Excluding Domain Controllers from a GPO
Hello I am trying to exclude my domain controllers from a group policy that applies to our entire domain. How can I remove the domain controllers from this GPO?
I am new at GPO management and would greatly appreciate a step by step process to remove these DC's from the policy.
The policy simply maps a network printer to all computers when you login. I noticed that when I log into my secondary DC i get an error saying the script could not run, however it runs fine on our Primary DC and workstations (printer gets mapped). Not sure why only my secondary DC is getting the error msg at logon. I would like to remove it all together from getting the GPO.
Thanks
I am new at GPO management and would greatly appreciate a step by step process to remove these DC's from the policy.
The policy simply maps a network printer to all computers when you login. I noticed that when I log into my secondary DC i get an error saying the script could not run, however it runs fine on our Primary DC and workstations (printer gets mapped). Not sure why only my secondary DC is getting the error msg at logon. I would like to remove it all together from getting the GPO.
Thanks
Set the permissions on the GPO to Deny Apply group policy to the Enterprise Domain Controllers group.
Create a separate Organizational Unit and place your Domain Controllers in new OU. Exclude the GPO from from in the newly created OU.
If you just want to affect the one DC then change the permissions of the GPO to deny "Apply Group Policy" to the one DC.
What ISWSIMBX is suggesting is using security filtering. Here are some step by step instructions for that
http://adisfun.blogspot.co
Follow up question is your script running as a computer or user based script? Sounds like computer but just wanted to double check.
Thanks
Mike
http://adisfun.blogspot.co
Follow up question is your script running as a computer or user based script? Sounds like computer but just wanted to double check.
Thanks
Mike
ASKER
its running as a user script.
Here is what I tried.
In A.D. I created a new group called "GPO disable"
I added my 2ndary domain controller to that group.
then i opened up the group policy that has the script in group policy object editor and right clicked on the domain selected properties and clicked on the security tab.
I then added the new OU I created in AD and selected DENY for the "apply group policy" permission
I then did a gpupdate /force and tried logging into the server in question, still got the script error message..
i have noticed some other servers too are getting the error but not all servers..
Here is what I tried.
In A.D. I created a new group called "GPO disable"
I added my 2ndary domain controller to that group.
then i opened up the group policy that has the script in group policy object editor and right clicked on the domain selected properties and clicked on the security tab.
I then added the new OU I created in AD and selected DENY for the "apply group policy" permission
I then did a gpupdate /force and tried logging into the server in question, still got the script error message..
i have noticed some other servers too are getting the error but not all servers..
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Turns out the error was because some of my servers didn't have the print spooler services running so it couldn't contact the network printer. Turned them on and no more errors!
Thanks
Thanks