Solved

GPO Exception on servers

Posted on 2010-09-08
Last Modified: 2012-05-10
I've configured a printer GPO for our users container in Active Directory. I'm using group filtering on the GPO so that I can apply it to the entire users container, but only those in the group receive the policy. A select number of these users do have management responsibilities on some servers. Is there a way to filter out the user-based policy so that it does not run on the servers? The servers and users are in separate OUs and must remain that way. Would a WMI filter work for this? If so, what might it look like?
Question by:patriots
LVL 57

Expert Comment

by:Mike Kline
ID: 33627411
What I'd do is create those users a second account.  That would be their management account with their elevated rights.  Then put them in an OU that doesn't get the policy.   It is generally best practice for users that have admin/elevated rights to have two accounts.   Log in day to day with the "normal" account and only use the elevated account when they need it to run their tasks.
 
Thanks
 
Mike
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 33627493
I think a WMI filter will work for what you are trying to do. WMI filters will only apply the GPO if they evaluate to true. I would suggest creating a filter to test for the operating system caption. Basically what you will want to do is use something like below. This will test for the XP and Windows 7 operating systems.

SELECT Version FROM Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows XP%" OR Caption LIKE "Microsoft Windows 7%"

You can add as many other OSes in that box as you want. This way if the WMI query runs on a server it will evaluate to false and the GPO will not run.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 33627509
Also, a great tool for testing your WMI filters once you've created them is WMIFtest from gpoguy.com

http://www.gpoguy.com/FreeTools/FreeToolsLibrary/tabid/67/agentType/View/PropertyID/93/Default.aspx 

This will let you pick any of your WMI filters and test them against any computer/server in your organization. If it evaluates to TRUE the GPO will be applied; if FALSE it will be skipped.
0
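An added example, not part of the original thread and not the WMIFtest tool: a PowerShell function that runs a WMI filter's WQL query against a set of computers and reports TRUE when the query returns at least one object, which is the condition under which the GPO applies. The function name, the host names and the `ProductType = 1` variant (matches workstations regardless of OS caption) are additions that do not appear in the thread.

```powershell
# Added example: evaluate a GPO WMI filter query against one or more computers.
# A WMI filter is TRUE when its WQL query returns at least one object.
# Test-WmiFilterQuery is a hypothetical helper name, not a built-in cmdlet.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [string]   $Namespace    = 'root\CIMv2'
    )
    foreach ($computer in $ComputerName) {
        try {
            $params = @{ Query = $Query; Namespace = $Namespace; ErrorAction = 'Stop' }
            # Query the local machine directly; remote machines go over WinRM.
            if ($computer -ne $env:COMPUTERNAME) { $params.ComputerName = $computer }
            $rows = @(Get-CimInstance @params)
            [pscustomobject]@{
                Computer = $computer
                Result   = ($rows.Count -gt 0)   # TRUE = GPO would apply here
                Error    = $null
            }
        }
        catch {
            # Unreachable host or invalid WQL: report it instead of guessing.
            [pscustomobject]@{
                Computer = $computer
                Result   = $false
                Error    = $_.Exception.Message
            }
        }
    }
}

# The caption-based filter from the accepted answer.
$captionFilter = 'SELECT Version FROM Win32_OperatingSystem WHERE ' +
                 'Caption LIKE "Microsoft Windows XP%" OR Caption LIKE "Microsoft Windows 7%"'

# Variant not from the thread: Win32_OperatingSystem.ProductType is
# 1 for workstations, 2 for domain controllers, 3 for member servers.
$productTypeFilter = 'SELECT Version FROM Win32_OperatingSystem WHERE ProductType = 1'

# Hypothetical host names; replace with one workstation and one server.
$targets = 'WKS-EXAMPLE01', 'SRV-EXAMPLE01'

Test-WmiFilterQuery -Query $captionFilter     -ComputerName $targets | Format-Table -AutoSize
Test-WmiFilterQuery -Query $productTypeFilter -ComputerName $targets | Format-Table -AutoSize
```

A server should show `Result = False` for both queries; a workstation running an OS that is not listed in the caption filter will show `False` for the first query and `True` for the second.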
