Solved

GPO Exception on servers

Posted on 2010-09-08
3
519 Views
Last Modified: 2012-05-10
I've configured a printer GPO for our user's container in Active Directory.  I'm using group filtering on the GPO so that I can apply it to the entire user's container, but only those in the group receive the policy.  A select number of these users do have management responsibilities on some servers.  is there a way to filter out the user based policy so that it does not run on the Servers.  The servers and users are in separate OU's and must remain that way.  Would a WMI filter work for this?  If so, what might it look like?
0
Comment
Question by:patriots
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33627411
What I'd do is create those users a second account.  That would be their management account with their elevated rights.  Then put them in an OU that doesn't get the policy.   It is generally best practice for users that have admin/elevated rights to have two accounts.   Log in day to day with the "normal" account and only use the elevated account when they need it to run their tasks.
 
Thanks
 
Mike
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 33627493
I think a WMI filter will work for what you are trying to do. . WMI filters will only appply the GPO if they evaulate to true. I would suggest creating a filter to test for the operating system caption. Basically what you will want to is use something like below. This will test for XP and windows 7 operating system.

SELECT Version FROM Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows XP%" OR Caption LIKE "Microsoft Windows 7%"

You can add as many other OS's in that box as you want. This way if the WMI query runs on a server it  will evaluate to false and the GPO will not run.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 33627509
Also a great tool for testing your WMI filters once you created them is WMIFtest from gpoguy.com

http://www.gpoguy.com/FreeTools/FreeToolsLibrary/tabid/67/agentType/View/PropertyID/93/Default.aspx 

This will let you pick any of your WMI filters and test them against any computer/server in your organization. If it evaluates to TRUE the GPO will be applied FALSE it will be skipped.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question