Solved

How do I prevent domain admins from acquiring enforced group policy settings on a entire domain?

Posted on 2009-07-03
4
280 Views
Last Modified: 2012-05-07
I have an active directory domain that has a Standard Domain Policy which is set to "enforced".
Recently, changes were made to the USER configuration of the policy (Do not permit changing proxy settings) and this seemed to work well, however, domain admins have advised that the policy has also applied to them.
Two things I should point out;
-It's not really necessary for domain admins to have the "Standard Domain Options" apply to them at all.
-The domain policy needs to remain "enforced".
I have toyed with security filtering and cannot seem to get around this.
Any thoughts?
Thanks!
Lab_Tech
0
Comment
Question by:Lab_Tech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 12

Expert Comment

by:marcustech
ID: 24772742
Apply domain policy to domain users, not everyone
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24772779
You could create an OU in Active Directory and block inheritance on this OU but link the Domain Policy to the new OU so that it remains enforced.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 24772913
Since the policy is set to enforced it will win over block inheritance.  What happened when you tried the security filtering route
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
I'm guessing your users are spread across multiple OUs and that is why the policy is linked at the domain level.
Thanks
Mike
0
 

Author Closing Comment

by:Lab_Tech
ID: 31599575
Many thanks; This is exactly what I needed. The reason it did not work for me when I first played areound with the security filtering is that I had set read as deny without setting Apply group policy. Duh so simple!!!! Many thanks!!
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question