Denying GPO to AD group

Hi

We are running Windows 2003 AD.

I have a GPO that will cause some restrictions on users logging onto computers within a certain OU.

I would like it that anyone in the AD group, Group1, did not have these settings applied.

Is it possible to deny the GPO to this group and how?

Also - say I had a setting that prevented users from shutting down the server, would this apply to anyone logging onto the server, even those in the Administrators (local) group?

Cheers!
kam_uk Asked:
 
LauraEHunterMVP Commented:
> Is it possible to deny the GPO to this group and how?

In the Group Policy Management Console, click Advanced in the "this GPO applies to the following blah blah blah" section. Enter the name of the group and Deny the Read and Apply Group Policy permissions.

> Also - say I had a setting that prevented users from shutting down the server, would this apply to anyone logging onto the server, even those in the Administrators (local) group?

User Rights are a User Configuration setting, by default these need to be linked to an OU containing user objects and will apply to those users regardless of which machine they log into.

If you are attempting to configure User Configuration settings on a per-computer basis, so that User Configuration settings will apply to a particular computer regardless of which user logs into it, you must configure Loopback Processing on the GPO in question, as described here: http://technet.microsoft.com/en-us/library/cc757470.aspx
0
 
kam_uk (Author) Commented:
Hi Laura,

Thanks for answering, I forgot to mention - yep, we have Loopback set.

Will the setting apply to any users/groups in the Local Administrators group?
0
 
LauraEHunterMVP Commented:
By default, Authenticated Users have Read and Apply Group Policy on all Group Policy Objects. As Administrators are members of Authenticated Users, all GPOs will apply to Administrators unless you modify the permissions on the GPO.
0
 
kam_uk (Author) Commented:
Hi

Also, just to make sure I am in the right section for #1, is this in

GPO > Delegation > Advanced?

And check the 'Apply Group Policy' box for the group I want to deny the GPO for?
0
 
LauraEHunterMVP Commented:
See my previous. Deny both the Read and Apply Group Policy permissions for the group(s) that you want to deny.
0
 
kam_uk (Author) Commented:
Thanks very much Laura, looks good now.

Just one final question out of curiosity...

Why deny both READ and APPLY GROUP POLICY? Surely just denying APPLYING GROUP POLICY is enough to prevent the GPO from being applied (I've tested and this seems to be the case)...what is the advantage of setting a Deny on the READ permission?
0
 
Americom Commented:
You deny READ because you do not want the GPO to have any impact on the security group. If you just deny AGP and leave READ as Allow, the GPO is still processed by the user even though it is not applied to the user. That's why, for best practice and better performance, it's meaningless not to deny READ if you deny AGP.

0
 
kam_uk (Author) Commented:
Thanks all!
0
Question has a verified solution.
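
Added example, not part of the original thread: a simplified model of GPO security filtering that reads a GPO's DACL in SDDL form and reports which of Read and Apply Group Policy a logon token ends up with, so the Deny-for-Group1 and Deny-Apply-only cases discussed above can be compared. The domain SID, RIDs and SDDL strings are constructed sample values, and the model assumes rights are written as two-letter SDDL codes and that any matching Deny overrides Allow.

```python
import re

APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"  # Apply Group Policy extended right
READ = {"RC", "LC", "RP", "LO"}  # the four rights behind generic Read on an AD object
WELL_KNOWN = {"AU": "S-1-5-11", "SY": "S-1-5-18", "BA": "S-1-5-32-544"}

def parse_dacl(sddl):
    """Yield (is_deny, rights, object_guid, sid) for each allow/deny ACE in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, obj, _inh, sid = ace.split(";")[:6]
        if ace_type in ("A", "OA", "D", "OD"):
            yield (ace_type in ("D", "OD"), set(re.findall("..", rights)),
                   obj.lower(), WELL_KNOWN.get(sid, sid))

def gpo_access(sddl, token_sids):
    """Return the subset of {'read', 'apply'} the token effectively holds."""
    allowed, denied = set(), set()
    for is_deny, rights, obj, sid in parse_dacl(sddl):
        if sid not in token_sids:
            continue
        perms = set()
        # An allow must grant all four read rights; a deny of any one blocks Read.
        if (rights & READ if is_deny else READ <= rights) or rights & {"GA", "GR"}:
            perms.add("read")
        # CR with no object GUID covers every extended right, including Apply.
        if rights & {"CR", "GA"} and obj in ("", APPLY_GPO):
            perms.add("apply")
        (denied if is_deny else allowed).update(perms)
    return allowed - denied

def gpo_applies(sddl, token_sids):
    """The GPO is applied only when both Read and Apply Group Policy survive."""
    return gpo_access(sddl, token_sids) == {"read", "apply"}

# Constructed sample data (not taken from a real domain).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP1 = DOMAIN + "-1105"
DEFAULT = f"D:(OA;CI;CR;{APPLY_GPO};;AU)(A;CI;LCRPLORC;;;AU)"
DENY_APPLY = f"D:(OD;CI;CR;{APPLY_GPO};;{GROUP1})" + DEFAULT[2:]
DENY_BOTH = f"D:(OD;CI;CR;{APPLY_GPO};;{GROUP1})(D;CI;LCRPLORC;;;{GROUP1})" + DEFAULT[2:]
ADMIN = {DOMAIN + "-1001", "S-1-5-32-544", "S-1-5-11"}   # local admin, not in Group1
MEMBER = {DOMAIN + "-1002", GROUP1, "S-1-5-11"}          # member of Group1

if __name__ == "__main__":
    for name, sddl in [("default", DEFAULT), ("deny apply", DENY_APPLY), ("deny both", DENY_BOTH)]:
        print(name, "admin:", sorted(gpo_access(sddl, ADMIN)),
              "group1 member:", sorted(gpo_access(sddl, MEMBER)))
```

Domain-relative SDDL aliases such as DA are not resolved here; substitute full SIDs before feeding in a real descriptor.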
