How do you add exclusions to a GPO

I have a GPO that is linked to 2 servers.  It applies a Profile management software to all users that log on to either server.  I want to have it 'not" apply to the Administrators log in.

How?
J.R. SitmanIT DirectorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brian PiercePhotographerCommented:
0
Joshua GrantomSenior Systems AdministratorCommented:
Remove Authenticated Users from Security Filtering and Just add Domain Users or what ever group needs to have the GPO applied
0
J.R. SitmanIT DirectorAuthor Commented:
I'll try to get to this tonight after I read the article.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

J.R. SitmanIT DirectorAuthor Commented:
I changed the Security settings and now the entire GPO is gone.  How is that possible? Can it be restored?
0
Joshua GrantomSenior Systems AdministratorCommented:
Where did you remove Authenticated Users from? Can you send a screenshot of it? It sounds like you removed it from the wrong area entirely.
0
J.R. SitmanIT DirectorAuthor Commented:
I use Active Administrator to manage the GPO's.  See screen shot.  I chose to modify Security Filters.  I added domain users and remove Authenticated Users.
AA.png
0
Joshua GrantomSenior Systems AdministratorCommented:
You are probably going to have to use the standard Group Policy Management to add Authenticated Users back, Ive never used Active Administrator. I have no idea how it works or manages policies.
0
J.R. SitmanIT DirectorAuthor Commented:
The GPO isn't even there.  Is there a restore option in GPM
0
Joshua GrantomSenior Systems AdministratorCommented:
There is a backup option that you can restore from if it is available.

http://technet.microsoft.com/en-us/library/cc755173.aspx
0
J.R. SitmanIT DirectorAuthor Commented:
Do you have any idea where the backups would default to?  Or what would be the name of the backup file?    Or the extension?
0
Joshua GrantomSenior Systems AdministratorCommented:
Im not sure where it would default to. Does Active Administrator have a backup option?

The policy may not be showing up because it looks like you removed Authenticated Users from standard security. Do you have a domain admin account that is also in the domain users group? Try to open Group Policy Management with an account that is in the Domain Users group and see if the policy is listed in there.
0
J.R. SitmanIT DirectorAuthor Commented:
I ran Gpresult /r see attached.  Anyway to unfilter it?
gpo-filtered.png
0
Joshua GrantomSenior Systems AdministratorCommented:
Were you ever able to get the GPO to show back up in management?
0
J.R. SitmanIT DirectorAuthor Commented:
no
0
Joshua GrantomSenior Systems AdministratorCommented:
did you try and open group policy management with an account that is part of the Domain Users group?
0
J.R. SitmanIT DirectorAuthor Commented:
Yes, it still doesn't show.  If I could find the default backup folder, then maybe I could restore it.
0
Joshua GrantomSenior Systems AdministratorCommented:
You will need to find the group policy that isnt showing in the

C:\Windows\Sysvol\{Domain}\Policies\ on the server. All of the policies are listed by GUID. You can probably find it by trying to open each folder, whichever one does not allow you to open is probably the one in question, you can also compare the GUID to the Unique ID in Active Administrator.

Once it is found, you can modify the permissions on the folder to re-add Authenticated Users. if it does not allow you to change the permissions, you must take ownership of the folder. Once it is listed in GPMC again you can edit it how you normally would.
0
J.R. SitmanIT DirectorAuthor Commented:
OK, making progress.  I definitely found the GPO.  I changed the security permissions.  I opened registry.pol and verified it was the correct policy.  However, it is still not listed in the GPMC.

What else can I try?
0
Joshua GrantomSenior Systems AdministratorCommented:
Are you opening GPMC on that specific server?
0
J.R. SitmanIT DirectorAuthor Commented:
yes opened it both on the DC and on the computer it was applied to.
0
J.R. SitmanIT DirectorAuthor Commented:
is it safe to delete the damaged policy manually from the policy folder?  See my post 40234398.  That's why I want to delete it.
0
Joshua GrantomSenior Systems AdministratorCommented:
yes, you can delete it from the folder. It will take a while for the deletion to propagate to other DC's
0
J.R. SitmanIT DirectorAuthor Commented:
thanks.  I'll post tomorrow
0
J.R. SitmanIT DirectorAuthor Commented:
I'm going to create a test GPO and start over with the original part of this post.  Any suggestions on what I might have done wrong and deleted the GPO?
0
Joshua GrantomSenior Systems AdministratorCommented:
It looked like you deleted authenticated users from security permissions instead of making it not apply to authenticated users
0
Joshua GrantomSenior Systems AdministratorCommented:
The policy should only apply to Domain Users, that will leave the admins out of it. How are you making it only apply to the 2 servers?
0
J.R. SitmanIT DirectorAuthor Commented:
Yes I deleted authenticated users.  I read the article slower this time.  I put the two servers in there own OU
0
Joshua GrantomSenior Systems AdministratorCommented:
Ok, if they are in their own OU then have it apply to Domain Users and Domain computers. This will make sure that both User and Computer settings will be applied.
0
J.R. SitmanIT DirectorAuthor Commented:
so uncheck these and add the others correct?  see attached.
gpo3.png
0
Joshua GrantomSenior Systems AdministratorCommented:
that is not where you apply policies, that is permission security. wrong screen entirely
0
Joshua GrantomSenior Systems AdministratorCommented:
From what I can see in Active Administrator, you should be doing this in Security Group Filters. The only 2 groups the GPO should Apply to is

Domain Users
Domain Computers

Capture.PNG
0
J.R. SitmanIT DirectorAuthor Commented:
ok, got it figured out.  See attached. However, the GPO is still getting on the computer when I log on as Administrator.  I ran Gpresult /r and it is listed.
filter-security.png
0
Joshua GrantomSenior Systems AdministratorCommented:
is the account you are logging in with part of the Domain Users group?
0
J.R. SitmanIT DirectorAuthor Commented:
I just doubled checked and no it is not.
0
Joshua GrantomSenior Systems AdministratorCommented:
on the server you will need to do a gpupdate /force and possibly a restart before doing a gpresult /r to see the changes
0
J.R. SitmanIT DirectorAuthor Commented:
I did that.  It showed the GPO was applied to the computer I logged into.  I don't want it applied to Administrator user.
0
J.R. SitmanIT DirectorAuthor Commented:
no idea what you're suggesting
0
Joshua GrantomSenior Systems AdministratorCommented:
if its a computer configuration then you need to do item level targeting.
0
Joshua GrantomSenior Systems AdministratorCommented:
gpo.PNG
Are the settings under Computer Configuration or User Configuration? Depending on what they are under, depends on how you have to do it. I would suggest reading up on Active Administrator, Group Policy, and how policies are applied to computers and users.
0
J.R. SitmanIT DirectorAuthor Commented:
Computer.  See attached.  These are what I'm trying to manage.  How did you "paste" into the post?
gpo-settings.png
0
Joshua GrantomSenior Systems AdministratorCommented:
That setting is under Computer Configuration > Policies > Administrative Templates > System > User Profiles

This setting cannot be applied to only certain users. It will apply to all users who login no matter what.

If you can find similar settings under User Configuration > Policies > Administrative Templates > System > User Profiles then they would only apply to Domain Users but the way that policy is made will not allow it to apply to specific users.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Joshua GrantomSenior Systems AdministratorCommented:
Also, to embed a picture choose embed on the picture once you upload it

embed.PNG
gpo.PNG
0
J.R. SitmanIT DirectorAuthor Commented:
ok, we'll we've solved that.  Thanks for hanging in there.
0
J.R. SitmanIT DirectorAuthor Commented:
Thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.