Group Policy security filtering based on AD Group

Hello experts,

I have a scenario that is turning out to be problematic.  We want to roll out a new password policy to the entire company but want to exclude a group of users in Active Directory from this policy.

We have the security tab of the policy set to deny this group policy to this AD group but since the password settings are part of the computer configuration of a Group Policy, this deny permission has no effect - in other words, it would only deny settings in the user part of a Group Policy since that is processed at login time, not computer start-up time.

Loopback processing can't be used because it is designed to ensure the computer settings stay the same regardless of the user who logs in.

In short - we want to deny the computer settings of a Group Policy to an AD user group.

Thanks in advance.

RC
Asked by: Levi Gwyn

Mike Kline commented:
You won't be able to do that; the password policy linked at the domain applies to every user account and can't be blocked. This only applies to password policies; no other policies work this way.

Microsoft had a lot of complaints because people did want the ability to apply different policies to different users/groups. In Windows 2008 they introduced fine-grained password policies:

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

There are also third-party tools. What is your domain and forest functional level?

Thanks

Mike
Levi Gwyn (author) commented:
Hi Mike,

Our forest/domain functional level is 2008 R2. Also, our plan is to set all the password settings in the top-level domain policy to "not enabled" and apply a unique policy to each OU with the password settings we want. This worked in a test environment, but the issue of denying an AD group still remains.
Mike Kline commented:
You won't be able to do that. You are going to have to use fine-grained password policies. By the way, if you have one Windows 8 or 2012 box (no DCs required) you can use the new version of ADAC, which makes managing FGPP much easier:

http://technet.microsoft.com/en-us/library/jj574178.aspx

Thanks

Mike
violageek commented:
You can create separate password policies using ADSI Edit and apply them to separate groups, and not use the default domain password policy. The steps can be found at the link below:

http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx#BKMK_1

Hope this helps!
McKnife commented:
Though all has been said, I will add something to your understanding of GPO denials.
> we want to deny the computer settings of a Group Policy to an AD user group
What could be done with loopback processing is denying the application of user policies (and taking the settings that are applied to the "loopbacked" computer instead); it was never possible to prevent the application of computer policies through loopback processing.

But anyway, the denial you are looking for would need to be made at the object where the policy applies, and that's at the computer objects that manage the domain user passwords: the DCs. So we can either apply the password policy to the DCs or leave it blank. As simple as that: all domain users or no one.
With PSOs, however, we can finally apply to user objects and groups.
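The approach the answers above converge on (Mike's fine-grained password policies, violageek's separate policies per group, McKnife's point that PSOs target user objects and groups rather than the DCs) can be scripted with the ActiveDirectory PowerShell module. The following is an added example written for this page, not code from the thread or from Microsoft; the PSO names, the group name `PasswordPolicyExempt`, the sample user `jdoe` and all policy values are assumptions. It creates two Password Settings Objects: a company-wide PSO applied to `Domain Users`, and a second PSO with a lower precedence number (which wins) that keeps the exempt group on looser settings, then verifies which PSO a user actually receives.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module, a
# domain functional level of Windows Server 2008 or higher (the asker's is
# 2008 R2), and an existing GLOBAL security group named 'PasswordPolicyExempt'.
# PSOs can only be applied to user objects and global security groups.
Import-Module ActiveDirectory

# Sanity checks before creating anything: functional level and group scope.
Get-ADDomain | Select-Object Name, DomainMode
$exemptGroup = Get-ADGroup -Identity 'PasswordPolicyExempt'   # assumed group
if ($exemptGroup.GroupScope -ne 'Global') {
    throw "PSO subjects must be global security groups; '$($exemptGroup.Name)' is $($exemptGroup.GroupScope)."
}

# PSO 1: the new company-wide rules. Precedence 200 so that any more specific
# PSO (lower number) can override it. Values are assumed, not the asker's.
New-ADFineGrainedPasswordPolicy -Name 'PSO-CompanyStandard' `
    -Precedence 200 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Company-wide password rules (example values)'

# 'Domain Users' is a global security group, so it is a valid PSO subject.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-CompanyStandard' -Subjects 'Domain Users'

# PSO 2: the exemption. Lower precedence number = higher priority, so members
# of the exempt group get this PSO even though they are also in Domain Users.
New-ADFineGrainedPasswordPolicy -Name 'PSO-LegacyExempt' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 8 `
    -PasswordHistoryCount 5 `
    -MinPasswordAge (New-TimeSpan -Days 0) `
    -MaxPasswordAge (New-TimeSpan -Days 0) `
    -LockoutThreshold 0 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Exempt group keeps the previous, looser rules (example values)'

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-LegacyExempt' -Subjects $exemptGroup

# Verification: the resultant PSO for a user. Returns $null when no PSO
# applies and the Default Domain Policy still governs the account.
$rpp = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # assumed user
if ($null -eq $rpp) {
    Write-Output "jdoe: no PSO applies; Default Domain Policy is in effect."
} else {
    $rpp | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}

# Audit: every PSO in the domain and what it applies to, ordered by priority.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```

Two points worth checking in such a setup: if two PSOs with the same precedence apply to one user, the one with the lower GUID wins, which is arbitrary, so keep precedence values unique; and PSOs never apply to computer objects or to users not covered by any PSO, so the password settings in the Default Domain Policy still matter for those accounts even after the PSOs are in place.
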
Levi Gwyn (author) commented:
We went with FGPP using ADSIEdit.  Thanks mkline71.  That worked well.
Question has a verified solution.