dwilson7
How to exclude a user or group from a Computer Configuration Group Policy

I am in the middle of testing an IP Security Policy under the Computer Configuration Group Policy that restricts internet access but allow Intranet access. The policy works great, but I am stuck trying to figure out how to exclude the IT department group or even users from being restricted from browsing the internet. Obviously if someone in IT must troubleshoot the PC, I do not want them to be restricted from the internet. Please advise.
ded9

First, download and install Group Policy Management Console:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

It will make your group policy administration easy. You can install it on any Windows XP or Windows 2003 machine, even if your domain controllers are 2000.

Well, to avoid GP inheritance, just go to the IT Organizational Unit (if you don't have your IT partners in their own OU, the time has come to do that), right click it and choose "Block inheritance" and you are done.
Ron Malmstead
First.... Get GPMC (Group Policy Management Console) from Microsoft.com

Makes using group policy objects a lot easier.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

The above can be installed on Windows XP pro as well.

Using GPMC.....
Select your group policy object in the tree view (default domain policy).
In the "Security Filtering" pane it shows the list of users/groups that have permissions to see and apply this GPO object. This should say "authenticated users", meaning everyone who logs on. Now on the "Delegation" tab, you will see an "Advanced" button on the bottom right. Click it. Now add the group you want to exclude from this GPO, for instance "Accounting Users", and select DENY "Apply group policy".

Deny permissions always take precedence over allow, therefore any member of that group would be able to read the GPO, but not apply it to their machines.

Simple.

The other way would be to use organizational units within AD and apply GPOs only per OU as needed. The above is the Microsoft "perfect world" recommendation.


Good luck.
dwilson7

ASKER

Thanks for all the comments, I guess I need to make myself clearer. I do have the GPMC loaded and working in a Windows 2003 domain. This policy will apply to only one OU that has about 50 PCs, therefore blocking inheritance won't do me any good, I think. I've tried the Deny "Applying Group Policy" in the security tab as well. Any other suggestions?
So let me get this straight, you're applying a GP to your computers but you want it to apply only to certain users. I could be wrong but I don't think that'll work. Computer policies are applied when the computer boots up, then the user policies are applied when the user logs in. This means that the computer policy is already applied and won't change due to someone that logs in. Can you do what you need to do with the user policies so it's already dependent on who logs in?
I've tried user policies but the issue is that users bounce around between departments so much that we couldn't keep up. I work in a hospital so there are so many employees that come and go and of course we're the last to know when these changes are being made. To answer your question, I want this policy to apply to everyone, except for the users in the IT department. Like I said, the policy works, but I cannot figure out how to exclude the IT staff from having this policy applied to them.
Just create another OU inside the existing one. Put all your IT objects inside this OU and block inheritance. Just like this:

OU 1: Our Computers
           |
           |
           \
             ------------ Sub OU: IT Staff
Thanks, I'll try that.
What's your OU structure like? Are all of the employees in a single OU or are they separated?

Example 1
OU 1: Doctors
OU 2: Nurses
OU 3: Kitchen Staff
OU 4: IT Staff

Example 2
OU 1: All Users

Example 3
OU 1: All Users
     |
     \
      ------------OU 2: Doctors
     |
     \
      ------------OU 3: Nurses
     |
     \
      ------------OU 4: Kitchen Staff
     |
     \
      ------------OU 5: IT Staff

I know that every organization sets these up differently but how you have it set up makes a huge difference as to how to make this work. Also, how are your computers set up, in their own OUs or mixed in with the users?
OU - Accting
          -Computers
          -Managers
          -Employees
Forgot to mention all the departments are set up like the OU sample from above. Basically, the next department would look like:

HR
  -Computers
  -Managers
  -Employees

and so forth.
ASKER CERTIFIED SOLUTION
Newsboy

I'll give that a try.
I see. For the unaffected users, assign the DENY READ to that policy. Or you can add those to a GROUP, and assign the DENY READ to that policy.

I'm pretty sure because I have tried this successfully.

ALSO set the APPLY POLICY to Deny.

Conclusion: set DENY on both READ POLICY and APPLY POLICY.

See reference: http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/Filter.htm
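The security filtering the thread sets by hand (Delegation > Advanced > Deny "Apply Group Policy", and the final post's Deny Read) can be applied and then verified from PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes a current domain with the RSAT GroupPolicy and ActiveDirectory modules, a GPO named "Restrict Internet Access" and a group "IT Workstations". Because the policy lives under Computer Configuration, it is evaluated against the computer account, so the trustee is a group of the IT machines rather than the IT users.

```powershell
# Added example: deny "Apply Group Policy" (and Read) on a GPO for one group,
# then list every Deny entry, since Deny ACEs are not shown in the GPMC
# "Security Filtering" pane, only under Delegation > Advanced.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Restrict Internet Access'   # assumed GPO name
$GroupName = 'IT Workstations'            # assumed group of IT *computer* accounts

# "Apply Group Policy" is an AD extended right with this well-known GUID.
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $GpoName
$group = Get-ADGroup -Identity $GroupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# GPO permissions are the ACL of its groupPolicyContainer object in AD;
# Get-GPO exposes that object's distinguished name as .Path.
$gpcPath = 'AD:\' + $gpo.Path
$acl = Get-Acl -Path $gpcPath

# Deny the extended right "Apply Group Policy" to the group.
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyGuid)
$acl.AddAccessRule($denyApply)

# The thread's accepted answer also denies Read; same mechanism, generic read right.
$denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($denyRead)

Set-Acl -Path $gpcPath -AclObject $acl

# Verify: show every Deny entry the GPO now carries for the group.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Denied } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

After the change, run gpupdate /force on an IT machine and check Resultant Set of Policy (gpresult /r) to confirm the GPO is reported as filtered out rather than applied.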