment

by:nttranbao
ID: 17120285
ALSO set the APPLY POLICY to Deny.

Conclusion: set DENY on both READ POLICY and APPLY POLICY.

See reference: http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/Filter.htm
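The security-filtering approach (Deny "Apply Group Policy" / "Read") and the caveat raised in the thread that a Computer Configuration GPO is evaluated by the computer account at boot, not by whoever logs on, can be checked from the GroupPolicy module. This is an added audit script, not code from the thread or from Microsoft; it assumes the GroupPolicy PowerShell module (shipped with GPMC/RSAT on later Windows versions) and uses a placeholder GPO name.

```powershell
# Added example (not from the thread). Requires the GroupPolicy module from GPMC/RSAT.
# 'Restrict Internet Access' is a placeholder: replace it with the real GPO display name.
Import-Module GroupPolicy

$gpoName = 'Restrict Internet Access'   # placeholder name
$gpo     = Get-GPO -Name $gpoName

# Security filtering on a GPO is just its ACL: an account needs both Read and
# Apply Group Policy to process it, and a Deny ACE always wins over an Allow ACE.
$perms = Get-GPPermission -Name $gpoName -All

Write-Host "GPO '$($gpo.DisplayName)' status: $($gpo.GpoStatus)"
foreach ($p in $perms) {
    $kind = if ($p.Denied) { 'DENY ' } else { 'ALLOW' }
    Write-Host ('  {0} {1,-26} {2}\{3}' -f $kind, $p.Permission,
                $p.Trustee.Domain, $p.Trustee.Name)
}

# The point made in the thread: settings under Computer Configuration are applied
# when the machine boots, using the computer account's access to the GPO. A Deny
# ACE for a group of user accounts therefore does not stop those settings from
# applying to any PC those users log on to; only computer accounts (or groups of
# computer accounts) are evaluated for that half of the GPO.
$computerSide = $gpo.GpoStatus -in 'AllSettingsEnabled', 'UserSettingsDisabled'
$denyApply    = $perms | Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' }

foreach ($d in $denyApply) {
    if ($computerSide) {
        Write-Warning ("Deny Apply for '{0}' excludes computer accounts only; it will not " +
                       "exempt logged-on users from the Computer Configuration settings " +
                       "of '{1}'. Move the setting to User Configuration or filter on a " +
                       "group of computer accounts." -f $d.Trustee.Name, $gpoName)
    }
}
```

Run it with an account that can read GPO permissions; the listing shows every Allow/Deny ACE, and the warning fires for each Deny Apply entry on a GPO whose computer settings are enabled, which is exactly the case the original poster hit.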