Improve company productivity with a Business Account.Sign Up

x
?
Solved

How do I prevent domain admins from acquiring enforced group policy settings on a entire domain?

Posted on 2009-07-03
4
Medium Priority
?
294 Views
Last Modified: 2012-05-07
I have an active directory domain that has a Standard Domain Policy which is set to "enforced".
Recently, changes were made to the USER configuration of the policy (Do not permit changing proxy settings) and this seemed to work well, however, domain admins have advised that the policy has also applied to them.
Two things I should point out;
-It's not really necessary for domain admins to have the "Standard Domain Options" apply to them at all.
-The domain policy needs to remain "enforced".
I have toyed with security filtering and cannot seem to get around this.
Any thoughts?
Thanks!
Lab_Tech
0
Comment
Question by:Lab_Tech
4 Comments
 
LVL 12

Expert Comment

by:marcustech
ID: 24772742
Apply domain policy to domain users, not everyone
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24772779
You could create an OU in Active Directory and block inheritance on this OU but link the Domain Policy to the new OU so that it remains enforced.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 24772913
Since the policy is set to enforced it will win over block inheritance.  What happened when you tried the security filtering route
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
I'm guessing your users are spread across multiple OUs and that is why the policy is linked at the domain level.
Thanks
Mike
0
 

Author Closing Comment

by:Lab_Tech
ID: 31599575
Many thanks; This is exactly what I needed. The reason it did not work for me when I first played areound with the security filtering is that I had set read as deny without setting Apply group policy. Duh so simple!!!! Many thanks!!
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
In this article, we will discuss how you can secure Active Directory using free tools, and how you can choose a safe and secure Active Directory security auditing tool.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question