Ekuskowski
asked on
Group policy processing order / precedence
I currently have a group policy applied to an OU. That OU contains one server and there are COMPUTER and USER settings being applied by that policy. These settings are applied to anyone who logs into that computer.
All of this is working as planned.
Now when an Admin logs into that computer the policies are also getting applied which is removing access to the control panel. This is expected because that's what the policy says to do.
I have made another policy that gives access to the control panel and I have applied that policy to the OU where the admin users are located.
How do I make sure the policy that the admins need overrides or takes precedence over the policy of the server?
It sounds like you are running loopback policy processing. I would guess it is set to replace mode instead of merge.
1. Change it to replace mode.
2. Create a new GPO that applies to the servers and the admins.
3. Configure your settings and link it higher (on the OU level) than the general GPO.
Just deny read to the admins on the policy
ASKER
Enforcing the policy that I needed was ultimately what worked. I'm also going to clean up my group policies and create more policies that are specific to one task or one group of users or computers. That way I only apply policies to specific OUs and I do not get stuck where I have a policy that applies to the domain and I do not want everything in that policy for everyone.
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
It is much less confusing than setting up multiple policies.
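The loopback modes and the deny-permission exclusion discussed in this thread, as an added Python model that is not part of any post here. The GPO names, group names and the setting key are constructed; security filtering is reduced to a single Deny entry per GPO, and link enforcement is not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict                      # user-side setting -> value
    deny: set = field(default_factory=set)   # groups denied Read/Apply (simplified ACL)

def applies(gpo, groups):
    # A Deny entry for any group the user belongs to beats the default Allow.
    return not (gpo.deny & groups)

def user_rsop(user_gpos, computer_gpos, groups, loopback=None):
    """Resolve the user settings seen at logon.
    user_gpos / computer_gpos: GPOs reaching the user object / computer object,
    in processing order (the last one processed wins).
    loopback: None, "merge" or "replace"."""
    if loopback == "replace":
        order = list(computer_gpos)                    # user-side GPOs are ignored
    elif loopback == "merge":
        order = list(user_gpos) + list(computer_gpos)  # computer side processed last
    elif loopback is None:
        order = list(user_gpos)
    else:
        raise ValueError("loopback must be None, 'merge' or 'replace'")
    settings, source = {}, {}
    for gpo in order:
        if not applies(gpo, groups):
            continue                                   # filtered out for this user
        for key, value in gpo.user_settings.items():
            settings[key], source[key] = value, gpo.name
    return settings, source

# Constructed sample data mirroring the thread: a lockdown GPO on the server OU
# and an "allow Control Panel" GPO on the OU that holds the admin accounts.
LOCKDOWN = GPO("Server lockdown", {"NoControlPanel": True})
ADMIN_ALLOW = GPO("Admin allow", {"NoControlPanel": False})
ADMIN = {"Domain Users", "Server Admins"}
STAFF = {"Domain Users"}
# Same lockdown GPO after adding a Deny entry for the admin group.
LOCKDOWN_FILTERED = GPO("Server lockdown", {"NoControlPanel": True}, {"Server Admins"})

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, user_rsop([ADMIN_ALLOW], [LOCKDOWN], ADMIN, mode))
    print("deny, admin:", user_rsop([ADMIN_ALLOW], [LOCKDOWN_FILTERED], ADMIN, "replace"))
    print("deny, staff:", user_rsop([], [LOCKDOWN_FILTERED], STAFF, "replace"))
```

In this model the GPO linked to the admins' OU never wins on the server in either loopback mode, while the Deny entry lifts the restriction for admins and leaves it in place for everyone else.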