Avatar of MOQINFRA
 asked on

Prevent GPO from applying

We have an OU for terminal Servers , we have blocked the inheritances so that no domain GPO apply on this OU.
This OU has all the Servers with terminal Server role installed.
Now we created 3 separate GPO's and applied them to the Terminal Server OU
GPO1 - For Computers
GPO2 - For Users
Q:1 - The gpo created for computers have User Configuration settings disabled
What we setup in this are various server settings for TS and we also enabled a policy named:
Set user profile path for all users logging on to this computer
All was fine until i realized even the administrators who login to these servers get this , which i did not wanted.
So i looked around and found "How to prevent domain Group Policies from applying to certain user or computer accounts"
I Added a Group for the users who belong to admin group in the delegation tab in GPMC and followed the steps to deny GPO as mentioned in above article.
I ran Gpupdate /force couple of times
Rebooted servers
But the users who belong to this group still get their profile roaming .
I do not want these policies to be applied to the Admins.
Is there something i am doing wrong.
Is there anyway i can reset all group policies
How soon does a GPO become available after we edited it
does it depend on the replication ? in AD
NetworkingMicrosoft Legacy OSActive Directory

Avatar of undefined
Last Comment
Neil Russell

8/22/2022 - Mon
Paul MacDonald

So this group is denied permission to have the Policy applied to them?  Are these accounts members of any other groups?
Neil Russell

Are you saying that you do not want the COMPUTER policy settings applied if its an ADMINISTRATIVE USER??
Neil Russell

A computer policy is applied to a COMPUTER and NOT to a user. When a computer policy is applied it knows not who the user is.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck

Yes i do not want the Computer policy to apply when a admin logs in

yes these accounts are member of other groups as well. but shudnt deny override .
Neil Russell

You misunderstand.

A computer policy is applied to THE COMPUTER and NOT to a user therefore you can NOT DENY the policy for computer settings to a user ONLY to a computer.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

So i would i be able to deny this reaming profile for some users and not all . do i have to setup some other policy instead of this one.
Neil Russell

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Neil Russell

"So i would i be able to deny this reaming profile for some users and not all "

NO. by using that policy it does exactly what it says.  ALL USERS, no exceptions.

Yes we have 2 different accounts

me and me_admin
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Neil Russell

Giving a Grade C ? Would you explain why you feel its a grade 'C'?

Grading answers as a 'C' when you have been given the correct information, but you dont like the answer because it proves you cant do what you wanted just discourages experts from helping you in the future.