Solved

How to exclude a user or group from a Computer Configuration Group Policy

Posted on 2006-07-14
15
544 Views
Last Modified: 2011-09-20
I am in the middle of testing an IP Security Policy under the Computer Configuration Group Policy that restricts internet access but allows intranet access. The policy works great, but I am stuck trying to figure out how to exclude the IT department group or even users from being restricted from browsing the internet. Obviously, if someone in IT must troubleshoot the PC, I do not want them to be restricted from the internet. Please advise.
Question by:dwilson7
 
LVL 30

Expert Comment

by:ded9
ID: 17107824
0
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 17107833
First, download and install Group Policy Management Console:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

It will make your group policy administration easy. You can install it on any Windows XP or Windows 2003, even if your domain controllers are 2000.

Well, to avoid GP inheritance, just go to the IT Organizational Unit (if you don't have your IT partners apart in their own OU, the time has come to do that), right-click it and choose "Block inheritance" and you are done.
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 17107884
First, get GPMC (Group Policy Management Console) from Microsoft.com.

Makes using group policy objects a lot easier.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

The above can be installed on Windows XP Pro as well.

Using GPMC:
Select your group policy object in the tree view (default domain policy).
In the "Security Filtering" pane it shows the list of users/groups that have permissions to see and apply this GPO object. This should say "Authenticated Users", meaning everyone who logs on. Now on the "Delegation" tab, you will see an "Advanced" button on the bottom right. Click it. Now add the group you want to exclude from this GPO, for instance "Accounting Users", and select DENY "Apply group policy".

Deny permissions always take precedence over allow, therefore any member of that group would be able to read the GPO, but not apply it to their machines.

Simple.

The other way would be to use organizational units within AD and apply only GPOs per OU as needed. The above is the Microsoft "perfect world" recommendation.


good luck.
0
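The "Delegation > Advanced > Deny Apply group policy" procedure described above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT). This is an added example, not code from the thread or from Microsoft; the GPO name, group name and domain are placeholders. The `Set-GPPermission` cmdlet only sets Allow permission levels, so the deny ACE is written to the GPO's Active Directory object (the GPC) with `Get-Acl`/`Set-Acl` on the `AD:` drive, using the schema GUID of the Apply-Group-Policy extended right. One caveat that matches the rest of this thread: Computer Configuration settings are evaluated in the computer account's security context, so a deny placed on a group of *users* does nothing for a computer-side policy; for such a GPO the group in `$GroupName` would have to contain the IT department's computer accounts.

```powershell
# Added example (not from the thread): deny "Apply Group Policy" on one GPO for one
# group, then show the resulting security filtering. Requires RSAT (GroupPolicy and
# ActiveDirectory modules) and rights to edit the GPO's permissions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Restrict Internet Access'   # assumed GPO display name (placeholder)
$GroupName = 'IT Staff'                   # assumed group to exclude (placeholder)

$gpo   = Get-GPO -Name $GpoName
$group = Get-ADGroup -Identity $GroupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Schema GUID of the "Apply-Group-Policy" extended right (rightsGuid in the AD schema).
$applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# $gpo.Path is the distinguished name of the GPO's container under
# CN=Policies,CN=System,<domain>; the AD: drive exposes it for Get-Acl/Set-Acl.
$gpcPath = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $gpcPath

# Explicit Deny ACE for the Apply-Group-Policy right, scoped to that one object type.
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight

$acl.AddAccessRule($denyApply)
Set-Acl -Path $gpcPath -AclObject $acl

# Verify: GPMC's "Security Filtering" view corresponds to these permission entries.
# The excluded group should show Permission = GpoApply with Denied = True.
Get-GPPermission -Name $GpoName -All |
    Select-Object Trustee, TrusteeType, Permission, Denied |
    Format-Table -AutoSize

# Member of the excluded group, on the machine in question, after a refresh:
#   gpupdate /target:computer /force
#   gpresult /r /scope computer     (the GPO should be listed under "filtered out")
```

Because the ACE is written to the AD object only, GPMC may report that the SYSVOL folder permissions for this GPO are inconsistent with Active Directory and offer to synchronise them; accepting that prompt is the expected way to bring the two in line. Re-running `Get-GPPermission -All` after the change is the quickest check that the deny landed on the intended trustee rather than on an unrelated account.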

Author Comment

by:dwilson7
ID: 17108265
Thanks for all the comments, I guess I need to make myself clearer. I do have the GPMC loaded and working in a Windows 2003 domain. This policy will apply to only one OU that has about 50 PCs, therefore blocking inheritance won't do me any good, I think. I've tried the Deny "Apply Group Policy" in the security tab as well. Any other suggestions?
0
 
LVL 3

Expert Comment

by:Newsboy
ID: 17110167
So let me get this straight, you're applying a GP to your computers but you want it to apply only to certain users. I could be wrong but I don't think that'll work. Computer policies are applied when the computer boots up, then the user policies are applied when the user logs in. This means that the computer policy is already applied and won't change due to someone that logs in. Can you do what you need to do with the user policies so it's already dependent on who logs in?
0
 

Author Comment

by:dwilson7
ID: 17110542
I've tried user policies but the issue is that users bounce around between departments so much that we couldn't keep up. I work in a hospital so there are so many employees that come and go and of course we are the last to know when these changes are being made. To answer your question, I want this policy to apply to everyone, except for the users in the IT department. Like I said, the policy works, but I cannot figure out how to exclude the IT staff from having this policy applied to them.
0
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 17111061
Just create another OU inside the existing one. Put all your IT objects inside this OU and block inheritance. Just like this:

OU 1: Our Computers
           |
           |
           \
             ------------ Sub OU: IT Staff
0
 

Author Comment

by:dwilson7
ID: 17111108
thanks, i'll try that.
0
 
LVL 3

Expert Comment

by:Newsboy
ID: 17111159
What's your OU structure like? Are all of the employees in a single OU or are they separated?

Example 1
OU 1: Doctors
OU 2: Nurses
OU 3: Kitchen Staff
OU 4: IT Staff

Example 2
OU 1: All Users

Example 3
OU 1: All Users
     |
     \
      ------------OU 2: Doctors
     |
     \
      ------------OU 3: Nurses
     |
     \
      ------------OU 4: Kitchen Staff
     |
     \
      ------------OU 5: IT Staff

I know that every organization sets these up differently but how you have it set up makes a huge difference as to how to make this work. Also, how are your computers set up, in their own OUs or mixed in with the users?
0
 

Author Comment

by:dwilson7
ID: 17111257
OU - Accting
          -Computers
          -Managers
          -Employees
0
 

Author Comment

by:dwilson7
ID: 17111275
Forgot to mention all the departments are set up like the OU sample from above. Basically, the next department would look like:

HR
  -Computers
  -Managers
  -Employees

and so forth.
0
 
LVL 3

Accepted Solution

by:
Newsboy earned 125 total points
ID: 17111379
I still don't think that blocking inheritance will work because you're blocking policies that aren't applied to the user anyway, they're applied to the computers. When a user is created they are then placed into the OU for their department, correct? So if that OU had the settings that restricted them from accessing the internet they would automatically be applied. I would create the GPO then link it to the Employees OU for each department. I could be wrong but I think that the only way to do it the way you want is to use the Users option.

Good Luck
0
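The accepted approach, a User Configuration GPO linked to the "Employees" sub-OU of every department except IT, scripted against the OU layout the asker describes (OU=<Department> containing Computers, Managers and Employees). This is an added example and not code from the thread; the GPO name, the name of the IT department OU and the domain are placeholders. It links the GPO only where it is not linked yet, so it can be re-run as departments are added.

```powershell
# Added example (not from the thread): link a user-side GPO to each department's
# "Employees" OU, skipping the IT department, and verify the links.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Restrict Internet Access (Users)'   # assumed GPO with user settings (placeholder)
$ItOuName = 'IT'                                # assumed name of the IT department OU (placeholder)
$domainDn = (Get-ADDomain).DistinguishedName

# Every OU named "Employees" in the domain, e.g. OU=Employees,OU=HR,DC=example,DC=local
$employeeOus = Get-ADOrganizationalUnit -Filter "Name -eq 'Employees'" -SearchBase $domainDn

foreach ($ou in $employeeOus) {
    # The parent RDN is the department, e.g. "OU=HR".
    $department = ($ou.DistinguishedName -split ',')[1]
    if ($department -eq "OU=$ItOuName") {
        Write-Output "Skipping $($ou.DistinguishedName) (IT keeps internet access)"
        continue
    }

    # Only add a link where the GPO is not already linked to this OU.
    $alreadyLinked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $GpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
        Write-Output "Linked '$GpoName' to $($ou.DistinguishedName)"
    }
}

# Report: which OUs now carry the link, in processing order.
foreach ($ou in $employeeOus) {
    (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName } |
        Select-Object Target, DisplayName, Enabled, Enforced, Order
}

# On a departmental PC, signed in as a departmental user and then as an IT user:
#   gpupdate /target:user /force
#   gpresult /r /scope user     (the GPO appears for the former only)
```

Because the restriction now travels with the user account's OU rather than with the computer, an IT staff member who signs in on a departmental PC to troubleshoot is not caught by it, which is the behaviour the asker wanted; the price, as the thread already notes, is that a user who moves departments must be moved between OUs for the policy to follow them.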
 

Author Comment

by:dwilson7
ID: 17111916
I'll give that a try.
0
 
LVL 7

Expert Comment

by:nttranbao
ID: 17120272
I see. For the unaffected users, assign DENY READ on that policy. Or you can add those users to a GROUP, and assign DENY READ on that policy to the group.

I'm pretty sure because I have tried this successfully.

0
 
LVL 7

Expert Comment

by:nttranbao
ID: 17120285
ALSO set the APPLY POLICY to Deny.

Conclusions : set DENY to Both READ POLICY and APPLY POLICY

See references : http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/Filter.htm
0