Link to home
Start Free TrialLog in
Avatar of Lab_Tech
Lab_TechFlag for Canada

asked on

How do I prevent domain admins from acquiring enforced group policy settings on a entire domain?

I have an active directory domain that has a Standard Domain Policy which is set to "enforced".
Recently, changes were made to the USER configuration of the policy (Do not permit changing proxy settings) and this seemed to work well, however, domain admins have advised that the policy has also applied to them.
Two things I should point out;
-It's not really necessary for domain admins to have the "Standard Domain Options" apply to them at all.
-The domain policy needs to remain "enforced".
I have toyed with security filtering and cannot seem to get around this.
Any thoughts?
Thanks!
Lab_Tech
Avatar of Member_2_4984608
Member_2_4984608

Apply domain policy to domain users, not everyone
Avatar of Glen Knight
You could create an OU in Active Directory and block inheritance on this OU but link the Domain Policy to the new OU so that it remains enforced.
ASKER CERTIFIED SOLUTION
Avatar of Mike Kline
Mike Kline
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Lab_Tech

ASKER

Many thanks; This is exactly what I needed. The reason it did not work for me when I first played areound with the security filtering is that I had set read as deny without setting Apply group policy. Duh so simple!!!! Many thanks!!