Solved

Denying GPO to AD group

Posted on 2009-04-04
Last Modified: 2012-05-06
Hi

We are running Windows 2003 AD.

I have a GPO that will cause some restrictions on users logging onto computers within a certain OU.

I would like it that anyone in the AD group, Group1, did not have these settings applied.

Is it possible to deny the GPO to this group and how?

Also - say I had a setting that prevented users from shutting down the server, would this apply to anyone logging onto the server, even those in the Administrators (local) group?

Cheers!
Question by:kam_uk

Accepted Solution

by: LauraEHunterMVP (earned 250 total points)
ID: 24069516
> Is it possible to deny the GPO to this group and how?

In the Group Policy Management Console, click Advanced in the "this GPO applies to the following blah blah blah" section. Enter the name of the group and Deny the Read and Apply Group Policy permissions.

> Also - say I had a setting that prevented users from shutting down the server, would this apply to anyone logging onto the server, even those in the Administrators (local) group?

User Rights are a User Configuration setting, by default these need to be linked to an OU containing user objects and will apply to those users regardless of which machine they log into.

If you are attempting to configure User Configuration settings on a per-computer basis, so that User Configuration settings will apply to a particular computer regardless of which user logs into it, you must configure Loopback Processing on the GPO in question, as described here: http://technet.microsoft.com/en-us/library/cc757470.aspx

Author Comment

by:kam_uk
ID: 24069526
Hi Laura,

Thanks for answering, I forgot to mention - yep, we have Loopback set.

Will the setting apply to any users/groups in the Local Administrators group?

Expert Comment

by:LauraEHunterMVP
ID: 24069532
By default, Authenticated Users have Read and Apply Group Policy on all Group Policy Objects. As Administrators are a member of Authenticated Users, all GPOs will apply to Administrators unless you modify the permissions on the GPO.

Author Comment

by:kam_uk
ID: 24069545
Hi

Also, just to make sure I am in the right section for #1, is this in

GPO > Delegation > Advanced?

And check the 'Apply Group Policy' box for the group I want to deny the GPO for?

Expert Comment

by:LauraEHunterMVP
ID: 24069563
See my previous. Deny both the Read and Apply Group Policy permissions for the group(s) that you want to deny.

Author Comment

by:kam_uk
ID: 24069684
Thanks very much Laura, looks good now.

Just one final question out of curiosity...

Why deny both READ and APPLY GROUP POLICY? Surely just denying APPLYING GROUP POLICY is enough to prevent the GPO from being applied (I've tested and this seems to be the case)...what is the advantage of setting a Deny on the READ permission?

Assisted Solution

by: Americom (earned 250 total points)
ID: 24070240
You deny READ because you do not want the GPO to have any impact on the security group. If you just deny AGP and leave READ allowed, the GPO is still processed for the user even though it is not applied to the user. That's why, for best practice and better performance, it is meaningless not to deny READ if you deny AGP.

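The two answers above boil down to one rule: a group excluded from a GPO should carry a Deny on both Read and Apply Group Policy, not just on Apply. The following PowerShell audit is an added example (not code from this thread or from GPMC) that walks every GPO's Active Directory object and flags trustees whose Deny entries are incomplete. It assumes the RSAT GroupPolicy and ActiveDirectory modules (which provide Get-GPO and the AD: drive) and read access to the domain's Policies container; it inspects only the AD-side ACL, not the SYSVOL copy that GPMC keeps in sync.

```powershell
# Added audit example: report Deny entries on each GPO and flag trustees that
# have Deny "Apply Group Policy" without a matching Deny Read (or vice versa).
# Assumes RSAT GroupPolicy + ActiveDirectory modules and rights to read GPO ACLs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Schema GUID of the Apply-Group-Policy extended right (same in every domain).
$ApplyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$Rights        = [System.DirectoryServices.ActiveDirectoryRights]
$ReadBits      = $Rights::GenericRead -bor $Rights::ReadProperty

function Get-GpoDenyReport {
    foreach ($gpo in Get-GPO -All) {
        # $gpo.Path is the distinguishedName of the groupPolicyContainer object.
        $acl  = Get-Acl -Path "AD:\$($gpo.Path)"
        $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }

        # Group the Deny ACEs per trustee so Read and Apply can be compared.
        foreach ($trustee in ($deny | Group-Object IdentityReference)) {
            $aces = $trustee.Group
            $denyApply = [bool]($aces | Where-Object {
                (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and
                ($_.ObjectType -eq $ApplyGpoRight) })
            $denyRead = [bool]($aces | Where-Object {
                ($_.ActiveDirectoryRights -band $ReadBits) -ne 0 })

            # Per the thread: Deny Apply alone still lets the client read and
            # process the GPO; a clean exclusion denies both.
            $finding = if ($denyApply -and -not $denyRead) { 'Deny Apply without Deny Read' }
                       elseif ($denyRead -and -not $denyApply) { 'Deny Read without Deny Apply' }
                       else { 'OK' }

            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                Trustee   = $trustee.Name
                DenyApply = $denyApply
                DenyRead  = $denyRead
                Finding   = $finding
            }
        }
    }
}

# Example run: show every GPO/trustee pair that has any Deny entry.
Get-GpoDenyReport | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Filter on `Finding -ne 'OK'` to list only the GPOs that need the second Deny added in GPMC (Delegation > Advanced), as described in the accepted answer.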

Author Comment

by:kam_uk
ID: 24071231
Thanks all!