
Server logon accounts are mapping drives now that we switched to group policy site policies to map drives.  How do we avoid this?

Last Modified: 2010-04-18
I just changed the way users map drives, by running the login script through group policy based on the site the user is in instead of the profile tab in Active Directory.  This now allows our users to move between offices and map the correct set of drives based on their location.  The downside I have just come across is that my service accounts for servers now run the login script and map drives.  Is there any way to avoid this?  What are my other options?

If you had done it on an OU, you could move the accounts to a different OU.

Author commented:
The problem with doing it by OU is we would have to move the user to a different OU when they go to a different office.
How many clients do you have that swap between locations?

Author commented:
What I mean by service accounts is really administrative accounts for logging onto the servers and running some services.  So you are saying create a Security Group in AD and make them all members, then under the policy deny the group just created?
Nod, precisely.
That'll do it.
In the GPMC under the delegation tab, you can add computers or groups to that list.  From there, you can select advanced and deny read/apply access for those systems.

Author commented:
Is there any way to deny the policy by AD container?

So say my Member Servers would run the policy.  Where it is going to get tricky is with the domain controllers.  I cannot deny them.

Author commented:
Or...what if I created a new AD Site just for servers?  Right now I have sites just set up as different physical locations.  I would not need a site policy on the server site and thus no logon script would run.
Per M$ best practices on AD, you should have two top-level containers for servers: one for domain controllers and one for member servers.  Inside the member servers container, you could break them down by function (Exchange, terminal server, web, etc.).

Depending on how many gpo's you have, be careful about nested groups.  Too many nested groups may cause some policies not to be applied.

Author commented:
I tried creating a computers-only group and added the computer accounts, then denied them in GPMC, but the scripts still ran.
By default, windows creates an AD container called 'computers'.  Try a different name.  If the gpo is top level to the domain (meaning that the newly created container(s) will inherit the gpo), then go into that gpo's delegation tab, add the computer(s) or group, then click advanced in the bottom corner on the delegation tab and deny apply/read access to that gpo.

Remember that if you want to test whether it is being applied, you have to run gpupdate /force from the command prompt, or wait 60 minutes for the computers to refresh themselves.

Then you can run gpresult to see what applied.  The gpresult will say under the computer configuration that the policy was denied.
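The deny-by-security-group approach from the two answers above (the Delegation-tab deny, and the retry with a group after the computers-only group did not work), as an added PowerShell example that is not part of the original thread. Two points the thread does not spell out matter for getting it to work. First, the logon script is a User Configuration setting, so security filtering on the GPO is evaluated against the logged-on user's token, not the computer's; that is why denying computer accounts changed nothing, and why the group has to hold the administrative user accounts that log on to the servers. Second, deny only Apply Group Policy, not Read: if the excluded accounts are also the admins who edit the GPO, a Deny Read hides the GPO from them in GPMC, while a deny on Apply alone is enough for the setting to be skipped. The GPO name, group name and account names are placeholders, and the script assumes the RSAT GroupPolicy and ActiveDirectory modules and a domain-admin session.

```powershell
# Added example, not from the original thread. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules are installed and the session has domain-admin rights.
# All names below are placeholders; adjust to your GPO, group and accounts.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Site Logon Script - Boston'   # placeholder: the site-linked logon script GPO
$groupName = 'GPO-NoLogonScript'            # placeholder: group of accounts to exclude
$members   = @('svc-backup', 'adm-jsmith')  # placeholder: USER accounts that log on to servers

# 1. Create the exclusion group if it does not exist yet, then add the admin/service accounts.
#    These must be user accounts: the logon script is a User Configuration setting and the
#    filter is evaluated against the user's token, so computer accounts here do nothing.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
}
Add-ADGroupMember -Identity $group -Members $members

# 2. Build a Deny ACE for the "Apply Group Policy" extended right on the GPO's AD object.
#    edacfd8f-ffb3-11d1-b41d-00a0c968f939 is the schema GUID of that control access right.
#    Only Apply is denied; Read is left alone so the same admins can still open the GPO in GPMC.
$applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$deny   = [System.Security.AccessControl.AccessControlType]::Deny
$denyApply = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $group.SID, $rights, $deny, $applyGroupPolicyRight

# 3. Write the ACE. Get-GPO's Path property is the DN of the groupPolicyContainer object,
#    reachable through the AD: drive that the ActiveDirectory module provides.
$gpo    = Get-GPO -Name $gpoName
$adPath = "AD:\$($gpo.Path)"
$acl    = Get-Acl -Path $adPath
$acl.AddAccessRule($denyApply)
Set-Acl -Path $adPath -AclObject $acl

# 4. Verify from the directory side: every Deny ACE on the GPO, which should now include
#    the group with ExtendedRight and ObjectType edacfd8f-ffb3-11d1-b41d-00a0c968f939.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# 5. Verify from the client side. Logon scripts only run at logon, so log on to a server
#    with one of the excluded accounts (not just gpupdate) and then run:
#       gpresult /r /scope:user
#    Under USER SETTINGS the GPO should be listed in
#    "The following GPOs were not applied because they were filtered out"
#    with "Filtering: Denied (Security)".
```

The Delegation tab's Advanced dialog writes exactly this kind of ACE; the script just makes the deny explicit and auditable. Because the GPO is linked at the site, the same group excludes those accounts at every office without touching OU placement, which is the author's constraint earlier in the thread. Keep the group flat: the token-size caveat about heavily nested groups raised above applies to this group too.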