Solved

How to exclude a machine from applying GPO computer settings only in case a particular user logs in

Posted on 2013-01-14
Last Modified: 2013-01-15
We have a bunch of load balanced terminal servers with the computer GPO setting "Set path for TS roaming profiles", basically redirecting user profiles to a common location.

This is fine for common users. But I would like to prevent this setting from applying in case a domain administrator logs in to any of those servers (keeping the profile local).

This would be easy if the "Set path for TS roaming profiles" setting was a user setting.

Any idea on how to achieve this workaround?


Thank You
Question by:Teknoxgroup
7 Comments
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 38774357
Create a subfolder in the same OU, place a new policy that will apply to the user only. You can do it a few different ways, but the most practical way would be to run a login script when users log in.

Hope this helps...
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 38774379
By default, Domain Admins are exempt from most GPOs. If that's not the case here, you can add the group to the permissions list for the GPO and deny them READ permissions to the policy. Since the group can't read the policy, the policy can't apply to them. This is the typical method of excluding group policy application.
 

Author Comment

by:Teknoxgroup
ID: 38774414
The problem here is not to block the user portion of the GPO (which comes from the administrator's user account OU).
The problem is to block the computer portion of the GPO (which comes from the terminal server's computer account OU), while retaining the same computer portion of the GPO for the other users that log in to that terminal server.
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 38774548
You can exclude a computer too, as long as it has an object in Active Directory.
 

Author Comment

by:Teknoxgroup
ID: 38777381
If I exclude a TS from the GPO, other users logging in would also not get the computer portion of the TS GPO.
 
LVL 84

Accepted Solution

by:oBdA (earned 500 total points)
ID: 38777722
Not possible, sorry. You can't exclude a user object from computer settings (unless the component evaluating the setting supports this, and this isn't the case here).
The machine needs to know the user's profile path at the very moment the user is logging on, in order to process the User Configuration policies.
In other words: anything you're trying to achieve with User Configuration settings is doomed to fail, because it would require a switch to another user profile in the middle of GPO processing.
Anything you're trying to achieve with Computer Configuration settings is doomed to fail, too, because the "Profile Path" policy itself would need to support an exclusion list (which it doesn't), and it's impossible to prevent the application of a computer configuration based on the user logging on.
That leaves you with two alternatives:
* Create a dedicated "RDS Admin" that is used for administrative logons to machines that have the "Profile Path" policy applied.
* Instead of the policy, use the "Remote Desktop Services Profile" tab in the AD user properties to configure the roaming profile path, and leave that field empty for the admin account(s).
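The second alternative in the accepted answer, the per-user "Remote Desktop Services Profile" field, can be set in bulk from PowerShell. This is an added example, not code from the thread; the OU, share path and admin group name are placeholders, and it assumes the RSAT ActiveDirectory module on the admin workstation.

```powershell
# Added example: populate the per-user RDS profile path instead of the computer-side
# "Set path for TS roaming profiles" policy, and leave it empty for admin accounts so
# they keep a local profile on every terminal server.
# The RDS Profile tab stores its values in the userParameters blob, so the field is set
# through the IADsTSUserEx interface via ADSI (InvokeSet), not as a plain LDAP attribute.
# Placeholder values (assumptions, not from the thread): OU DN, share path, admin group.

Import-Module ActiveDirectory

$UserOU      = 'OU=TS Users,DC=example,DC=local'   # placeholder OU of ordinary TS users
$ProfileRoot = '\\fileserver\TSProfiles$'           # placeholder common roaming profile share
$AdminGroup  = 'Domain Admins'                      # members keep a local profile

function Set-TsProfilePath {
    param([string]$DistinguishedName, [string]$Path)   # $Path = '' clears the field
    $u = [ADSI]("LDAP://" + $DistinguishedName)
    $u.psbase.InvokeSet('TerminalServicesProfilePath', $Path)
    $u.SetInfo()
}

function Get-TsProfilePath {
    param([string]$DistinguishedName)
    $u = [ADSI]("LDAP://" + $DistinguishedName)
    $u.psbase.InvokeGet('TerminalServicesProfilePath')
}

# Resolve admin membership recursively and compare by SID rather than by display name
$adminSids = @{}
Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $adminSids[$_.SID.Value] = $true }

foreach ($user in Get-ADUser -SearchBase $UserOU -Filter *) {
    if ($adminSids.ContainsKey($user.SID.Value)) {
        # Admin account: empty RDS profile path, so the profile stays local on each TS
        Set-TsProfilePath -DistinguishedName $user.DistinguishedName -Path ''
    } else {
        # Ordinary user: per-user folder under the common share
        Set-TsProfilePath -DistinguishedName $user.DistinguishedName `
                          -Path "$ProfileRoot\$($user.SamAccountName)"
    }
    # Read the value back so the run log shows what each account actually has
    '{0,-25} -> [{1}]' -f $user.SamAccountName, (Get-TsProfilePath $user.DistinguishedName)
}
```

As the answer notes, this replaces the computer policy rather than supplementing it; if the GPO stays linked to the terminal servers, the machine-wide path still wins for every user.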
 

Author Comment

by:Teknoxgroup
ID: 38778188
Thanks oBdA. It's as I suspected. It is "all or nothing" for GPO computer settings.