Solved

How do you add exclusions to a GPO

Posted on 2014-07-31
44
104 Views
Last Modified: 2014-08-07
I have a GPO that is linked to 2 servers.  It applies a Profile management software to all users that log on to either server.  I want to have it 'not" apply to the Administrators log in.

How?
0
Comment
Question by:jrsitman
  • 22
  • 21
44 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 40232155
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40232211
Remove Authenticated Users from Security Filtering and Just add Domain Users or what ever group needs to have the GPO applied
0
 

Author Comment

by:jrsitman
ID: 40233121
I'll try to get to this tonight after I read the article.
0
 

Author Comment

by:jrsitman
ID: 40233290
I changed the Security settings and now the entire GPO is gone.  How is that possible? Can it be restored?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233299
Where did you remove Authenticated Users from? Can you send a screenshot of it? It sounds like you removed it from the wrong area entirely.
0
 

Author Comment

by:jrsitman
ID: 40233308
I use Active Administrator to manage the GPO's.  See screen shot.  I chose to modify Security Filters.  I added domain users and remove Authenticated Users.
AA.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233311
You are probably going to have to use the standard Group Policy Management to add Authenticated Users back, Ive never used Active Administrator. I have no idea how it works or manages policies.
0
 

Author Comment

by:jrsitman
ID: 40233319
The GPO isn't even there.  Is there a restore option in GPM
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233327
There is a backup option that you can restore from if it is available.

http://technet.microsoft.com/en-us/library/cc755173.aspx
0
 

Author Comment

by:jrsitman
ID: 40233333
Do you have any idea where the backups would default to?  Or what would be the name of the backup file?    Or the extension?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233337
Im not sure where it would default to. Does Active Administrator have a backup option?

The policy may not be showing up because it looks like you removed Authenticated Users from standard security. Do you have a domain admin account that is also in the domain users group? Try to open Group Policy Management with an account that is in the Domain Users group and see if the policy is listed in there.
0
 

Author Comment

by:jrsitman
ID: 40234398
I ran Gpresult /r see attached.  Anyway to unfilter it?
gpo-filtered.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234412
Were you ever able to get the GPO to show back up in management?
0
 

Author Comment

by:jrsitman
ID: 40234417
no
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234420
did you try and open group policy management with an account that is part of the Domain Users group?
0
 

Author Comment

by:jrsitman
ID: 40234434
Yes, it still doesn't show.  If I could find the default backup folder, then maybe I could restore it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234485
You will need to find the group policy that isnt showing in the

C:\Windows\Sysvol\{Domain}\Policies\ on the server. All of the policies are listed by GUID. You can probably find it by trying to open each folder, whichever one does not allow you to open is probably the one in question, you can also compare the GUID to the Unique ID in Active Administrator.

Once it is found, you can modify the permissions on the folder to re-add Authenticated Users. if it does not allow you to change the permissions, you must take ownership of the folder. Once it is listed in GPMC again you can edit it how you normally would.
0
 

Author Comment

by:jrsitman
ID: 40234703
OK, making progress.  I definitely found the GPO.  I changed the security permissions.  I opened registry.pol and verified it was the correct policy.  However, it is still not listed in the GPMC.

What else can I try?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234741
Are you opening GPMC on that specific server?
0
 

Author Comment

by:jrsitman
ID: 40244987
yes opened it both on the DC and on the computer it was applied to.
0
 

Author Comment

by:jrsitman
ID: 40244995
is it safe to delete the damaged policy manually from the policy folder?  See my post 40234398.  That's why I want to delete it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245062
yes, you can delete it from the folder. It will take a while for the deletion to propagate to other DC's
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:jrsitman
ID: 40245070
thanks.  I'll post tomorrow
0
 

Author Comment

by:jrsitman
ID: 40245099
I'm going to create a test GPO and start over with the original part of this post.  Any suggestions on what I might have done wrong and deleted the GPO?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245104
It looked like you deleted authenticated users from security permissions instead of making it not apply to authenticated users
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245108
The policy should only apply to Domain Users, that will leave the admins out of it. How are you making it only apply to the 2 servers?
0
 

Author Comment

by:jrsitman
ID: 40245113
Yes I deleted authenticated users.  I read the article slower this time.  I put the two servers in there own OU
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245127
Ok, if they are in their own OU then have it apply to Domain Users and Domain computers. This will make sure that both User and Computer settings will be applied.
0
 

Author Comment

by:jrsitman
ID: 40245173
so uncheck these and add the others correct?  see attached.
gpo3.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245937
that is not where you apply policies, that is permission security. wrong screen entirely
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245967
From what I can see in Active Administrator, you should be doing this in Security Group Filters. The only 2 groups the GPO should Apply to is

Domain Users
Domain Computers

Capture.PNG
0
 

Author Comment

by:jrsitman
ID: 40246796
ok, got it figured out.  See attached. However, the GPO is still getting on the computer when I log on as Administrator.  I ran Gpresult /r and it is listed.
filter-security.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246801
is the account you are logging in with part of the Domain Users group?
0
 

Author Comment

by:jrsitman
ID: 40246817
I just doubled checked and no it is not.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246843
on the server you will need to do a gpupdate /force and possibly a restart before doing a gpresult /r to see the changes
0
 

Author Comment

by:jrsitman
ID: 40246849
I did that.  It showed the GPO was applied to the computer I logged into.  I don't want it applied to Administrator user.
0
 

Author Comment

by:jrsitman
ID: 40246860
no idea what you're suggesting
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246854
if its a computer configuration then you need to do item level targeting.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246869
gpo.PNG
Are the settings under Computer Configuration or User Configuration? Depending on what they are under, depends on how you have to do it. I would suggest reading up on Active Administrator, Group Policy, and how policies are applied to computers and users.
0
 

Author Comment

by:jrsitman
ID: 40246917
Computer.  See attached.  These are what I'm trying to manage.  How did you "paste" into the post?
gpo-settings.png
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 500 total points
ID: 40246953
That setting is under Computer Configuration > Policies > Administrative Templates > System > User Profiles

This setting cannot be applied to only certain users. It will apply to all users who login no matter what.

If you can find similar settings under User Configuration > Policies > Administrative Templates > System > User Profiles then they would only apply to Domain Users but the way that policy is made will not allow it to apply to specific users.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246960
Also, to embed a picture choose embed on the picture once you upload it

embed.PNG
gpo.PNG
0
 

Author Comment

by:jrsitman
ID: 40246977
ok, we'll we've solved that.  Thanks for hanging in there.
0
 

Author Closing Comment

by:jrsitman
ID: 40246979
Thanks
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now