Solved

How do you add exclusions to a GPO

Posted on 2014-07-31
Last Modified: 2014-08-07
I have a GPO that is linked to 2 servers. It applies a Profile management software to all users that log on to either server. I want to have it "not" apply to the Administrators log in.

How?
0
Question by:J.R. Sitman
44 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 40232155
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40232211
Remove Authenticated Users from Security Filtering and just add Domain Users or whatever group needs to have the GPO applied.
0
 

Author Comment

by:J.R. Sitman
ID: 40233121
I'll try to get to this tonight after I read the article.
0

 

Author Comment

by:J.R. Sitman
ID: 40233290
I changed the Security settings and now the entire GPO is gone.  How is that possible? Can it be restored?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233299
Where did you remove Authenticated Users from? Can you send a screenshot of it? It sounds like you removed it from the wrong area entirely.
0
 

Author Comment

by:J.R. Sitman
ID: 40233308
I use Active Administrator to manage the GPOs. See screen shot. I chose to modify Security Filters. I added Domain Users and removed Authenticated Users.
AA.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233311
You are probably going to have to use the standard Group Policy Management to add Authenticated Users back. I've never used Active Administrator. I have no idea how it works or manages policies.
0
 

Author Comment

by:J.R. Sitman
ID: 40233319
The GPO isn't even there. Is there a restore option in GPM?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233327
There is a backup option that you can restore from if it is available.

http://technet.microsoft.com/en-us/library/cc755173.aspx
0
 

Author Comment

by:J.R. Sitman
ID: 40233333
Do you have any idea where the backups would default to?  Or what would be the name of the backup file?    Or the extension?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233337
I'm not sure where it would default to. Does Active Administrator have a backup option?

The policy may not be showing up because it looks like you removed Authenticated Users from standard security. Do you have a domain admin account that is also in the domain users group? Try to open Group Policy Management with an account that is in the Domain Users group and see if the policy is listed in there.
0
 

Author Comment

by:J.R. Sitman
ID: 40234398
I ran Gpresult /r, see attached. Any way to unfilter it?
gpo-filtered.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234412
Were you ever able to get the GPO to show back up in management?
0
 

Author Comment

by:J.R. Sitman
ID: 40234417
no
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234420
Did you try to open Group Policy Management with an account that is part of the Domain Users group?
0
 

Author Comment

by:J.R. Sitman
ID: 40234434
Yes, it still doesn't show.  If I could find the default backup folder, then maybe I could restore it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234485
You will need to find the group policy that isn't showing in C:\Windows\Sysvol\{Domain}\Policies\ on the server. All of the policies are listed by GUID. You can probably find it by trying to open each folder; whichever one does not allow you to open it is probably the one in question. You can also compare the GUID to the Unique ID in Active Administrator.

Once it is found, you can modify the permissions on the folder to re-add Authenticated Users. If it does not allow you to change the permissions, you must take ownership of the folder. Once it is listed in GPMC again you can edit it how you normally would.
0
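An added example, not part of the original post or of any tool mentioned in the thread: one way to shortlist the policy folder described above is to compare the GUID folders under SYSVOL with the GPOs that `Get-GPO -All` can still read. It assumes a domain-joined machine with the GroupPolicy PowerShell module, and it uses the domain SYSVOL share rather than the local C:\Windows\Sysvol path.

```powershell
# Added example. Assumes the GroupPolicy module (GPMC/RSAT) is installed
# and that the logged-on user's DNS domain is the one holding the GPO.
Import-Module GroupPolicy

$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# GUID -> display name for every GPO the current account can read
# through the Group Policy API (what GPMC would list).
$visible = @{}
Get-GPO -All | ForEach-Object {
    $visible[$_.Id.ToString('B').ToUpper()] = $_.DisplayName
}

# Walk the {GUID} folders and test whether each one can be opened.
$report = Get-ChildItem -Path $policies -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $opens = $true
        try   { Get-ChildItem -Path $_.FullName -ErrorAction Stop | Out-Null }
        catch { $opens = $false }

        [pscustomobject]@{
            Guid        = $_.Name
            DisplayName = $visible[$_.Name.ToUpper()]   # empty if not readable as a GPO
            FolderOpens = $opens
        }
    }

# Candidates: folders with no readable GPO behind them, or that refuse to open.
$report |
    Where-Object { -not $_.DisplayName -or -not $_.FolderOpens } |
    Format-Table -AutoSize
```

A folder listed with an empty DisplayName is either a GPO whose directory object the current account cannot read or a leftover folder with no GPO object, so confirm the GUID against the management tool before changing or deleting anything.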
 

Author Comment

by:J.R. Sitman
ID: 40234703
OK, making progress.  I definitely found the GPO.  I changed the security permissions.  I opened registry.pol and verified it was the correct policy.  However, it is still not listed in the GPMC.

What else can I try?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234741
Are you opening GPMC on that specific server?
0
 

Author Comment

by:J.R. Sitman
ID: 40244987
Yes, opened it both on the DC and on the computer it was applied to.
0
 

Author Comment

by:J.R. Sitman
ID: 40244995
Is it safe to delete the damaged policy manually from the policy folder? See my post 40234398. That's why I want to delete it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245062
Yes, you can delete it from the folder. It will take a while for the deletion to propagate to other DCs.
0
 

Author Comment

by:J.R. Sitman
ID: 40245070
Thanks. I'll post tomorrow.
0
 

Author Comment

by:J.R. Sitman
ID: 40245099
I'm going to create a test GPO and start over with the original part of this post.  Any suggestions on what I might have done wrong and deleted the GPO?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245104
It looked like you deleted Authenticated Users from security permissions instead of making it not apply to Authenticated Users.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245108
The policy should only apply to Domain Users; that will leave the admins out of it. How are you making it only apply to the 2 servers?
0
 

Author Comment

by:J.R. Sitman
ID: 40245113
Yes, I deleted Authenticated Users. I read the article slower this time. I put the two servers in their own OU.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245127
OK, if they are in their own OU then have it apply to Domain Users and Domain Computers. This will make sure that both User and Computer settings will be applied.
0
 

Author Comment

by:J.R. Sitman
ID: 40245173
So uncheck these and add the others, correct? See attached.
gpo3.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245937
That is not where you apply policies; that is permission security. Wrong screen entirely.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245967
From what I can see in Active Administrator, you should be doing this in Security Group Filters. The only 2 groups the GPO should apply to are:

Domain Users
Domain Computers

Capture.PNG
0
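The security-filtering change suggested in this thread, as an added PowerShell example (not from the original posts and not Active Administrator's own workflow): back up the GPO, grant Apply to the two groups, and lower Authenticated Users to Read instead of deleting its entry, so the GPO stays readable. The GPO name and backup folder are assumed placeholders; the cmdlet names are those of the GroupPolicy module on Windows Server 2012 and later.

```powershell
# Added example. $GpoName and $BackupPath are assumed placeholders.
Import-Module GroupPolicy

$GpoName    = 'Profile Management'   # hypothetical GPO display name
$BackupPath = 'C:\GPOBackups'        # hypothetical folder, chosen by you
$ApplyTo    = 'Domain Users', 'Domain Computers'

# 1. Back up first, so a wrong permission edit can be rolled back with:
#    Restore-GPO -BackupId $backup.Id -Path $BackupPath
if (-not (Test-Path $BackupPath)) {
    New-Item -ItemType Directory -Path $BackupPath | Out-Null
}
$backup = Backup-GPO -Name $GpoName -Path $BackupPath -Comment 'Before filter change'
Write-Output "Backup Id: $($backup.Id)"

# 2. Give the groups that should receive the GPO Read + Apply.
foreach ($group in $ApplyTo) {
    Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# 3. Lower Authenticated Users to Read only. -Replace is needed because
#    Set-GPPermission otherwise will not reduce an existing higher level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify the resulting delegation.
$acl = Get-GPPermission -Name $GpoName -All
$acl | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize

$applyNames = $acl | Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
if ($applyNames -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users still has Apply; filtering is not in effect.'
}
if (-not ($acl | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })) {
    Write-Warning 'Authenticated Users has no entry; restore Read access.'
}
```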
 

Author Comment

by:J.R. Sitman
ID: 40246796
ok, got it figured out.  See attached. However, the GPO is still getting on the computer when I log on as Administrator.  I ran Gpresult /r and it is listed.
filter-security.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246801
Is the account you are logging in with part of the Domain Users group?
0
 

Author Comment

by:J.R. Sitman
ID: 40246817
I just double-checked and no, it is not.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246843
On the server you will need to do a gpupdate /force and possibly a restart before doing a gpresult /r to see the changes.
0
 

Author Comment

by:J.R. Sitman
ID: 40246849
I did that.  It showed the GPO was applied to the computer I logged into.  I don't want it applied to Administrator user.
0
 

Author Comment

by:J.R. Sitman
ID: 40246860
No idea what you're suggesting.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246854
If it's a computer configuration then you need to do item-level targeting.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246869
gpo.PNG
Are the settings under Computer Configuration or User Configuration? Depending on what they are under, depends on how you have to do it. I would suggest reading up on Active Administrator, Group Policy, and how policies are applied to computers and users.
0
 

Author Comment

by:J.R. Sitman
ID: 40246917
Computer.  See attached.  These are what I'm trying to manage.  How did you "paste" into the post?
gpo-settings.png
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 500 total points
ID: 40246953
That setting is under Computer Configuration > Policies > Administrative Templates > System > User Profiles

This setting cannot be applied to only certain users. It will apply to all users who login no matter what.

If you can find similar settings under User Configuration > Policies > Administrative Templates > System > User Profiles, then they would only apply to Domain Users, but the way that policy is made will not allow it to apply to specific users.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246960
Also, to embed a picture, choose embed on the picture once you upload it.

embed.PNG
gpo.PNG
0
 

Author Comment

by:J.R. Sitman
ID: 40246977
OK, well, we've solved that. Thanks for hanging in there.
0
 

Author Closing Comment

by:J.R. Sitman
ID: 40246979
Thanks
0
