[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

GPO Exception on servers

Posted on 2010-09-08
3
Medium Priority
?
543 Views
Last Modified: 2012-05-10
I've configured a printer GPO for our user's container in Active Directory.  I'm using group filtering on the GPO so that I can apply it to the entire user's container, but only those in the group receive the policy.  A select number of these users do have management responsibilities on some servers.  is there a way to filter out the user based policy so that it does not run on the Servers.  The servers and users are in separate OU's and must remain that way.  Would a WMI filter work for this?  If so, what might it look like?
0
Comment
Question by:patriots
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33627411
What I'd do is create those users a second account.  That would be their management account with their elevated rights.  Then put them in an OU that doesn't get the policy.   It is generally best practice for users that have admin/elevated rights to have two accounts.   Log in day to day with the "normal" account and only use the elevated account when they need it to run their tasks.
 
Thanks
 
Mike
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 2000 total points
ID: 33627493
I think a WMI filter will work for what you are trying to do. . WMI filters will only appply the GPO if they evaulate to true. I would suggest creating a filter to test for the operating system caption. Basically what you will want to is use something like below. This will test for XP and windows 7 operating system.

SELECT Version FROM Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows XP%" OR Caption LIKE "Microsoft Windows 7%"

You can add as many other OS's in that box as you want. This way if the WMI query runs on a server it  will evaluate to false and the GPO will not run.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 33627509
Also a great tool for testing your WMI filters once you created them is WMIFtest from gpoguy.com

http://www.gpoguy.com/FreeTools/FreeToolsLibrary/tabid/67/agentType/View/PropertyID/93/Default.aspx 

This will let you pick any of your WMI filters and test them against any computer/server in your organization. If it evaluates to TRUE the GPO will be applied FALSE it will be skipped.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question