Solved

How to exclude a machine from applying GPO computer settings only in case a particular user logs in

Posted on 2013-01-14
7
932 Views
Last Modified: 2013-01-15
We have a bunch of load balanced terminal servers with computer GPO setting of "Set path for TS roaming profiles". Basically redirecting user profiles to common location.

This is fine for common users. But I would like to prevent this setting from applying in case that domain administrator logs-in to any of those servers (keeping the profile local).

This would be easy if "Set path for TS roaming profiles" setting was a user setting.

Any idea on how to achieve this get around?


Thank You
0
Comment
Question by:Teknoxgroup
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 38774357
Create a subfolder in the same OU, place a new policy that will apply to the user only.  you can do it a few different ways, but the most practical way would be to run a login script when users login.

hope this helps...
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 38774379
By default, Domain Admins are exempt from most GPOs.  If that's not the case here, you can add the group to the permissions list for the GPO and deny them READ permissions to the policy.  Since the group can't read the policy, the policy can't apply to them.  This is the typical method of excluding group policy application.
0
 

Author Comment

by:Teknoxgroup
ID: 38774414
The problem here is not to block the user portion of GPO (which comes from administrator's user account OU).
The problem is to block computer portion of GPO (which comes from terminal server's computer account OU). While retaining the same computer portion of GPO for the other users that log-in to that terminal server.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 38774548
You can exclude a computer too, as long as it has an object in Active Directory.
0
 

Author Comment

by:Teknoxgroup
ID: 38777381
If I exclude a TS from GPO, other loging users would also not get computer portion of TS GPO.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 38777722
Not possible, sorry. You can't exclude a user object from computer settings (unless the component evaluating the setting supports this, and this isn't the case here).
The machine needs to know the user's profile path at the very moment the user is logging on, in order to process the User Configuration policies.
In other words: anything you're trying to achieve with User Configuration settings is doomed to fail, because it would require a switch to another user profile in the middle of GPO processing.
Anything you're trying to achieve with Computer Configuration settings is doomed to fail, too, because the "Profile Path" policy itself would need to support an exclusion list (which it doesn't), and it's impossible to prevent the application of a computer configuration based on the user logging on.
That leaves you with two alternatives:
* Create a dedicated "RDS Admin" that is used for administrative logons to machines that have the "Profile Path" policy applied.
* Instead of the policy, use the "Remote Desktop Services Profile" tab in the AD user properties to configure the roaming profile path, and leave that field empty for the admin account(s).
0
 

Author Comment

by:Teknoxgroup
ID: 38778188
Thanks oBdA. It's as I suspected. It is "all or nothing" for GPO computer settings.
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question