Solved

How to exclude a machine from applying GPO computer settings only in case a particular user logs in

Posted on 2013-01-14
Last Modified: 2013-01-15
We have a bunch of load-balanced terminal servers with the computer GPO setting "Set path for TS roaming profiles", basically redirecting user profiles to a common location.

This is fine for common users. But I would like to prevent this setting from applying when a domain administrator logs in to any of those servers (keeping the profile local).

This would be easy if the "Set path for TS roaming profiles" setting was a user setting.

Any idea on how to get around this?


Thank You
Question by:Teknoxgroup

Expert Comment

by:pr0t0c0l12
ID: 38774357
Create a subfolder in the same OU, place a new policy that will apply to the user only. You can do it a few different ways, but the most practical way would be to run a login script when users log in.

Hope this helps...

Expert Comment

by:Paul MacDonald
ID: 38774379
By default, Domain Admins are exempt from most GPOs.  If that's not the case here, you can add the group to the permissions list for the GPO and deny them READ permissions to the policy.  Since the group can't read the policy, the policy can't apply to them.  This is the typical method of excluding group policy application.

Author Comment

by:Teknoxgroup
ID: 38774414
The problem here is not to block the user portion of the GPO (which comes from the administrator's user account OU).
The problem is to block the computer portion of the GPO (which comes from the terminal server's computer account OU), while retaining the same computer portion of the GPO for the other users that log in to that terminal server.

Expert Comment

by:Paul MacDonald
ID: 38774548
You can exclude a computer too, as long as it has an object in Active Directory.

Author Comment

by:Teknoxgroup
ID: 38777381
If I exclude a TS from the GPO, other users logging in would also not get the computer portion of the TS GPO.

Accepted Solution

by:oBdA (earned 500 total points)
ID: 38777722
Not possible, sorry. You can't exclude a user object from computer settings (unless the component evaluating the setting supports this, and this isn't the case here).
The machine needs to know the user's profile path at the very moment the user is logging on, in order to process the User Configuration policies.
In other words: anything you're trying to achieve with User Configuration settings is doomed to fail, because it would require a switch to another user profile in the middle of GPO processing.
Anything you're trying to achieve with Computer Configuration settings is doomed to fail, too, because the "Profile Path" policy itself would need to support an exclusion list (which it doesn't), and it's impossible to prevent the application of a computer configuration based on the user logging on.
That leaves you with two alternatives:
* Create a dedicated "RDS Admin" that is used for administrative logons to machines that have the "Profile Path" policy applied.
* Instead of the policy, use the "Remote Desktop Services Profile" tab in the AD user properties to configure the roaming profile path, and leave that field empty for the admin account(s).
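
The second alternative in the accepted answer can be scripted. This is an added example, not part of oBdA's answer: it sets the "Remote Desktop Services Profile" path for regular users and reports any admin account where the field is not empty. The group name `TS Users` and the share `\\fileserver\tsprofiles$` are hypothetical, and it assumes the "Set path for TS roaming profiles" computer policy is no longer applied to the servers.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$UserGroup   = 'TS Users',                 # hypothetical: regular terminal server users
    [string]$AdminGroup  = 'Domain Admins',
    [string]$ProfileRoot = '\\fileserver\tsprofiles$'  # hypothetical: roaming profile share
)

# Bind to a user object; a "/" inside a DN must be escaped in an ADSI path.
function Get-Entry([string]$Dn) { [adsi]('LDAP://' + ($Dn -replace '/', '\/')) }

# The RDS profile path is stored inside the userParameters blob, so it is read
# and written through the ADSI property TerminalServicesProfilePath.
function Get-TsProfilePath($Entry) {
    try   { [string]$Entry.psbase.InvokeGet('TerminalServicesProfilePath') }
    catch { '' }   # InvokeGet throws when the value was never set
}

# Distinguished names of all user objects in a group, nested groups included.
function Get-UserDn([string]$Group) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.distinguishedName }
}

$adminDns = @(Get-UserDn $AdminGroup)

foreach ($dn in @(Get-UserDn $UserGroup)) {
    if ($adminDns -contains $dn) { continue }   # admins keep a local profile
    $entry  = Get-Entry $dn
    $sam    = [string]$entry.sAMAccountName
    $wanted = '{0}\{1}' -f $ProfileRoot.TrimEnd('\'), $sam
    if ((Get-TsProfilePath $entry) -eq $wanted) { continue }   # already correct
    if ($PSCmdlet.ShouldProcess($dn, "Set RDS profile path to $wanted")) {
        $entry.psbase.InvokeSet('TerminalServicesProfilePath', $wanted)
        $entry.SetInfo()
    }
}

# The field must stay empty for admin accounts; report any that have it set.
foreach ($dn in $adminDns) {
    $current = Get-TsProfilePath (Get-Entry $dn)
    if ($current) { Write-Warning "$dn has an RDS profile path set: $current" }
}
```

Run it with `-WhatIf` first to list the accounts that would be changed without writing to the directory.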

Author Comment

by:Teknoxgroup
ID: 38778188
Thanks oBdA. It's as I suspected. It is "all or nothing" for GPO computer settings.

Question has a verified solution.
