Avatar of Ekuskowski
Ekuskowski
 asked on

Group policy processing order / precedence

I currently have a group policy applied to an OU.  That OU contains one server and there are COMPUTER and USER settings being applied by that policy.  These settings are applied to anyone who logs into that computer.

All of this is working as planned.

Now when an Admin logs into that computer the policies are also getting applied which is removing access to the control panel.  This is expected because that's what the policy says to do.

I have made another policy that gives access to the control panel and I have applied that policy to the OU where the admin users are located.

How do I make sure the Policy that the admins need over rides or takes precedence over the policy of the server ?
Windows Server 2008Active Directory

Avatar of undefined
Last Comment
Ekuskowski

8/22/2022 - Mon
jgerbasi

You can simply just exclude the Admin users from policy inheritence.

http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

It is much less confusing then setting up multiple policies.
Joseph Moody

It sounds like you are running loopback policy processing. I would guess it is set to replace mode instead of merge.

1. Change it to replace mode.
2. Create a new GPO that applies to the servers and the admins.
3. Configure your settings and link it higher (on the OU level) than the general GPO.
SOLUTION
Mike Kline

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER CERTIFIED SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Smith and Andersen

Just deny read to the admins on the policy
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Ekuskowski

ASKER
enforcing the policy that i needed was ultimately what worked,  I'm also going to clean up my group policies and create more policies that are specific to one task or one group of users or computers, that way I only apply polices to specific OU's and I do not get stuck where I have a policy that applies to the domain and I do not want eveythinhg in theat policy for everyone.