Solved

How to exclude a user or group from a Computer Configuration Group Policy

Posted on 2006-07-14
Last Modified: 2011-09-20
I am in the middle of testing an IP Security Policy under the Computer Configuration Group Policy that restricts internet access but allow Intranet access. The policy works great, but I am stuck trying to figure out how to exclude the IT department group or even users from being restricted from browsing the internet. Obviously if someone in IT must troubleshoot the PC, I do not want them to be restricted from the internet. Please advise.
Question by:dwilson7
15 Comments
 
LVL 30

Expert Comment

by:ded9
ID: 17107824
 
LVL 11

Expert Comment

by:Renato Montenegro Rustici
ID: 17107833
First, download and install Group Policy Management Console:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

It will make your group policy administration easy. You can install it on any Windows XP or Windows 2003, even if your domain controllers are 2000.

Well, to avoid GP inheritance, just go to the IT Organizational Unit (if you don't have your IT partners apart in their own OU, the time has come to do that), right click it and choose "Block inheritance" and you are done.
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 17107884
First, get GPMC (Group Policy Management Console) from Microsoft.com.

Makes using group policy objects a lot easier.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

The above can be installed on Windows XP pro as well.

Using GPMC:
Select your group policy object in the tree view (default domain policy).
In the "Security Filtering" pane it shows the list of users/groups that have permissions to see and apply this GPO object. This should say "Authenticated Users", meaning everyone who logs on. Now on the "Delegation" tab, you will see an "Advanced" button on the bottom right. Click it. Now add the group you want to exclude from this GPO, for instance "Accounting Users", and select DENY "Apply group policy".

Deny permissions always take precedence over allow, therefore any member of that group would be able to read the GPO, but not apply it to their machines.

Simple.

The other way would be to use organizational units within AD and apply only GPOs per OU as needed. The above is the Microsoft "perfect world" recommendation.

Good luck.
 

Author Comment

by:dwilson7
ID: 17108265
Thanks for all the comments, I guess I need to make myself clearer. I do have the GPMC loaded and working in a Windows 2003 domain. This policy will apply to only one OU that has about 50 PCs, therefore blocking inheritance won't do me any good, I think. I've tried the Deny "Applying Group Policy" in the security tab as well. Any other suggestions?
 
LVL 3

Expert Comment

by:Newsboy
ID: 17110167
So let me get this straight, you're applying a GP to your computers but you want it to apply only to certain users. I could be wrong but I don't think that'll work. Computer policies are applied when the computer boots up, then the user policies are applied when the user logs in. This means that the computer policy is already applied and won't change due to someone that logs in. Can you do what you need to do with the user policies so it's already dependent on who logs in?
 

Author Comment

by:dwilson7
ID: 17110542
I've tried user policies but the issue is that users bounce around between departments so much that we couldn't keep up. I work in a hospital so there are so many employees that come and go and of course we are the last to know when these changes are being made. To answer your question, I want this policy to apply to everyone, except for the users in the IT department. Like I said, the policy works, but I cannot figure out how to exclude the IT staff from having this policy applied to them.
 
LVL 11

Expert Comment

by:Renato Montenegro Rustici
ID: 17111061
Just create another OU inside the existing one. Put all your IT objects inside this OU and block inheritance. Just like this:

OU 1: Our Computers
           |
           |
           \
             ------------ Sub OU: IT Staff
 

Author Comment

by:dwilson7
ID: 17111108
Thanks, I'll try that.
 
LVL 3

Expert Comment

by:Newsboy
ID: 17111159
What's your OU structure like? Are all of the employees in a single OU or are they separated?

Example 1
OU 1: Doctors
OU 2: Nurses
OU 3: Kitchen Staff
OU 4: IT Staff

Example 2
OU 1: All Users

Example 3
OU 1: All Users
     |
     \
      ------------OU 2: Doctors
     |
     \
      ------------OU 3: Nurses
     |
     \
      ------------OU 4: Kitchen Staff
     |
     \
      ------------OU 5: IT Staff

I know that every organization sets these up differently but how you have it set up makes a huge difference as to how to make this work. Also, how are your computers set up, in their own OUs or mixed in with the users?
 

Author Comment

by:dwilson7
ID: 17111257
OU - Accting
          -Computers
          -Managers
          -Employees
 

Author Comment

by:dwilson7
ID: 17111275
Forgot to mention all the departments are set up like the OU sample from above. Basically, the next department would look like:

HR
  -Computers
  -Managers
  -Employees

and so forth.
 
LVL 3

Accepted Solution

by:
Newsboy earned 500 total points
ID: 17111379
I still don't think that blocking inheritance will work because you're blocking policies that aren't applied to the user anyway; they're applied to the computers. When a user is created they are then placed into the OU for their department, correct? So if that OU had the settings that restricted them from accessing the internet they would automatically be applied. I would create the GPO then link it to the Employees OU for each department. I could be wrong but I think that the only way to do it the way you want is to use the Users option.

Good luck.
 

Author Comment

by:dwilson7
ID: 17111916
I'll give that a try.
 
LVL 7

Expert Comment

by:nttranbao
ID: 17120272
I see. For the unaffected users, assign DENY READ on that policy. Or you can add those users to a GROUP, and assign DENY READ on that policy to the group.

I'm pretty sure because I have tried this successfully.
 
LVL 7

Expert Comment

by:nttranbao
ID: 17120285
ALSO set the APPLY POLICY to Deny.

Conclusion: set DENY on both READ POLICY and APPLY POLICY.

See reference: http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/Filter.htm
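The thread's two competing answers (deny "Apply Group Policy" / "Read" on the GPO, versus Newsboy's point that a Computer Configuration policy is evaluated for the computer account, not the logged-on user) can be checked before anyone relies on the exclusion. The script below is an added example, not code from the thread or from Microsoft; it assumes the RSAT GroupPolicy module (Get-GPO, Get-GPPermission) on a domain-joined admin host, and the GPO name "Intranet Only IPSec" is a placeholder.

```powershell
# Added example: audit who is denied on a GPO and flag deny entries that cannot
# exclude anyone because the GPO carries only Computer Configuration settings.
Import-Module GroupPolicy

function Test-GpoExclusion {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $gpo = Get-GPO -Name $GpoName -Domain $Domain
    # DSVersion stays 0 for a configuration half that has never been edited
    $hasComputerSettings = $gpo.Computer.Enabled -and $gpo.Computer.DSVersion -gt 0
    $hasUserSettings     = $gpo.User.Enabled     -and $gpo.User.DSVersion     -gt 0

    # -All lists every ACE on the GPO, including Deny entries (Denied = $true)
    $denies = Get-GPPermission -Name $GpoName -Domain $Domain -All |
              Where-Object { $_.Denied }

    foreach ($p in $denies) {
        $who  = '{0}\{1}' -f $p.Trustee.Domain, $p.Trustee.Name
        $kind = $p.Trustee.TrusteeType   # User, Group, Computer, WellKnownGroup, ...
        $note = 'ok'
        if ($hasComputerSettings -and -not $hasUserSettings) {
            if ($kind -eq 'User') {
                # Computer-side settings are applied with the computer account's
                # token at boot, so a deny on a user account excludes nothing.
                $note = 'deny on a user cannot exclude computer-side settings'
            } elseif ($kind -eq 'Group') {
                # A group only excludes computer settings if it contains the
                # computer accounts; a group of IT users does not.
                $note = 'effective only if the group contains computer accounts'
            }
        }
        [pscustomobject]@{
            GPO        = $GpoName
            Trustee    = $who
            Type       = $kind
            Permission = $p.Permission   # GpoRead or GpoApply for a deny
            Note       = $note
        }
    }
}

Test-GpoExclusion -GpoName 'Intranet Only IPSec' | Format-Table -AutoSize
```

Run it after adding the deny entries; if every row for the IT group is flagged, the exclusion needs to target computer accounts (or the policy needs to move to User Configuration, as the accepted answer suggests) rather than the users.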