Link to home
Create AccountLog in
Avatar of dedri
dedriFlag for United States of America

asked on

restricted groups gpo

I need to apply with gpo policy that on all of the computers in our company BUILTIN/Administrators group contain only Administrators and Domain Admins.
Also I need to have an exception for part of the computers.
I know about restricted groups, but could you tell me how to make an exceptions for group of computers
ASKER CERTIFIED SOLUTION
Avatar of Mike Kline
Mike Kline
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of dedri

ASKER

I am looking a way to apply the policy to all( a little bit more than 1000)  computers except 6-7 computers.  And every new computer added to our organization need to have this policy applied. And this is computer policy.
One way to do this that I see is to put the computers you don't want this to apply to in an OU where the GPO won't apply.  Whether that means having them in a parent OU (with the GPO linked at a lower level), or in a child OU with inheritance blocked, would depend on your other GPOs that need to apply.
If you go the security filtering route, then you could add all computers (except the ones you want to exclude) to a security group which the GPO applies to, and make it a matter of course that each new machine is added to the group.
I've never tried it in this fashion exactly, but last possibility I can think of would be to go to the GPO's Delegation tab, click on Advanced and add the computer accounts (or group) and select Deny for "Apply group policy", then save the changes.
is the issue resolved ...let me know if you need any further assistance
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account