ChocolateRain

asked on

How do I restrict a certain computer from receiving a Group Policy?

In the Delegation tab of a GPO in the Group Policy Management console you can restrict certain user accounts from receiving a GPO by setting their account with a Deny Read permission. However, doing the same with a computer account doesn't work to prevent that account from receiving the GPO.

Is there a way to block certain computer accounts in any regard other than setting up blocked inheritance with OUs? WMI perhaps? I'd prefer not to use the method of separate OUs and blocked inheritance; that would be a bit messy.
Joseph Moody

Go to Advanced (in the Delegation tab) and select Deny for "Apply group policy".
ASKER CERTIFIED SOLUTION
Ackles
Use WMI filter with ComputerName field.
Add this computer to a newly created OU and change the option "Access this computer from the network" as per your requirement; you can find it in GPMC... Default Domain Controllers Group Policy object:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
I use Ackles' method except I flip it around the other way. I create a security group that has almost the same name as the GPO (my way of self-documenting), then I add the PC account to the group if I WANT it to use the GPO,...then any machine not in the group does use the GPO. Most of my GPOs are NOT based on the OU something is in,...I have found that to be too inflexible,...so I do most of them via security groups.

Let's say I have a GPO called "Windows Firewall Settings",...I then create a security group called "GPO Windows Firewall Settings". I prefix all of them with "GPO" so when I add a machine to them I can type "GPO" in the dialog box and it shows me only those groups to pick from. Now don't get me wrong,...the OUs are also factored in,...but by themselves they are too inflexible.
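The security-group filtering described above, plus the WMI-filter alternative from Ackles' answer, as an added PowerShell example that is not part of the thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a domain admin session, and hypothetical GPO, group and computer names.

```powershell
# Added example, not from the thread. Names below are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Windows Firewall Settings'      # hypothetical GPO
$GroupName = 'GPO Windows Firewall Settings'  # hypothetical filtering group
$Computer  = 'PC01'                           # hypothetical computer account

# 1. Create the filtering group if needed and add the computer account.
#    A computer picks up new group memberships at its next reboot (new Kerberos ticket).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $Computer)

# 2. Give the group Read + "Apply group policy" on the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# 3. Reduce Authenticated Users from Apply to Read only, so only group members
#    receive the GPO. Keep Read: since MS16-072 (KB3163622) the computer account
#    must be able to read a GPO for its user settings to be processed at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 4. Verify the resulting delegation on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

# WMI-filter alternative: the WQL you would paste into a GPMC WMI filter to
# apply the GPO everywhere except one named machine. Evaluating the same query
# locally shows whether the filter would match on this host ($false = excluded).
$Wql = "SELECT * FROM Win32_ComputerSystem WHERE Name <> 'PC01'"
$Applies = [bool](Get-CimInstance -Query $Wql -ErrorAction SilentlyContinue)
"WMI filter would apply on $env:COMPUTERNAME : $Applies"
```

Group filtering and WMI filtering only narrow where the GPO applies; neither blocks inheritance, so the OU structure stays untouched.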
See, there is no right or wrong; what suits you best is what matters.
Just keep two things in mind: be descriptive and document what you do.

Never ever modify your Default Policies. There are two,...Default Domain Policy,...and Default Domain Controllers Policy. Those are your safety net,...they are your way back to a normal world if things go bad. If you totally screw something up with a GPO you can remove or unlink the GPO and the Default Policies will put you back to a somewhat normal state,...or at least a functioning state. The only exception to that is that with 2003 and older domains the password policies must be in the Default Domain Policy,...they won't work right elsewhere.

So,...always create NEW GPOs to make policy changes,...name them according to their purpose as a way of self-documenting. Group your settings into the properly named GPO that they would logically be associated with.

But don't go to extremes there either. Too many individual policies can be bad too and can hurt performance. "Balance" is everything.