• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 209
  • Last Modified:

SBS08 Group Policy changes for remote PCs

Hi All,
We have a remote location with several PC's that are part of our SBS08 network. The remote location has a RODC Windows 08 server.
Prefer not to modifythe existing inbuilt SBS policies too much but would like to exclude these users/pc's from some of the policies and/or point them at variations which include a local to them WSUS server.

So is this possible to exclude users/pc from existing GP, and then include them only to some new GPs?
0
art_r
Asked:
art_r
  • 3
  • 2
1 Solution
 
Brad BouchardInformation Systems Security OfficerCommented:
Most everything is possible through Group Policy and is easiest if you use your OU structure to your advantage and only have certain users/computers in OUs that you want these GPOs applied to.  

That being said, you can also exclude certain individuals and computers from these policies without restructuring your entire OU/AD.  

Have you thought of/tried removing individuals from the applied to section of the GPO(s) in question?
0
 
Nagendra Pratap SinghCommented:
Add these remote PCs to a group. Deny them the read GPO via security settings.
0
 
art_rAuthor Commented:
xBouchardx - I think the main SBS GPO's are just applied to Authenticated users so all users. So i'm guessing if changed that it would mean i would then need to add any new users individually in the future which I would prefer not to do.
0
NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

 
Brad BouchardInformation Systems Security OfficerCommented:
So make a group for the users you want to exclude and either deny them read access or apply a different GPO to this OU and Enforce it so it takes precedence over other GPOs.
0
 
art_rAuthor Commented:
npsingh123 - ok, just having a look at it this way.

So if I make a copy of the default domain policy, rename it Remote Policy
I already have my group of PC's defined, Remote_PCs

Then on my existing policy, go delegation, advanced, add Remote_PCs with deny on read.

Then on new Remote Policy, i would remove Authenticated Users and add Remote_PCs?

Am I sort of on right track there..?
0
 
Brad BouchardInformation Systems Security OfficerCommented:
Correct...
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now