Solved

How to exclude AD object computer from GPO, DC Windows 2003 server standard edit

Posted on 2009-04-09
3
783 Views
Last Modified: 2012-05-06
I want to exlude AD object computer from a new created GPO. I have created OU "Policy Exceptions" and moved selected computer there, but I do know how to exclude that OU from the policy. I know that I can do it using WMI filter, not sure about the syntax.
0
Comment
Question by:itconsultant1
3 Comments
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 200 total points
ID: 24109950

A Group Policy will apply to the container ('parent' container) where it is joined, and all the child containers of that container. For example, if you link a GPO to the root of the domain, it will apply to all appropriate objects in the domain.

To exempt a particular OU from one particular policy, you will need to shuffle your OU structure and link the GPO to an OU lower down the structure, where it will not be inherited by the Policy Exceptions OU.

If you simply want the Policy Exceptions OU to be exempt from all GPOs defined in the parent containers, open Group Policy Management and block inheritance on that OU. This will mean only policies linked explicitly to the Policy Exceptions OU will be applied to objects within that OU.

-Matt
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 300 total points
ID: 24110001
What you could also do is make all those computers a member of a group.  Call it "Deny Policy" for example.
Then you can use security filtering on the GPO to deny read & apply group policy to that group.  
The GPO will then not apply to that group
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24307352.html?cid=236#a24101553
In that example I showed security filtering for an individual user but the same concept applies for the group
Thanks
Mike
 
0
 

Author Comment

by:itconsultant1
ID: 24110520
Thank you for the fast answer! It worked :)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Migrate 2003 domain controllers to 2012 18 84
SSL certificate is expired on Windows 2012 server and How to generate a CSR 2 34
ACTIVE DIRECTORY 18 49
Admin account lockout 10 39
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question