Solved

Excluding Domain Controllers from a GPO

Posted on 2009-05-08
7
438 Views
Last Modified: 2012-05-06
Hello I am trying to exclude my domain controllers from a group policy that applies to our entire domain. How can I remove the domain controllers from this GPO?
I am new at GPO management and would greatly appreciate a step by step process to remove these DC's from the policy.

The policy simply maps a network printer to all computers when you login. I noticed that when I log into my secondary DC i get an error saying the script could not run, however it runs fine on our Primary DC and workstations (printer gets mapped). Not sure why only my secondary DC is getting the error msg at logon. I would like to remove it all together from getting the GPO.

Thanks

0
Comment
Question by:FLVS_407
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 3

Expert Comment

by:ISWSIMBX
ID: 24338576
Set the permissions on the GPO to Deny Apply group policy to the Enterprise Domain Controllers group.
0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24338604
Create a separate Organizational Unit and place your Domain Controllers in new OU.  Exclude the GPO from from in the newly created OU.
0
 
LVL 5

Expert Comment

by:AncientFrib
ID: 24338624
If you just want to affect the one DC then change the permissions of the GPO to deny "Apply Group Policy" to the one DC.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 24338748
What ISWSIMBX is suggesting is using security filtering.  Here are some step by step instructions for that
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Follow up question is your script running as a computer or user based script?  Sounds like computer but just wanted to double check.
 
 
Thanks
Mike
0
 

Author Comment

by:FLVS_407
ID: 24339158
its running as a user script.

Here is what I tried.
In A.D. I created a new group called "GPO disable"
I added my 2ndary domain controller to that group.


then i opened up the group policy that has the script in group policy object editor and right clicked on the domain selected properties and clicked on the security tab.
I then added the new OU I created in AD and selected DENY for the "apply group policy" permission
I then did a gpupdate /force and tried logging into the server in question, still got the script error message..

i have noticed some other servers too are getting the error but not all servers..
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24339269
You would have to reboot the DC in order to update the group membership/token but since this is a user script excluding the computer doesn't do much for you.
If you added your account and set the deny ACE then you should not get the script/GPO.
Thansk
Mike
0
 

Author Comment

by:FLVS_407
ID: 24339642
Turns out the error was because some of my servers didn't have the print spooler services running so it couldn't contact the network printer. Turned them on and no more errors!
Thanks
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question