We have 6 domain controllers. On the Domain Controllers OU there is a default domain controller policy, and a policy that we created is applied. In the policy that we created we have changed the permissions on the windows\tasks folder to read-only for everyone. This was to counter the Conficker virus, as recommended by Microsoft. Now, on one of the domain controllers, we want to be able to create tasks. So I added one DC, for example dc2, to the security tab of the group policy that we created and denied permissions to read and apply group policy. The gpresult output displays that the policy is not applying.
The changes done by the policy are still retained. So, as I understand, the only way to grant read/write permissions to users is by applying another policy and enabling it. I created another policy in which I have added the file in the computer settings/windows settings/file permissions, added windows/tasks and gave permissions. Now, when I link the policy to the Domain Controllers OU, I want to refresh this server manually and then unlink the policy so that other DCs are not affected. I did this and gpresult says the policy is not applied. It says it is filtered.
How do I get this one DC to have read/write permissions on the Tasks folder?
Can I do this: for example, create an OU, link the policy which rolls back the changes to the new OU, move the DC to this OU, update the policy, then move it back to the original OU?