Apply GPO to some users but not others

Posted on 2008-01-31
Last Modified: 2010-03-17
We have some organizational directors and a few other users that I want to allow to select their own IE homepage, but for all other users I want to set it to our intranet homepage. I can do one or the other without a problem but want to do both. We have OUs set up for the different parts of the organizations and the directors need to stay with their units, so moving all the relevant people to the same OU is not an option (at least without going thru my boss with an explanation and OK). I have created a 'no homepage' group and added the directors to it and created a policy called 'no homepage', but it is basically empty (since I do not want to set the homepage with it) and it gets ignored by the GPO and the homepage settings from the 'users policy' are applied to the directors along with everyone else. How do I do this?
Question by: LarryDAH

15 Comments
LVL 1

Expert Comment

by:rudack
ID: 20790436
Easy way is just put another OU in each Directory and put the user in its own OU and make sure the GP is not inheriting. Apply your new policy and you're good to go.

Example
MYORG
Sub- Management - Sub- Homepage Group
LVL 19

Expert Comment

by:PeteJThomas
ID: 20790537
I have never tested this, but I have it on good authority that it works -

Create a Security Group containing all the users you're referring to.

Using the Group Policy Management Console, navigate to the Group Policy Objects.

Select the Group policy that you want to exclude the users from, and go into the 'Delegation' Tab. Then click on the advanced button, and add the group you created containing the users you want to exclude from that GPO.

Once added, you can 'DENY' that group the 'Apply Group Policy' and 'Read' permissions for that GPO.

This should stop that GPO from apply... I'll be interested to see it proven! Let me know if it helps...
LVL 9

Expert Comment

by:Frank McCourry
ID: 20790637
Using Active Directory Console:
Create a new organizational unit (OU) for the users you want excluded.  Make sure this OU is at the same level or within a different root level of Active Directory.  Move your users from their existing OU and then apply only the policies they need to the new OU.

If your users are in the default containers, and your policies are applied at the domain level, you will need to create 2 OUs and then move the policies from the domain level and apply them to the proper containers:

DOMAIN
   |--Users  < Once you move the policies, users here will only be affected by the Domain Policy
   |--NEW OU 1  <Apply existing policies from the domain level here
   |--New OU 2  <Apply the new policies for the group you want excluded here
          |--- an OU here would be affected by all Policies above it except NEW OU 1

It's a hierarchy. Just remember that higher level policies only affect OUs under them. Lower OUs are only affected by policies directly in their branch of the tree.
LVL 19

Expert Comment

by:PeteJThomas
ID: 20790726
Correct me if I'm wrong, but I believe in the original post he said that moving them all to different OUs is not an option?
LVL 9

Expert Comment

by:Frank McCourry
ID: 20790862
I stand corrected...  Guess I should have read that more carefully.  

However, creating a nested OU under the same OU that the users are already in, and then changing the higher level policy to allow the users to set their own web page, then adding a policy to the new, lower level OU to restrict the homepage, would accomplish the same thing.  All the while making policies that are easier to manage and troubleshoot.
LVL 19

Expert Comment

by:PeteJThomas
ID: 20790931
I like the idea! I wouldn't have thought of that... Still, I'd like to find out if my method actually works! I can't test it at my new job, AD is looked after by a 3rd party and we don't have the necessary perms to play with GPOs... :(
LVL 9

Expert Comment

by:Frank McCourry
ID: 20791027
@ Pete -
I believe it would work, there is no reason I can think of why it wouldn't.  It would just be difficult to troubleshoot later, when everyone has forgotten about this thread.

I would also think that this method would cause 1030 and 1058 errors in the system event log, since the GPO's could not be applied because of denied access.  

Author Comment

by:LarryDAH
ID: 20791366
PeteJThomas, looking at your suggestion I think it would work but I need two nearly identical policies if I read the logic correctly. Both are the same except one would not set a homepage and the other would. I then create a group that has my directors in it. I would deny that group access to the policy that sets the homepage along with other settings but allow them access to the policy that sets everything but the homepage. I would enable both and which one that has precedence does not matter. Yes, no, maybe?
LVL 19

Accepted Solution

by: PeteJThomas (earned 500 total points)
ID: 20791445
If I understand you correctly, then whichever has precedence would make no difference in this particular scenario.

Denying them 'Apply Group Policy' perms to a specific GPO will quite simply stop that single GPO from applying in its entirety. You don't need to 'allow' them access to the other policy, as if they're in the OU that the policy applies to, it will apply anyway.

You would just need to DENY them access to the one that sets the homepage, and job done.

If it's the sole purpose of this policy to set the homepage, and it's set at the domain level, denying that security group access would have the desired effect.

However it sounds like your policy has other functions besides setting the homepage, that you DO want to apply to that group... I don't want to confuse things, but it might be easier to have a lone GPO that sets the homepage, and just exclude them from it. Then any other GPOs (i.e. the ones including the settings you do want the directors to have) would apply as normal.

Given all that, as Frank pointed out, it may be a little difficult to troubleshoot in the future (especially if you left the company and nobody knew how you'd done it!) So it's up to you which route you take! :)

Sorry if I've rattled on too much... It's near my bed time... :)

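The security filter PeteJThomas describes, as an added PowerShell example that is not from the thread: it denies only the 'Apply Group Policy' right on one GPO to the directors' group (Read stays allowed) and then lists every Deny filter in the domain so the arrangement is discoverable by whoever troubleshoots it later, which is the concern Frank raises. The GPO name 'Homepage Policy', the group name 'No Homepage' and the `Denied` property on `Get-GPPermission` output are assumptions; the RSAT GroupPolicy and ActiveDirectory modules are required.

```powershell
# Added example, not code from the thread. Assumes the GPO 'Homepage Policy' and the
# security group 'No Homepage' exist and that the caller can edit GPO permissions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Well-known GUID of the 'Apply Group Policy' extended right on groupPolicyContainer objects.
$ApplyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GpoApply {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $gpo = Get-GPO -Name $GpoName
    $sid = (Get-ADGroup -Identity $GroupName).SID
    # Set-GPPermission only writes Allow ACEs, so the Deny goes onto the ACL of the
    # GPO's AD object directly. $gpo.Path is the DN of that object.
    $path = "AD:\$($gpo.Path)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid,
                      [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                      [System.Security.AccessControl.AccessControlType]::Deny,
                      $ApplyGroupPolicyRight
    $acl.AddAccessRule($rule)
    # Read is deliberately not denied: the client can still see the GPO, it just never applies it.
    Set-Acl -Path $path -AclObject $acl
}

function Get-GpoDenyFilters {
    # Report every explicit Deny on every GPO so the filter is not a hidden surprise later.
    # Assumes GPPermission objects expose a boolean 'Denied' property.
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Denied } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                }
            }
    }
}

Deny-GpoApply -GpoName 'Homepage Policy' -GroupName 'No Homepage'
Get-GpoDenyFilters | Format-Table -AutoSize
```

Because the ACL is written outside GPMC, the console may later report that the GPO's AD and SYSVOL permissions differ and offer to repair them; accepting that keeps the two in sync without removing the Deny.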

Author Comment

by:LarryDAH
ID: 20791452
PeteJThomas, well, I just thought about that a little more and I think I have it backwards. I will remove the homepage setting from my primary user policy and apply it to everyone as usual. I will create a homepage policy that does set the homepage and apply it to everyone but under Custom deny it to the directors group. How does that sound?
LVL 19

Expert Comment

by:PeteJThomas
ID: 20791462
lol - I think you just summed up my entire explanation in a few lines... Yes, I think that was the point I was making in my most recent post... lol

Author Comment

by:LarryDAH
ID: 20791856
Looks like we were thinking the same thing at the same time. I tested this setup and it works. Thanks.
LVL 19

Expert Comment

by:PeteJThomas
ID: 20791891
Excellent! I'm glad it worked for you, and just as glad that I now know for certain that it works!! :) But keep this post in mind, as if my method proves problematic in the future, you may need to reference the solutions from the others...
LVL 9

Expert Comment

by:Frank McCourry
ID: 20795964
@ LarryDAH

I'm interested if this solution is generating any errors in your error log.  Simply out of curiosity, if this is working without errors, I would like to note this post for future use.
LVL 19

Expert Comment

by:PeteJThomas
ID: 20796148
Me too... But the point you made makes sense, so I'd be pleasantly surprised if there were no errors in the logs... If the logs log unsuccessful logon attempts etc, they're bound to log unsuccessful GPO attempts! (Or so common sense would dictate, no?)