
How to exclude a machine from applying GPO computer settings only in case a particular user logs in

Posted on 2013-01-14
Last Modified: 2013-01-15
We have a bunch of load-balanced terminal servers with the computer GPO setting "Set path for TS roaming profiles", basically redirecting user profiles to a common location.

This is fine for common users. But I would like to prevent this setting from applying when a domain administrator logs in to any of those servers (keeping the profile local).

This would be easy if the "Set path for TS roaming profiles" setting was a user setting.

Any idea on how to achieve this workaround?


Thank You
0
Question by:Teknoxgroup
7 Comments
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 38774357
Create a subfolder in the same OU, and place a new policy that will apply to the user only. You can do it a few different ways, but the most practical way would be to run a login script when users log in.

Hope this helps...
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 38774379
By default, Domain Admins are exempt from most GPOs.  If that's not the case here, you can add the group to the permissions list for the GPO and deny them READ permissions to the policy.  Since the group can't read the policy, the policy can't apply to them.  This is the typical method of excluding group policy application.
0
 

Author Comment

by:Teknoxgroup
ID: 38774414
The problem here is not to block the user portion of the GPO (which comes from the administrator's user account OU).
The problem is to block the computer portion of the GPO (which comes from the terminal server's computer account OU), while retaining the same computer portion of the GPO for the other users that log in to that terminal server.
0

 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 38774548
You can exclude a computer too, as long as it has an object in Active Directory.
0
 

Author Comment

by:Teknoxgroup
ID: 38777381
If I exclude a TS from the GPO, other users logging in would also not get the computer portion of the TS GPO.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1500 total points
ID: 38777722
Not possible, sorry. You can't exclude a user object from computer settings (unless the component evaluating the setting supports this, and this isn't the case here).
The machine needs to know the user's profile path at the very moment the user is logging on, in order to process the User Configuration policies.
In other words: anything you're trying to achieve with User Configuration settings is doomed to fail, because it would require a switch to another user profile in the middle of GPO processing.
Anything you're trying to achieve with Computer Configuration settings is doomed to fail, too, because the "Profile Path" policy itself would need to support an exclusion list (which it doesn't), and it's impossible to prevent the application of a computer configuration based on the user logging on.
That leaves you with two alternatives:
* Create a dedicated "RDS Admin" that is used for administrative logons to machines that have the "Profile Path" policy applied.
* Instead of the policy, use the "Remote Desktop Services Profile" tab in the AD user properties to configure the roaming profile path, and leave that field empty for the admin account(s).
0
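The second alternative in the accepted answer (per-user "Remote Desktop Services Profile" path, left empty for admin accounts) can be applied in bulk. The script below is an added example, not part of the original thread; the OU, share path and exclusion group are assumptions, and it presumes the computer-side "Set path for TS roaming profiles" policy is no longer configured.

```powershell
#Requires -Modules ActiveDirectory
# Added example: set the per-user RDS profile path and keep it empty for admins.
# OU, share and group names are assumptions; replace them with your own.
param(
    [string]$SearchBase  = 'OU=TS Users,DC=example,DC=com',  # hypothetical OU
    [string]$ProfileRoot = '\\fileserver\tsprofiles$',       # hypothetical share
    [string]$AdminGroup  = 'Domain Admins',
    [switch]$Apply                                           # omit to report only
)

# Accounts whose RDS profile path must stay empty (profile stays local).
$adminDns = @(Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName)

# Check the admins too, even when they live outside $SearchBase.
$userDns = @(Get-ADUser -Filter * -SearchBase $SearchBase |
    Select-Object -ExpandProperty DistinguishedName)
$targets = $userDns + $adminDns | Sort-Object -Unique

foreach ($dn in $targets) {
    # Note: a DN containing '/' would need escaping in the LDAP path.
    $entry = [ADSI]"LDAP://$dn"
    $sam   = [string]$entry.sAMAccountName

    # InvokeGet throws when the value was never set; treat that as empty.
    try   { $current = [string]$entry.psbase.InvokeGet('TerminalServicesProfilePath') }
    catch { $current = '' }

    # Admins get an empty path; everyone else gets <share>\<logon name>.
    $wanted = if ($adminDns -contains $dn) { '' } else { "$ProfileRoot\$sam" }
    if ($current -eq $wanted) { continue }

    "{0}: '{1}' -> '{2}'" -f $sam, $current, $wanted
    if ($Apply) {
        $entry.psbase.InvokeSet('TerminalServicesProfilePath', $wanted)
        $entry.SetInfo()
    }
}
```

Run it without `-Apply` first to review the planned changes, and re-run it periodically so accounts later added to the admin group have their path cleared.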
 

Author Comment

by:Teknoxgroup
ID: 38778188
Thanks oBdA. It's as I suspected. It is "all or nothing" for GPO computer settings.
0
