Denying GPO User Configuration to group of computers

TNRD
We have a GPO (User Configuration) that applies to all desktop PCs in a specific OU. I would like to know if it is possible to DENY the GPO (User Configuration) to a specific membership group of AD computers, e.g. laptop AD objects (a group made up of laptops), not a group of users themselves. I am not sure if this is possible, as my understanding is that computer and user configurations are separate?

Top Expert 2013

Commented:
How are you applying user configurations to computers... are you enabling loopback? You could try filtering on the loopback policy.

Thanks

Mike

Author

Commented:
I haven't enabled loopback. The user configuration is being applied to authenticated users in the OU.

Author

Commented:
Addendum... Both the user object and computer objects are in the OU.

Senior Systems Admin
Top Expert 2010
Commented:
If you don't have loopback enabled and there are only computers in the OU that the GPO is linked to, nothing will happen. If there are some users in the OU, the GPO will only be applied to those users, and it will be applied on any computer they use. To block a user configuration setting from being applied when a user logs in to a specific computer, you can link the GPO to the OU the computer is in, enable loopback processing, and add the group that the computers belong to into the security filtering for the policy. That should allow the policy to apply only when users log in to that group of computers.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
It's usually a good idea, from an organizational standpoint, to separate computer and user objects in Active Directory. It makes policy assignment much easier to handle and figure out.

Commented:
Couldn't you just create a new OU and create a new GPO with those specific policies only?
Commented:
You can deny apply group policy on specific users, groups or computers.
In your GPMC, go to the GPO required, then select the Delegation tab and click on Advanced.
There, add the objects you want to deny the GPO to be applied to and select Deny for the "Apply group policy" permission.
This will take care of overriding the Deny of applying this GPO over objects you specified.
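
To review which GPOs carry a Deny on "Apply group policy" of the kind set through the Delegation tab above, the GPO's ACL can be read with PowerShell. This is an added example, not part of the original thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules and a domain-joined session, and the function name is hypothetical.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl reads from

# rightsGuid of the "Apply Group Policy" extended right
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-GpoApplyDeny {
    # Hypothetical helper: report every Deny ACE on "Apply group policy",
    # for one GPO (-Name) or for all GPOs in the domain (no argument).
    param([string]$Name)

    $gpos = if ($Name) { Get-GPO -Name $Name } else { Get-GPO -All }

    foreach ($gpo in $gpos) {
        $acl = Get-Acl -Path "AD:\$($gpo.Path)"
        $denies = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ApplyGpoRight
        }
        foreach ($ace in $denies) {
            # Resolve the trustee so the report shows whether the Deny targets
            # a group, a user or a computer object.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass

            [pscustomobject]@{
                Gpo          = $gpo.DisplayName
                Trustee      = $ace.IdentityReference.Value
                TrusteeClass = if ($obj) { $obj.objectClass } else { 'unknown' }
                Inherited    = $ace.IsInherited
            }
        }
    }
}

# Read-only report across the whole domain
Get-GpoApplyDeny | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

The function only reads ACLs, so it can be run periodically to keep track of Deny entries that were added by hand.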

Author

Commented:
Thanks. We were able to set up 2 policies. One policy applying to all of the desktops but denied to the laptops. And the other policy applying just to the laptop users using security filtering based on group membership.
