Solved

Group Policy on SBS 2008 - how to remove one feature for one user.

Posted on 2011-09-14
429 Views
Last Modified: 2012-06-21
We have a group policy feature enabled on our SBS 2008 box under Windows SBS User Policy. The feature needs to be turned off for one User only. The feature is 'Enable Active Desktop' and is 'Enabled'. I have created a new OU, 'No Active Desktop' and I have blocked inheritance but I want to know how to recreate all of the Windows SBS User Policy features except this one so that this is effectively turned off for any users that I place in this OU. Any help appreciated.
Question by:plokij5006
26 Comments
 
LVL 30

Expert Comment

by:Randy Downs
ID: 36537393
try this

http://help.wugnet.com/windows2/Copy-Group-Policy-OU-ftopict517788.html

In GPMC you can also copy an existing GPO. Install Group policy management
console and see what it can do for you.
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD...35-9272 
 
LVL 3

Expert Comment

by:jrgcomputing
ID: 36537407
It's difficult to advise on this without knowing the reason for blocking 1 user. I wouldn't block inheritance for a start. You're much better off controlling what policies are applied to users through group membership, so I would do the following:

Create 2 Groups (GP Active Desktop ENA, GP Active Desktop DIS)
Create 2 Group Policies (GP Active Desktop ENA, GP Active Desktop DIS)
Set original Group Policy Active Desktop to not defined
 

Author Comment

by:plokij5006
ID: 36542183
Thanks for the replies, I had already tried linking the GPO to the new OU but when I change this setting in the linked GPO, it changes the setting globally. It tells me this will be the case when I select the linked GPO. Any ideas?

Also, I already have an OU for all SBS Users and I just want to specialize one user (Active Desktop crashes their system immediately when turned on by the GP), so I don't want to create a new OU and put everyone bar one in it, if I can help it.

Thanks

 
LVL 40

Expert Comment

by:footech
ID: 36556444
You say you have this set under Windows SBS User Policy, but I want to verify that this is indeed a user policy setting and not a computer policy one.  What's the path to the policy setting?

Assuming it is a user policy, a couple ways you can go:
1) If you want to use a new OU.  Of course if you change a GPO it will apply to everywhere the GPO is linked.  If you want it to be different, copy the GPO, change the setting in the copy, and apply it to the new OU.
2) You could also go the route jrgcomputing suggested, but a simpler method would be to leave the current GPO alone and leave the users in the OU as is, create a new GPO with the Active Desktop setting disabled, and set it to apply only to the specific user in the security filtering.  Now link the GPO to the SBSUsers OU, and set the precedence (link order) so that this GPO is applied last, thereby overwriting the previous GP setting which enabled Active Desktop.
 

Author Comment

by:plokij5006
ID: 36560601
Thanks for the reply. It is definitely a user policy setting as its path is User Configuration\Policies\Administrative Templates\Desktop\Desktop.

I have copied the GPO and changed this setting in it and I will try your suggestion of applying the GPO last, I assume you mean that this overwrites those applied previously and so this makes the fact the other GPOs are enforced irrelevant?
 
LVL 40

Expert Comment

by:footech
ID: 36561028
Correct.  However, a clarification note, I wouldn't use the term "enforced" as this means something special to GPOs; better would be "applied".  As the only setting you want to change is for Active Desktop, that is the only setting that I would include in the new GPO.
 

Author Comment

by:plokij5006
ID: 36561089
Thanks, so now I have the new OU which has the one user in it. It inherits ten policies. My 'No Active Desktop' GPO is No. 4 in the list of inherited policies but I need to make it No. 10? I don't see how to edit its precedence. How is this done?
 
LVL 40

Expert Comment

by:footech
ID: 36561202
Looks like you're combining instructions from a couple different options.  Is this new OU a child of the SBSUsers OU?  If so, it should already be applied last.  Changing the link order only comes in handy when you have multiple GPOs applying to the same OU.

With the OU selected, look at the "Linked Group Policy Objects" tab.  There are arrows that let you change the order.  And no, you need to make it number 1 (actually it just needs to be lower than the GPO with the setting you want to overwrite, but nothing is lower than 1).
 

Author Comment

by:plokij5006
ID: 36568888
Okay, thanks. I will give it a try and let you know how I get on.
 

Author Comment

by:plokij5006
ID: 36579375
The 'No Active Desktop' OU is a child of the SBS Users OU. There is only one linked GPO under 'Linked Group Policy Objects' and that is the 'No Active Desktop' GPO. On the 'Group Policy Inheritance' tab there are 10 GPOs. The 'No AD' policy is number 4 and there are three above it whose precedence is 'enforced', one of which is the original 'SBS Users Policy'. Does this not mean that the 'No AD' GPO will be overridden by the original SBS Users policy and so the fact that I have turned off this setting in the new GPO is irrelevant?
 
LVL 40

Expert Comment

by:footech
ID: 36579772
As it stands right now, yes.  You need to get the "no AD" policy to a lower number than the other.  You can try setting it to enforced as well to see if that will get it a higher precedence (lower number).  Right now I'm wondering why the "SBS Users Policy" is set to enforced.
 

Author Comment

by:plokij5006
ID: 36814580
It seems the issue then is how to change the precedence of inherited GPOs that are set to 'enforced'. If I make the 'No Active Desktop' GPO enforced, it still has a lower precedence than the SBS Users Policy. Any suggestions anyone?
 

Author Comment

by:plokij5006
ID: 36814714
Following on from my previous post, is it not the case that the 'SBS Users Policy' needs to be enforced? If I uncheck the 'Enforced' option from this GPO it disappears from the Inherited GPOs on the SBS Users OU.
 
LVL 40

Expert Comment

by:footech
ID: 36818297
Tomorrow I should have access to an SBS08 server so I can see what it is by default.  However, in my experience, no GPOs are set to Enforced by default.  When you turn Enforced off it is not inherited only because you created an OU and blocked inheritance.  Enforced overrides the "block inheritance" setting.  I would think that the "SBS Users Policy" GPO doesn't need to be set to Enforced, but like I said, let me get back to you after I see what the default is on an SBS 08 machine.
 

Author Comment

by:plokij5006
ID: 36890632
Thanks footech!
 
LVL 40

Accepted Solution

by:footech (earned 500 total points)
ID: 36892827
OK, so on SBS 2008 this policy (and a few others) is set to Enforced by default.  But the Active Desktop setting is not included, so someone must have added that to the policy at some point.  Here's a link to what settings the policy includes by default.
http://www.sbslinks.com/windows_sbs_user_policy1.htm

So, here's the way I would approach this.  Remove the Active Desktop setting from the SBS Users GPO.  Create a new GPO that sets Active Desktop to enabled and link it either at the domain level or just on the SBS Users OU.  Then create a new GPO that sets Active Desktop to disabled, and either:
1) link it to the SBS Users OU and make sure it only applies to the user in question, or
2) link it to a child OU of the SBS Users OU that only includes the user (here the GPO can be set to apply to all Authenticated Users).
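The accepted approach scripted with the GroupPolicy PowerShell cmdlets, as an added example that is not part of this thread or of SBS itself. It assumes a Server 2008 R2 or Windows 7 RSAT management workstation (SBS 2008 does not ship the module), an assumed domain/OU naming, a constructed user and workstation name, and the assumption that the 'Enable Active Desktop' policy maps to ForceActiveDesktopOn=1 (Enabled) / 0 (Disabled) under HKCU\...\Policies\Explorer.

```powershell
# Added example, not from the thread or the SBS product: footech's accepted approach scripted
# with the GroupPolicy module. Assumption: run from a Server 2008 R2 / Windows 7 RSAT workstation
# with GPMC installed, since SBS 2008 itself does not ship the module. Names and DNs are assumed.
Import-Module GroupPolicy

$domain     = 'corp.example'                                              # assumed domain
$sbsUsersOU = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=corp,DC=example'     # assumed DN
$noADOU     = "OU=No Active Desktop,$sbsUsersOU"                          # child OU holding one user
$user       = 'CORP\jdoe'                                                 # constructed user

# Registry value behind User Configuration\...\Desktop\Desktop\Enable Active Desktop.
# Assumption: Enabled writes ForceActiveDesktopOn=1 and Disabled writes 0; if in doubt,
# set the state in the GPMC editor and keep the linking/verification steps below.
$key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name = 'ForceActiveDesktopOn'

# Step 1: take the setting out of the default (Enforced) SBS policy so it can no longer win there.
Remove-GPRegistryValue -Name 'Windows SBS User Policy' -Key $key -ValueName $name | Out-Null

# Step 2: baseline GPO that turns Active Desktop on for everyone in the SBS Users OU.
$on = New-GPO -Name 'Active Desktop On' -Domain $domain
Set-GPRegistryValue -Name $on.DisplayName -Key $key -ValueName $name -Type DWord -Value 1 | Out-Null
New-GPLink -Name $on.DisplayName -Target $sbsUsersOU -LinkEnabled Yes | Out-Null

# Step 3 (option 2): exception GPO linked to the child OU that contains only the one user,
# so it is processed after the parent's links and needs no security filtering.
$off = New-GPO -Name 'No Active Desktop' -Domain $domain
Set-GPRegistryValue -Name $off.DisplayName -Key $key -ValueName $name -Type DWord -Value 0 | Out-Null
New-GPLink -Name $off.DisplayName -Target $noADOU -LinkEnabled Yes | Out-Null

# Option 1 instead: link the exception GPO to the SBS Users OU at link order 1 and scope it to the
# one user. Authenticated Users keeps Read (needed to process the GPO) but loses Apply.
# New-GPLink -Name $off.DisplayName -Target $sbsUsersOU -LinkEnabled Yes -Order 1
# Set-GPPermission -Name $off.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
# Set-GPPermission -Name $off.DisplayName -TargetName 'jdoe' -TargetType User -PermissionLevel GpoApply

# Step 4: what the "Group Policy Inheritance" tab shows; lower Order wins, Enforced links sort first.
Get-GPInheritance -Target $noADOU | Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Enabled -AutoSize

# Step 5: the GP Results Wizard equivalent; the Settings section of the report names the winning GPO.
Get-GPResultantSetOfPolicy -User $user -Computer 'WS01' -ReportType Html -Path "$env:TEMP\rsop.html"
```

The Step 5 report is the check footech asks for later in the thread: it lists the resultant value of the setting and which GPO supplied it, rather than the static inheritance order.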
 

Author Comment

by:plokij5006
ID: 36893117
Thanks, I will try that but it will be on Monday, let you know what happens then.
 

Author Comment

by:plokij5006
ID: 36915730
Okay, here is what I did:

1) I made 'Enable Active Desktop' not configured in the SBS Users Policy.
2) I made a new GPO with this setting enabled and linked it to the SBS Users OU.
3) I created a new GPO with this setting 'Disabled' and linked it to the 'No Active Desktop' OU.
4) I moved the user into this OU.

Now 'Active Desktop off' has a higher precedence than the 'Active Desktop On' GPO in the inheritance of the 'No Active Desktop' OU. I am now waiting to see what the outcome is at next logon. I will get back to you soon.
 
LVL 40

Expert Comment

by:footech
ID: 36918484
Sounds good.
 

Author Comment

by:plokij5006
ID: 36948449
Sorry for the delay in responding but it took until today for the EU to update me on whether this was resolved. The answer is that this is still the same. Any more ideas?
 
LVL 40

Expert Comment

by:footech
ID: 36949766
Can you run the GP Results Wizard for this user and see if the setting is being applied?  It will tell you the setting and which GPO applied it.
 

Author Comment

by:plokij5006
ID: 36949945
I ran the wizard. Under 'Applied GPOs' the 'Active Desktop On' GPO is listed but it is at a lower precedence than it is when you view GPO Inheritance from OU properties. In OU properties it is listed at position 4 and the 'Active Desktop On' GPO is listed at 6. However, running the wizard under 'Applied GPOs' it is listed 4th with 'Active Desktop On' listed 2nd.

Presumably this is why it is not applied but I can't see why there is a difference between the GPO Inheritance and the Wizard results?
 
LVL 40

Expert Comment

by:footech
ID: 36953490
I think the results wizard displays the GPOs in the order they are applied.  So the one at the bottom would be the last one.  But a better check is if you look at the Settings tab for the results, you should see the setting and which GPO it was applied from.

Are you using the "Enable Active Desktop" setting, or the "Disable Active Desktop" setting?
 

Author Comment

by:plokij5006
ID: 37006380
Sorry for the long wait for a reply but the end user was on holiday until yesterday. I asked her to report back on what had happened with this on her return and she now says that the Active Desktop error has gone. I don't know how this happened and the settings in GPMC are still the same but it appears to have worked so I am going to accept your solution Footech. Thanks very much for all your help and well done!
 

Author Closing Comment

by:plokij5006
ID: 37006384
Good solution, well done. Very helpful member.
 
LVL 40

Expert Comment

by:footech
ID: 37008707
Excellent!  Glad you got it working.
