Solved

Denying GPO to AD group

Posted on 2009-04-04
8
337 Views
Last Modified: 2012-05-06
Hi

We are running Windows 2003 AD.

I have a GPO that will cause some restrictions on users logging onto computers within a certain OU.

I would like it that anyone in the AD group, Group1, did not have these settings applied.

Is it possible to deny the GPO to this group and how?

Also - say I had a setting that prevented from users from shutting down the server, would this apply to anyone logging onto the server, even those in the Adminstrators (local) group?

Cheers!
0
Comment
Question by:kam_uk
  • 4
  • 3
8 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 250 total points
Comment Utility
> Is it possible to deny the GPO to this group and how?

In the Group Policy Management Console, click Advanced in the "this GPO applies to the following blah blah blah" section. Enter the name of the group and Deny the Read and Apply Group Policy permissions.

> Also - say I had a setting that prevented from users from shutting down the server, would this apply to anyone logging onto the server, even those in the Adminstrators (local) group?

User Rights are a User Configuration setting, by default these need to be linked to an OU containing user objects and will apply to those users regardless of which machine they log into.

If you are attempting to configure User Configuration settings on a per-computer basis, so that User Configuration settings will apply to a particular computer regardless of which user logs into it, you must configure Loopback Processing on the GPO in question, as described here: http://technet.microsoft.com/en-us/library/cc757470.aspx
0
 
LVL 3

Author Comment

by:kam_uk
Comment Utility
Hi Laura,

Thanks for answering, I forgot to mention - yep, we have Lookpack set.

Will the setting apply to any users/groups in the Local Administrators group?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
Comment Utility
By default, Authenticated Users have Read and Apply Group Policy on all Group Policy Objects. As Administrators are a member of Authenticated Users, all GPOs will apply to Administrators unless you modify the permissions on the GPO.
0
 
LVL 3

Author Comment

by:kam_uk
Comment Utility
Hi

Also, just to make sure I am in the right section for #1, is this in

GPO > Delegation > Advanced?

Any check the 'Apply Group Policy' box for the group I want to deny the GPO for?
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 30

Expert Comment

by:LauraEHunterMVP
Comment Utility
See my previous. Deny both the Read and Apply Group Policy permissions for the group(s) that you want to deny.
0
 
LVL 3

Author Comment

by:kam_uk
Comment Utility
Thanks very much Laura, looks good now.

Just one final question out of curiosity...

Why deny both READ and APPLY GROUP POLICY? Surely just denying APPLYING GROUP POLICY is enough to prevent the GPO from being applied (I've tested and this seems to be the case)...what is the advantage of setting a Deny on the READ permission?
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 250 total points
Comment Utility
You deny READ because you do not want the GPO to have any impact to the security group. If you just deny AGP and leave READ Allow, the GPO still processed by the user even though it is not applied to the user. That's why for best practice and to have better performance, it's meaningless not to deny READ if you deny AGP.

0
 
LVL 3

Author Comment

by:kam_uk
Comment Utility
Thanks all!
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available. Let’s expl…
Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now