Ggillotte

Need to apply a gpo to most users, but not to others.

Hi, I enabled the "Deny Removable Storage Access" GPO for all authenticated users, created a group essentially named "Block Policy", and then in the GPO Delegation tab I checked Deny to "Read" and "Apply Group Policy" for the new group.
I thought this would restrict every user in our domain except for the groups that I placed inside the "Block Policy" group.
This made everyone lose removable storage, i.e. DVD drive, USB drives, floppy drives, etc., including all admins on our domain.

Because I couldn't get the "Block Policy" group to be excluded from this GPO, I changed the GPO to only include "Domain Users", and then removed a test admin from the "Domain Users" group.
After a reboot, this still didn't work, and even though this test Domain Admin wasn't in the assigned group the policy settings "stuck".

In order to get the DVD back I had to uncheck "Enforced" and "Link Enabled" on the GPO itself, and reboot the workstation.

Does anybody have any ideas on how to successfully allow a group to be excluded from this restrictive GPO?
Topics: Microsoft Legacy OS, OS Security

Ron Malmstead

Is this a user policy or a computer policy?
If it's a computer policy, it applies to computer objects, not user objects so the permissions for users would be ignored for computer policy settings.
Ggillotte (asker)

Hi Xuserx2000, good question.

I forgot to mention that at first it was applied to both users and computers, then I removed computers from it.
It only has user settings now, but I still got the same problems mentioned before.
Ggillotte (asker)

Does it make a difference that inside the "Block Policy" group, I added other groups like "Domain Admins", instead of individual users?
I don't think it should matter, but that's the only thing I can think of.
Ackles

Please post the settings of GPO.

Secondly, don't enforce unless you have a reason.

If possible post the screenshot of OU & structure & where GPO is applied.

My fear is that you are using computer side settings.

A
ASKER CERTIFIED SOLUTION
Ron Malmstead

Ackles

A policy always reverts when disabled; a preference sticks unless it is checked to be removed when disabled.

A
Ggillotte (asker)

That was exactly it.
The old settings didn't revert back because I changed the GPO settings to "Not Configured", and the old settings were stuck in that workstation.

I also found that if I create and link a GPO "disabling" the disabled permission (expressly allowing it), add the group of users that I want to allow this permission to it, and then change the link order to one above the restrictive GPO (above the GPO for everyone else), then it has precedence over the GPO below it.

Which is better?
To block a group by denying the "apply GPO" in its delegation, or creating a different GPO and linking it above the other GPO?
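Worked example of the "second GPO linked above the restrictive one" approach described in the post above, plus the policy-versus-preference check from Ackles' comment. This is added here by the editor and is not code from the thread. It assumes the GroupPolicy RSAT module on a domain-joined admin host; the domain, OU and GPO names are hypothetical, "Block Policy" is the exception group from the thread, and the registry value is the one written by User Configuration > Administrative Templates > System > Removable Storage Access > "All Removable Storage classes: Deny all access", which is assumed to be the setting the thread calls "Deny Removable Storage Access".

```powershell
# Added example, not from the original thread. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

$Domain       = 'corp.example'                                   # hypothetical
$TargetOU     = 'OU=Workstations,DC=corp,DC=example'             # hypothetical
$ExceptGroup  = 'Block Policy'                                   # exception group from the thread
$PolicyKey    = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'  # assumed setting
$DenyGpoName  = 'Removable Storage - Deny All'                   # hypothetical
$AllowGpoName = 'Removable Storage - Allow (exception group)'    # hypothetical

# --- 1. Restrictive GPO for everyone in the OU: Deny_All = 1 (policy Enabled) ---
New-GPO -Name $DenyGpoName -Domain $Domain | Out-Null
Set-GPRegistryValue -Name $DenyGpoName -Key $PolicyKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
# Linked but NOT enforced: an enforced link wins regardless of link order and would
# defeat the exception GPO below (this is why "Enforced" had to come off in the thread).
New-GPLink -Name $DenyGpoName -Target $TargetOU -LinkEnabled Yes -Enforced No | Out-Null

# --- 2. Exception GPO: same setting Disabled (Deny_All = 0), security-filtered to the group ---
New-GPO -Name $AllowGpoName -Domain $Domain | Out-Null
Set-GPRegistryValue -Name $AllowGpoName -Key $PolicyKey -ValueName 'Deny_All' -Type DWord -Value 0 | Out-Null
# Replace the default "Authenticated Users: Apply Group Policy" with the exception group only.
Set-GPPermission -Name $AllowGpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $AllowGpoName -TargetName $ExceptGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
# Since MS16-072 user-side settings are retrieved in the computer's security context,
# so computer accounts still need Read once Authenticated Users is removed.
Set-GPPermission -Name $AllowGpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
# Link order 1 is the highest precedence on this OU, so it is processed last and overrides the deny GPO.
New-GPLink -Name $AllowGpoName -Target $TargetOU -LinkEnabled Yes -Enforced No -Order 1 | Out-Null

# --- 3. Show the resulting link order on the OU (lower Order wins among non-enforced links) ---
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# --- 4. Run on a workstation, logged on as the user under test ---
function Test-RemovableStoragePolicy {
    # Reads what Group Policy actually wrote for the current user under the Policies key.
    # 1 = blocked, 0 = exception GPO won, no value = no policy applies (a true policy
    # setting reverts here; a Preference item that tattooed the registry would not).
    gpupdate /target:user /force | Out-Null
    $v = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
                          -Name Deny_All -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'not configured (no policy value present)' } else { "Deny_All = $($v.Deny_All)" }
}
Test-RemovableStoragePolicy
# gpresult /r /scope:user   # also lists applied GPOs and those filtered out by security filtering
```

Two caveats when testing this. Set-GPPermission only grants Allow permissions, so the Deny "Apply Group Policy" approach from the first post has to be set in the GPMC Delegation tab (Advanced); a Deny ACE does win over Allow, but only once the user's logon token contains the group, so after changing group membership (including a nested group such as "Domain Admins" inside "Block Policy") the user must log off and back on before either method takes effect. A workstation reboot achieves that for the user only because it forces a fresh logon.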
Ron Malmstead

The method that is better is the one that has less GPO objects and still has the desired result.