Apply GPO to some users but not others

We have some organizational directors and a few other users that I want to allow to select their own IE homepage, but for all other users I want to set it to our intranet homepage. I can do one or the other without a problem but want to do both. We have OUs set up for the different parts of the organization and the directors need to stay with their units, so moving all the relevant people to the same OU is not an option (at least without going through my boss with an explanation and OK). I have created a 'no homepage' group and added the directors to it and created a policy called 'no homepage', but it is basically empty (since I do not want to set the homepage with it) and it gets ignored by the GPO and the homepage settings from the 'users policy' are applied to the directors along with everyone else. How do I do this?
LarryDAH Asked:
rudack Commented:
Easy way is just put another OU in each Directory and put the user in its own OU and make sure the GP is not inheriting. Apply your new policy and you're good to go.

Example:
MYORG
   |-- Sub: Management
          |-- Sub: Homepage Group
0
PeteJThomas Commented:
I have never tested this, but I have it on good authority that it works -

Create a Security Group containing all the users you're referring to.

Using the Group Policy Management Console, navigate to the Group Policy Objects.

Select the Group policy that you want to exclude the users from, and go into the 'Delegation' Tab. Then click on the advanced button, and add the group you created containing the users you want to exclude from that GPO.

Once added, you can 'DENY' that group the 'Apply Group Policy' and 'Read' permissions for that GPO.

This should stop that GPO from applying... I'll be interested to see it proven! Let me know if it helps...
0
Frank McCourry, V.P. Holland Computers, Inc. Commented:
Using Active Directory Console:
Create a new organizational unit (OU) for the users you want excluded.  Make sure this OU is at the same level or within a different root level of Active Directory.  Move your users from their existing OU and then apply only the policies they need to the new OU.

If your users are in the default containers, and your policies are applied at the domain level, you will need to create two OUs and then move the policies from the domain level and apply them to the proper containers:

DOMAIN
   |--Users  < Once you move the policies, users here will only be affected by the Domain Policy
   |--NEW OU 1  < Apply existing policies from the domain level here
   |--NEW OU 2  < Apply the new policies for the group you want excluded here
          |--- an OU here would be affected by all policies above it except NEW OU 1

It's a hierarchy. Just remember that higher level policies only affect OUs under them. Lower OUs are only affected by policies directly in their branch of the tree.
0

PeteJThomas Commented:
Correct me if I'm wrong, but I believe in the original post he said that moving them all to different OUs is not an option?
0
Frank McCourry, V.P. Holland Computers, Inc. Commented:
I stand corrected...  Guess I should have read that more carefully.  

However, creating a nested OU under the same OU that the users are already in, and then changing the higher level policy to allow the users to set their own web page, then adding a policy to the new, lower level OU to restrict the homepage, would accomplish the same thing.  All the while making policies that are easier to manage and troubleshoot.
0
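Frank's nested-OU layout from the comment above, written out in PowerShell. This is an added example, not code from the thread. It assumes the unit's existing OU is OU=Finance,DC=example,DC=com, that the intranet home page is http://intranet.example.com/, that the directors are the members of the thread's 'no homepage' group, and that the home page is enforced with the 'Disable changing home page settings' Administrative Template setting (the thread never says which setting the 'users policy' uses). It needs RSAT (the ActiveDirectory and GroupPolicy modules) and an account that can create OUs and GPOs.

```powershell
# Added example, not from the original thread. The OU, URL and group name
# below are assumptions; the registry values are the ones written by the
# "Disable changing home page settings" Administrative Template setting
# (User Configuration > Administrative Templates > Windows Components >
# Internet Explorer), which is an assumption about how the home page is set.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$unitOU       = 'OU=Finance,DC=example,DC=com'   # assumed: the unit's existing OU
$intranetUrl  = 'http://intranet.example.com/'   # assumed intranet home page
$directorsGrp = 'no homepage'                     # group name from the thread

# 1. Nested OU under the unit OU. Directors stay in $unitOU; everyone else moves here.
$staffOU = New-ADOrganizationalUnit -Name 'Staff' -Path $unitOU -PassThru

# 2. A GPO whose only job is the home page, so nothing else rides along with it.
$gpo     = New-GPO -Name 'Homepage' -Comment 'Forces the intranet home page; link to Staff OUs only'
$ieMain  = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Main'
$iePanel = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $ieMain  -ValueName 'Start Page' -Type String -Value $intranetUrl | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $iePanel -ValueName 'HomePage'   -Type DWord  -Value 1            | Out-Null

# 3. Link it to the nested OU only. The parent OU, where the directors stay, is untouched,
#    so the higher-level policy can stop setting a home page without affecting anyone else.
New-GPLink -Name $gpo.DisplayName -Target $staffOU.DistinguishedName -LinkEnabled Yes | Out-Null

# 4. Move every user sitting directly under the unit OU who is not a director into Staff.
$directors = Get-ADGroupMember -Identity $directorsGrp -Recursive |
             Select-Object -ExpandProperty DistinguishedName
Get-ADUser -SearchBase $unitOU -SearchScope OneLevel -Filter * |
    Where-Object { $directors -notcontains $_.DistinguishedName } |
    Move-ADObject -TargetPath $staffOU.DistinguishedName

# 5. Check what a moved user inherits: the home page GPO should appear with Target = Staff OU,
#    alongside whatever is linked at the unit OU and the domain.
Get-GPInheritance -Target $staffOU.DistinguishedName |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Select-Object DisplayName, Target, Enabled
```

The point of step 4 is that it still moves the non-director users, only one level down inside their own unit rather than out of it; if even that needs sign-off, the security-filtering route later in the thread leaves every account where it is.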
PeteJThomas Commented:
I like the idea! I wouldn't have thought of that... Still, I'd like to find out if my method actually works! I can't test it at my new job, AD is looked after by a 3rd party and we don't have the necessary perms to play with GPOs... :(
0
Frank McCourry, V.P. Holland Computers, Inc. Commented:
@ Pete -
I believe it would work, there is no reason I can think of why it wouldn't.  It would just be difficult to troubleshoot later, when everyone has forgotten about this thread.

I would also think that this method would cause 1030 and 1058 errors in the system event log, since the GPOs could not be applied because of denied access.
0
LarryDAH Author Commented:
PeteJThomas, looking at your suggestion I think it would work, but I need two nearly identical policies if I read the logic correctly. Both are the same except one would not set a homepage and the other would. I then create a group that has my directors in it. I would deny that group access to the policy that sets the homepage along with other settings but allow them access to the policy that sets everything but the homepage. I would enable both and which one has precedence does not matter. Yes, no, maybe?
0
PeteJThomas Commented:
If I understand you correctly, then whichever has precedence would make no difference in this particular scenario.

Denying them 'Apply Group Policy' perms to a specific GPO will quite simply stop that single GPO from applying in its entirety. You don't need to 'allow' them access to the other policy, as if they're in the OU that the policy applies to, it will apply anyway.

You would just need to DENY them access to the one that sets the homepage, and job done.

If it's the sole purpose of this policy to set the homepage, and it's set at the domain level, denying that security group access would have the desired effect.

However it sounds like your policy has other functions besides setting the homepage, that you DO want to apply to that group... I don't want to confuse things, but it might be easier to have a lone GPO that sets the homepage, and just exclude them from it. Then any other GPOs (i.e. the ones including the settings you do want the directors to have) would apply as normal.

Given all that, as Frank pointed out, it may be a little difficult to troubleshoot in the future (especially if you left the company and nobody knew how you'd done it!) So it's up to you which route you take! :)

Sorry if I've rattled on too much... It's near my bed time... :)

0
LarryDAH Author Commented:
PeteJThomas, well, I just thought about that a little more and I think I have it backwards. I will remove the homepage setting from my primary user policy and apply it to everyone as usual. I will create a homepage policy that does set the homepage and apply it to everyone but under Custom deny it to the directors group. How does that sound?
0
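The Delegation > Advanced steps PeteJThomas gave earlier, and the split Larry settles on just above (a home-page-only GPO, denied to the directors' group), done from PowerShell instead of the GPMC dialog. This is an added example, not code from the thread. It assumes the home-page-only GPO is named 'Homepage' and the directors' group is 'no homepage' (the thread's names; the objects on any given domain will differ), that RSAT (the GroupPolicy and ActiveDirectory modules) is installed, and that the account running it may edit the GPO's security. Set-GPPermission has no Deny permission level, so the two Deny entries are written straight onto the GPO's container object in AD, which is the object the client checks when it decides whether a GPO is filtered out for the current user.

```powershell
# Added example, not from the original thread. GPO and group names are the
# thread's; treat them as placeholders. Needs the GroupPolicy and
# ActiveDirectory modules (RSAT) and rights to modify the GPO's security.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Homepage'      # GPO whose only setting is the IE home page
$groupName = 'no homepage'   # directors who may pick their own home page

# Security filtering is evaluated against the GPO's AD object (the Group
# Policy Container): CN={<gpo guid>},CN=Policies,CN=System,<domain DN>.
$gpo    = Get-GPO -Name $gpoName
$domain = Get-ADDomain
$gpcDN  = "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"
$group  = Get-ADGroup -Identity $groupName
$sid    = [System.Security.Principal.SecurityIdentifier]$group.SID

# Rights GUID of the "Apply Group Policy" extended right.
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$acl = Get-Acl -Path "AD:\$gpcDN"

# Deny "Apply Group Policy" (an extended right, hence ExtendedRight + rights GUID).
$denyApply = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# Deny Read too, the same pair the GPMC Delegation > Advanced dialog sets.
$denyRead = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$acl.AddAccessRule($denyApply)
$acl.AddAccessRule($denyRead)
Set-Acl -Path "AD:\$gpcDN" -AclObject $acl

# Check 1: GPMC's view of the GPO should now list the group as a denied trustee.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Trustee.Name -eq $groupName } |
    Format-List Trustee, Permission, Denied, Inherited

# Check 2: everyone else must still be able to read and apply it. Authenticated
# Users (or the Domain Computers read entry added for MS16-072) must remain allowed.
Get-GPPermission -Name $gpoName -All |
    Where-Object { -not $_.Denied } |
    Format-Table Trustee, Permission -AutoSize
```

To confirm the effect on a director, run `gpresult /r /scope:user` in their session: the Homepage GPO moves from the applied list to "The following GPOs were not applied because they were filtered out" with the reason Denied (Security). Two caveats. Deny entries are invisible on the Scope tab and only show under Delegation > Advanced, which is the troubleshooting cost Frank points out, so record it in the GPO's comment. And Set-Acl changes only the AD object; GPMC keeps the matching ACL on the GPO's SYSVOL folder in step when you use its dialog, so the next time the GPO is opened in GPMC it may report that the SYSVOL permissions are inconsistent and offer to fix them, which is safe to accept.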
PeteJThomas Commented:
lol - I think you just summed up my entire explanation in a few lines... Yes, I think that was the point I was making in my most recent post... lol
0
LarryDAH Author Commented:
Looks like we were thinking the same thing at the same time. I tested this setup and it works. Thanks.
0
PeteJThomas Commented:
Excellent! I'm glad it worked for you, and just as glad that I now know for Certain that it works!! :) But keep this post in mind, as if my method proves problematic in the future, you may need to reference the solutions from the others...
0
Frank McCourry, V.P. Holland Computers, Inc. Commented:
@ LarryDAH

I'm interested if this solution is generating any errors in your error log.  Simply out of curiosity, if this is working without errors, I would like to note this post for future use.
0
PeteJThomas Commented:
Me too... But the point you made makes sense, so I'd be pleasantly surprised if there were no errors in the logs... If the logs log unsuccessful logon attempts etc, they're bound to log unsuccessful GPO attempts! (Or so common sense would dictate, no?)
0