Denying GPO to AD group

Posted on 2009-04-04
Last Modified: 2012-05-06
Hi

We are running Windows 2003 AD.

I have a GPO that will cause some restrictions on users logging onto computers within a certain OU.

I would like it that anyone in the AD group, Group1, did not have these settings applied.

Is it possible to deny the GPO to this group and how?

Also - say I had a setting that prevented users from shutting down the server, would this apply to anyone logging onto the server, even those in the Administrators (local) group?

Cheers!
0
Question by:kam_uk
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 1000 total points
ID: 24069516
> Is it possible to deny the GPO to this group and how?

In the Group Policy Management Console, click Advanced in the "this GPO applies to the following blah blah blah" section. Enter the name of the group and Deny the Read and Apply Group Policy permissions.

> Also - say I had a setting that prevented users from shutting down the server, would this apply to anyone logging onto the server, even those in the Administrators (local) group?

User Rights are a User Configuration setting; by default these need to be linked to an OU containing user objects and will apply to those users regardless of which machine they log into.

If you are attempting to configure User Configuration settings on a per-computer basis, so that User Configuration settings will apply to a particular computer regardless of which user logs into it, you must configure Loopback Processing on the GPO in question, as described here: http://technet.microsoft.com/en-us/library/cc757470.aspx
0
 
LVL 3

Author Comment

by:kam_uk
ID: 24069526
Hi Laura,

Thanks for answering, I forgot to mention - yep, we have Loopback set.

Will the setting apply to any users/groups in the Local Administrators group?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 24069532
By default, Authenticated Users have Read and Apply Group Policy on all Group Policy Objects. As Administrators are members of Authenticated Users, all GPOs will apply to Administrators unless you modify the permissions on the GPO.
0
 
LVL 3

Author Comment

by:kam_uk
ID: 24069545
Hi

Also, just to make sure I am in the right section for #1, is this in

GPO > Delegation > Advanced?

And check the 'Apply Group Policy' box for the group I want to deny the GPO for?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 24069563
See my previous. Deny both the Read and Apply Group Policy permissions for the group(s) that you want to deny.
0
 
LVL 3

Author Comment

by:kam_uk
ID: 24069684
Thanks very much Laura, looks good now.

Just one final question out of curiosity...

Why deny both READ and APPLY GROUP POLICY? Surely just denying APPLYING GROUP POLICY is enough to prevent the GPO from being applied (I've tested and this seems to be the case)...what is the advantage of setting a Deny on the READ permission?
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 1000 total points
ID: 24070240
You deny READ because you do not want the GPO to have any impact on the security group. If you just deny AGP and leave READ at Allow, the GPO is still processed by the user even though it is not applied to the user. That's why, for best practice and better performance, it's meaningless not to deny READ if you deny AGP.

0
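A read-only way to review the permissions discussed in this thread, added here as an example that is not part of any participant's post: it lists the explicit Deny entries on each GPO and shows, per group, whether Apply Group Policy and Read are both denied. It assumes the GroupPolicy and ActiveDirectory PowerShell modules from RSAT, which are newer than the Windows 2003 tools used above; `Get-GpoDenyFilter` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Read-only: it changes no permissions.
# Assumption: run on a domain-joined machine with the RSAT modules below.
Import-Module GroupPolicy, ActiveDirectory

# rightsGuid of the "Apply Group Policy" extended right in the AD schema
$ApplyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]

function Get-GpoDenyFilter {
    param([string]$GpoName)   # omit to scan every GPO in the domain

    $gpos = if ($GpoName) { Get-GPO -Name $GpoName -ErrorAction Stop } else { Get-GPO -All }
    foreach ($gpo in $gpos) {
        # Explicit (non-inherited) Deny ACEs on the GPO's AD container object
        $deny = (Get-Acl -Path "AD:\$($gpo.Path)").Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited }

        foreach ($group in ($deny | Group-Object { $_.IdentityReference.Value })) {
            # Deny on Apply Group Policy itself, or on all extended rights (empty GUID)
            $denyApply = @($group.Group | Where-Object {
                ($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -and
                ($_.ObjectType -eq $ApplyGpo -or $_.ObjectType -eq [guid]::Empty)
            }).Count -gt 0
            # Heuristic for "Deny Read": ReadProperty denied on all properties
            $denyRead = @($group.Group | Where-Object {
                ($_.ActiveDirectoryRights -band $Rights::ReadProperty) -and
                $_.ObjectType -eq [guid]::Empty
            }).Count -gt 0

            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                Trustee   = $group.Name
                DenyApply = $denyApply
                DenyRead  = $denyRead
            }
        }
    }
}

# One row per GPO and denied group; DenyApply without DenyRead is the
# "Apply denied, Read still allowed" case asked about above.
Get-GpoDenyFilter | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Deny entries set through Delegation > Advanced do not appear in the Security Filtering list on a GPO's Scope tab, so a report like this is useful when a policy is unexpectedly not applying to some users.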
 
LVL 3

Author Comment

by:kam_uk
ID: 24071231
Thanks all!
0
