Solved

How to exclude a machine from applying GPO computer settings only in case a particular user logs in

Posted on 2013-01-14
7
865 Views
Last Modified: 2013-01-15
We have a bunch of load balanced terminal servers with computer GPO setting of "Set path for TS roaming profiles". Basically redirecting user profiles to common location.

This is fine for common users. But I would like to prevent this setting from applying in case that domain administrator logs-in to any of those servers (keeping the profile local).

This would be easy if "Set path for TS roaming profiles" setting was a user setting.

Any idea on how to achieve this get around?


Thank You
0
Comment
Question by:Teknoxgroup
7 Comments
 
LVL 7

Expert Comment

by:pr0t0c0l12
Comment Utility
Create a subfolder in the same OU, place a new policy that will apply to the user only.  you can do it a few different ways, but the most practical way would be to run a login script when users login.

hope this helps...
0
 
LVL 33

Expert Comment

by:paulmacd
Comment Utility
By default, Domain Admins are exempt from most GPOs.  If that's not the case here, you can add the group to the permissions list for the GPO and deny them READ permissions to the policy.  Since the group can't read the policy, the policy can't apply to them.  This is the typical method of excluding group policy application.
0
 

Author Comment

by:Teknoxgroup
Comment Utility
The problem here is not to block the user portion of GPO (which comes from administrator's user account OU).
The problem is to block computer portion of GPO (which comes from terminal server's computer account OU). While retaining the same computer portion of GPO for the other users that log-in to that terminal server.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 33

Expert Comment

by:paulmacd
Comment Utility
You can exclude a computer too, as long as it has an object in Active Directory.
0
 

Author Comment

by:Teknoxgroup
Comment Utility
If I exclude a TS from GPO, other loging users would also not get computer portion of TS GPO.
0
 
LVL 82

Accepted Solution

by:
oBdA earned 500 total points
Comment Utility
Not possible, sorry. You can't exclude a user object from computer settings (unless the component evaluating the setting supports this, and this isn't the case here).
The machine needs to know the user's profile path at the very moment the user is logging on, in order to process the User Configuration policies.
In other words: anything you're trying to achieve with User Configuration settings is doomed to fail, because it would require a switch to another user profile in the middle of GPO processing.
Anything you're trying to achieve with Computer Configuration settings is doomed to fail, too, because the "Profile Path" policy itself would need to support an exclusion list (which it doesn't), and it's impossible to prevent the application of a computer configuration based on the user logging on.
That leaves you with two alternatives:
* Create a dedicated "RDS Admin" that is used for administrative logons to machines that have the "Profile Path" policy applied.
* Instead of the policy, use the "Remote Desktop Services Profile" tab in the AD user properties to configure the roaming profile path, and leave that field empty for the admin account(s).
0
 

Author Comment

by:Teknoxgroup
Comment Utility
Thanks oBdA. It's as I suspected. It is "all or nothing" for GPO computer settings.
0

Featured Post

Want to promote your upcoming event?

Attending an event? Speaking at a conference? Or exhibiting at a tradeshow? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

Join & Write a Comment

This is a little timesaver I have been using for setting up Microsoft Small Business Server (SBS) in the simplest possible way. It may not be appropriate for every customer. However, when you get a situation where the person who owns the server is i…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

5 Experts available now in Live!

Get 1:1 Help Now