?
Solved

Prevent GPO from applying

Posted on 2012-12-28
11
Medium Priority
?
422 Views
Last Modified: 2013-01-08
We have an OU for terminal Servers , we have blocked the inheritances so that no domain GPO apply on this OU.
This OU has all the Servers with terminal Server role installed.
Now we created 3 separate GPO's and applied them to the Terminal Server OU
GPO1 - For Computers
GPO2 - For Users
Q:1 - The gpo created for computers have User Configuration settings disabled
What we setup in this are various server settings for TS and we also enabled a policy named:
Set user profile path for all users logging on to this computer
All was fine until i realized even the administrators who login to these servers get this , which i did not wanted.
So i looked around and found "How to prevent domain Group Policies from applying to certain user or computer accounts"
http://support.microsoft.com/kb/816100
I Added a Group for the users who belong to admin group in the delegation tab in GPMC and followed the steps to deny GPO as mentioned in above article.
I ran Gpupdate /force couple of times
Rebooted servers
But the users who belong to this group still get their profile roaming .
I do not want these policies to be applied to the Admins.
Is there something i am doing wrong.
Is there anyway i can reset all group policies
How soon does a GPO become available after we edited it
does it depend on the replication ? in AD
0
Comment
Question by:MOQINFRA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
11 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 38726957
So this group is denied permission to have the Policy applied to them?  Are these accounts members of any other groups?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38726997
Are you saying that you do not want the COMPUTER policy settings applied if its an ADMINISTRATIVE USER??
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38727017
A computer policy is applied to a COMPUTER and NOT to a user. When a computer policy is applied it knows not who the user is.
0
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

 

Author Comment

by:MOQINFRA
ID: 38727053
Yes i do not want the Computer policy to apply when a admin logs in
0
 

Author Comment

by:MOQINFRA
ID: 38727056
yes these accounts are member of other groups as well. but shudnt deny override .
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38727201
You misunderstand.

A computer policy is applied to THE COMPUTER and NOT to a user therefore you can NOT DENY the policy for computer settings to a user ONLY to a computer.
0
 

Author Comment

by:MOQINFRA
ID: 38727304
So i would i be able to deny this reaming profile for some users and not all . do i have to setup some other policy instead of this one.
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 1000 total points
ID: 38727353
The commenest aproach is to have TS Administratve logins with an empty profile for any admin that needs to access the TS servers.

Do you not already have user accounts AND admin accounts for all your admin users?

i.e.

John.Jones  AND john.jonesAD

Nobody should realy be logging in with an administrative account for just general day to day work unless it absolutely requires admin priveledges.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38727355
"So i would i be able to deny this reaming profile for some users and not all "

NO. by using that policy it does exactly what it says.  ALL USERS, no exceptions.
0
 

Author Comment

by:MOQINFRA
ID: 38727637
Yes we have 2 different accounts

me and me_admin
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38756404
Giving a Grade C ? Would you explain why you feel its a grade 'C'?

Grading answers as a 'C' when you have been given the correct information, but you dont like the answer because it proves you cant do what you wanted just discourages experts from helping you in the future.
0

Featured Post

Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question