Solved

Exclude Domain Controller in GPO

Posted on 2011-03-20
Last Modified: 2012-06-27
I edited the Default Domain Policy in GPO but want to exclude the Domain Controller (same server with the GPO and Active Directory on it).

After some research I found a few ways to exclude computers but none seem to work.

I have already:

1) Added the actual server to the security tab and checked off Deny to Apply Group Policy as well as Read -- This had no effect.

2) I then added the groups Domain Controllers and Enterprise Exchange Servers (the only 2 security groups AD says the server is a member of) with the same 2 Deny options checked off -- Again no effect on the server.

Of course I issued the gpupdate /force after each change, logged off and back on again.

HOW do I exclude the server from the GPO????
Question by:Michael Izzo
7 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 250 total points
ID: 35175119
Create a new GPO with the settings you added in the default domain policy.
Roll back the changes in the default domain policy.
Apply the new GPO where you need and apply only to the systems you want by replacing the authenticated_users with computer/user groups or groups or computers.

Default domain policy and default domain controller policy should only be modified where settings such as password policy need to change.  All other settings changes should be done through creation/linking of a separate newly created GPO.
0
 

Author Comment

by:Michael Izzo
ID: 35175146
Hi Arnold,

Thank you so much for the quick response! Before I go crazy with this I have a few questions. I understand what you are saying but feel the need to let you know I am not a trained IT guy, I'm self-taught trying to run a domain in a medium-sized family-owned service company so some of my questions may be elementary!

1) Can I roll back the policy automatically back to defaults or do I need to do it manually?

2) Can I copy the existing GPO I used automatically to a new one or do I need to recreate it from scratch?

3) Can I use the existing SBS Client Computer GPO or does it need to be created from scratch?

Thank you so much!
0
 
LVL 8

Assisted Solution

by:ActiveDirectoryman
ActiveDirectoryman earned 250 total points
ID: 35175772

To answer your question:

You can copy the GPO and create a new GPO by using the GPMC from Microsoft (Group Policy Management Console).
First, download the GPMC and install it on your domain controller:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

2. Copy the GPO using GPMC and create a new GPO.
Here are the instructions for copying a GPO:
http://technet.microsoft.com/en-us/library/cc758287(WS.10).aspx
2. Do not link the new GPO until you have changed settings in the default GPO to Not Configured.

3. Re-run gpupdate /force or let the group policy refresh on the clients.

4. After group policy has updated on the clients, then link the GPO to an Organizational Unit you want to apply the group policy to.

Let me know if you have any questions.
0
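The steps from the accepted and assisted answers above, as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy module that ships with Windows Server 2008 R2 and later (not available on SBS 2003, where GPMC and its sample scripts are used instead); the GPO name, group, OU and backup path are placeholders.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy module
# (Windows Server 2008 R2 or later). All names below are placeholders.
Import-Module GroupPolicy

$SourceGpo = 'Default Domain Policy'
$NewGpo    = 'Workstation Settings'                  # hypothetical GPO name
$Group     = 'Workstation Computers'                 # hypothetical security group
$TargetOu  = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
$BackupDir = 'C:\GPOBackups'                         # placeholder path

# Back up the default policy first, so a later rollback is a Restore-GPO
# instead of resetting every setting to Not Configured by hand.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Backup-GPO -Name $SourceGpo -Path $BackupDir | Out-Null

# Copy the edited policy into a separate GPO. The copy starts out unlinked.
Copy-GPO -SourceName $SourceGpo -TargetName $NewGpo | Out-Null

# Security filtering: Authenticated Users keeps Read but loses Apply,
# and only the chosen group gets Read + Apply.
Set-GPPermission -Name $NewGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $NewGpo -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Run this step only after the Default Domain Policy has been reverted and
# clients have refreshed. Linking at the OU keeps the domain controller,
# which lives in the Domain Controllers OU, out of scope.
New-GPLink -Name $NewGpo -Target $TargetOu -LinkEnabled Yes | Out-Null

# Check: list the trustees that can actually apply the new GPO.
Get-GPPermission -Name $NewGpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```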

Author Comment

by:Michael Izzo
ID: 35175988
Thanks AD Man,

I followed your instructions but I did not have a Copy option so I used cscript copygpo.wsf which worked fine.

Now I am trying to roll back the Default Domain Policy to its original out of box state but do not have the option to "Change Control" as indicated here: http://technet.microsoft.com/en-us/library/bb964252.aspx

I have been searching for a while now trying to download AGPM 4.0 but can't find the damn download anywhere, just documents on Microsoft's tech site about it.

I am running SBS 2003; any ideas or do I have to open every single section in the default and reset it manually?

Thanks,
Mike
0
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35176229

The reason that you can't just download AGPM is because it is part of the MDOP (Microsoft Desktop Optimization Pack). It is only available to TechNet and MSDN subscribers. It is a licensed product.
http://www.microsoft.com/windows/enterprise/products/mdop/default.aspx

Unfortunately, unless you have a backup of the GPO that you are trying to roll back, you will have to configure the GPO manually, setting each policy within the GPO to "not configured" and forcing a group policy update. There is a tool called "specops gpupdate" that will allow you to force a gpupdate across all systems in your domain, or in an organizational unit. I suggest that you check this out if you want to send out a group policy update to every client or a subset of clients. I have used this in my production environment and it works well for forcing a group policy update to all clients at once.

Specops gpupdate
MAKE SURE THAT YOU FOLLOW THE INSTRUCTIONS.
http://www.microsoft.com/windows/enterprise/products/mdop/default.aspx

I'm sorry if this is an inconvenience.
0
 
LVL 77

Expert Comment

by:arnold
ID: 35176671
You have access to the GPMC tool within Administrative tools.
If you do not, it can be obtained at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
Once installed it has a hierarchical display of your domain, OUs and GPOs.

Since you seem to have it resolved, I'll add what I think your question dealt with.
You do not need to copy the existing Default domain policy since it is applied.
What you need to do in these cases is create a new empty policy and then make the settings changes you wish to achieve. Once you apply the new GPO, the items you change will be cumulative.
There are caveats dealing with password policy as I mentioned before that can only be applied/controlled in SBS 2003 from within the default domain/DC policy.

It probably is simpler to go back and undo the settings you made.
There is a way to reset the Default Domain and Default Domain Controller policy:
http://www.windowsitpro.com/article/group-policy/how-can-i-restore-the-contents-of-the-default-domain-and-default-domain-controller-dc-group-policy-objects-gpos-.aspx


A good set of tools you might find useful, if not already part of your install, are the Windows 2003 support tools: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&displaylang=en
and the Windows 2003 resource kit and other tools can be found at:

http://technet.microsoft.com/en-us/windowsserver/bb405955
http://technet.microsoft.com/en-us/sysinternals

You could also use the tools Microsoft provides to analyze your setup:
http://support.microsoft.com/kb/940439
0
 

Author Comment

by:Michael Izzo
ID: 35177367
Arnold,

Worked like a charm!  You both were great...

Many thanks
0

Question has a verified solution.