Lab_Tech
asked on
How do I prevent domain admins from acquiring enforced group policy settings on a entire domain?
I have an active directory domain that has a Standard Domain Policy which is set to "enforced".
Recently, changes were made to the USER configuration of the policy (Do not permit changing proxy settings) and this seemed to work well, however, domain admins have advised that the policy has also applied to them.
Two things I should point out;
-It's not really necessary for domain admins to have the "Standard Domain Options" apply to them at all.
-The domain policy needs to remain "enforced".
I have toyed with security filtering and cannot seem to get around this.
Any thoughts?
Thanks!
Lab_Tech
Recently, changes were made to the USER configuration of the policy (Do not permit changing proxy settings) and this seemed to work well, however, domain admins have advised that the policy has also applied to them.
Two things I should point out;
-It's not really necessary for domain admins to have the "Standard Domain Options" apply to them at all.
-The domain policy needs to remain "enforced".
I have toyed with security filtering and cannot seem to get around this.
Any thoughts?
Thanks!
Lab_Tech
Apply domain policy to domain users, not everyone
You could create an OU in Active Directory and block inheritance on this OU but link the Domain Policy to the new OU so that it remains enforced.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Many thanks; This is exactly what I needed. The reason it did not work for me when I first played areound with the security filtering is that I had set read as deny without setting Apply group policy. Duh so simple!!!! Many thanks!!