Solved

How do you add exclusions to a GPO

Posted on 2014-07-31
Last Modified: 2014-08-07
I have a GPO that is linked to 2 servers.  It applies a Profile management software to all users that log on to either server.  I want to have it "not" apply to the Administrators log in.

How?
Question by:J.R. Sitman
 
LVL 70

Expert Comment

by:KCTS
ID: 40232155
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40232211
Remove Authenticated Users from Security Filtering and just add Domain Users or whatever group needs to have the GPO applied.
0
 

Author Comment

by:J.R. Sitman
ID: 40233121
I'll try to get to this tonight after I read the article.
0

 

Author Comment

by:J.R. Sitman
ID: 40233290
I changed the Security settings and now the entire GPO is gone.  How is that possible? Can it be restored?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233299
Where did you remove Authenticated Users from? Can you send a screenshot of it? It sounds like you removed it from the wrong area entirely.
0
 

Author Comment

by:J.R. Sitman
ID: 40233308
I use Active Administrator to manage the GPOs.  See screenshot.  I chose to modify Security Filters.  I added Domain Users and removed Authenticated Users.
AA.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233311
You are probably going to have to use the standard Group Policy Management to add Authenticated Users back. I've never used Active Administrator. I have no idea how it works or manages policies.
0
 

Author Comment

by:J.R. Sitman
ID: 40233319
The GPO isn't even there.  Is there a restore option in GPM?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233327
There is a backup option that you can restore from if it is available.

http://technet.microsoft.com/en-us/library/cc755173.aspx
0
 

Author Comment

by:J.R. Sitman
ID: 40233333
Do you have any idea where the backups would default to?  Or what would be the name of the backup file?    Or the extension?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40233337
I'm not sure where it would default to. Does Active Administrator have a backup option?

The policy may not be showing up because it looks like you removed Authenticated Users from standard security. Do you have a domain admin account that is also in the domain users group? Try to open Group Policy Management with an account that is in the Domain Users group and see if the policy is listed in there.
0
 

Author Comment

by:J.R. Sitman
ID: 40234398
I ran Gpresult /r, see attached.  Any way to unfilter it?
gpo-filtered.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234412
Were you ever able to get the GPO to show back up in management?
0
 

Author Comment

by:J.R. Sitman
ID: 40234417
no
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234420
Did you try and open Group Policy Management with an account that is part of the Domain Users group?
0
 

Author Comment

by:J.R. Sitman
ID: 40234434
Yes, it still doesn't show.  If I could find the default backup folder, then maybe I could restore it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234485
You will need to find the group policy that isn't showing in C:\Windows\Sysvol\{Domain}\Policies\ on the server. All of the policies are listed by GUID. You can probably find it by trying to open each folder; whichever one does not allow you to open it is probably the one in question. You can also compare the GUID to the Unique ID in Active Administrator.

Once it is found, you can modify the permissions on the folder to re-add Authenticated Users. If it does not allow you to change the permissions, you must take ownership of the folder. Once it is listed in GPMC again you can edit it how you normally would.
0
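The GUID comparison described in the comment above can be scripted. This is an added example, not part of the original thread; it assumes the RSAT GroupPolicy module is installed and reads the policies through the domain's SYSVOL share rather than the local C:\Windows path.

```powershell
# Added example: compare GPO folders in SYSVOL with the GPOs the current
# account can see through the GroupPolicy module.
Import-Module GroupPolicy

$Domain       = $env:USERDNSDOMAIN                    # assumption: run as a domain account
$PoliciesPath = "\\$Domain\SYSVOL\$Domain\Policies"   # assumption: default SYSVOL share layout

# Map of {GUID} -> display name for every GPO this account is allowed to read.
$known = @{}
Get-GPO -All | ForEach-Object {
    $known["{$($_.Id)}".ToUpper()] = $_.DisplayName
}

# Walk the GUID-named folders and record whether each one opens and whether
# Get-GPO listed a matching GPO.
$report = Get-ChildItem -Path $PoliciesPath -Directory |
    Where-Object Name -match '^\{[0-9A-Fa-f-]{36}\}$' |
    ForEach-Object {
        $readable = $true
        try {
            Get-ChildItem -Path $_.FullName -ErrorAction Stop | Out-Null
        } catch {
            $readable = $false   # access denied on the folder itself
        }
        $key = $_.Name.ToUpper()
        [pscustomobject]@{
            Guid           = $_.Name
            DisplayName    = $known[$key]
            ListedByGetGPO = $known.ContainsKey($key)
            FolderReadable = $readable
        }
    }

# Rows that are not listed or not readable sort to the top.
$report | Sort-Object ListedByGetGPO, FolderReadable | Format-Table -AutoSize
```

A folder that exists in SYSVOL but is not listed by Get-GPO is either orphaned or belongs to a GPO whose Active Directory object the current account cannot read, so fixing the folder permissions alone does not make it reappear in GPMC.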
 

Author Comment

by:J.R. Sitman
ID: 40234703
OK, making progress.  I definitely found the GPO.  I changed the security permissions.  I opened registry.pol and verified it was the correct policy.  However, it is still not listed in the GPMC.

What else can I try?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40234741
Are you opening GPMC on that specific server?
0
 

Author Comment

by:J.R. Sitman
ID: 40244987
Yes, opened it both on the DC and on the computer it was applied to.
0
 

Author Comment

by:J.R. Sitman
ID: 40244995
Is it safe to delete the damaged policy manually from the policy folder?  See my post 40234398.  That's why I want to delete it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245062
Yes, you can delete it from the folder. It will take a while for the deletion to propagate to other DCs.
0
 

Author Comment

by:J.R. Sitman
ID: 40245070
thanks.  I'll post tomorrow
0
 

Author Comment

by:J.R. Sitman
ID: 40245099
I'm going to create a test GPO and start over with the original part of this post.  Any suggestions on what I might have done wrong and deleted the GPO?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245104
It looked like you deleted Authenticated Users from security permissions instead of making it not apply to Authenticated Users.
0
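The difference described in the comment above, between removing Authenticated Users from the GPO's permissions and only stopping the GPO from applying to them, looks like this with the standard GroupPolicy cmdlets. This is an added example, not part of the original thread; the GPO name and backup folder are hypothetical placeholders.

```powershell
# Added example: change security filtering without deleting the
# Authenticated Users entry from the GPO's permissions.
Import-Module GroupPolicy

$GpoName    = 'Profile Management - Test'   # hypothetical GPO name
$BackupPath = 'C:\GPOBackups'               # hypothetical backup folder

# 1. Take a backup first so there is something to restore from.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -Name $GpoName -Path $BackupPath -Comment 'Before security filtering change'

# 2. Downgrade Authenticated Users from Apply to Read. -Replace removes the
#    existing Apply level; the entry itself stays, so the GPO remains readable.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Grant Apply to the groups that should process the GPO.
foreach ($group in 'Domain Users', 'Domain Computers') {
    Set-GPPermission -Name $GpoName -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply
}

# 4. Review the resulting permissions before relying on them.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize

# If the result is wrong, the backup from step 1 can be restored with:
#   Restore-GPO -Name $GpoName -Path $BackupPath
```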
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245108
The policy should only apply to Domain Users, that will leave the admins out of it. How are you making it only apply to the 2 servers?
0
 

Author Comment

by:J.R. Sitman
ID: 40245113
Yes, I deleted Authenticated Users.  I read the article slower this time.  I put the two servers in their own OU.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245127
Ok, if they are in their own OU then have it apply to Domain Users and Domain computers. This will make sure that both User and Computer settings will be applied.
0
 

Author Comment

by:J.R. Sitman
ID: 40245173
So uncheck these and add the others, correct?  See attached.
gpo3.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245937
That is not where you apply policies; that is permission security. Wrong screen entirely.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40245967
From what I can see in Active Administrator, you should be doing this in Security Group Filters. The only 2 groups the GPO should apply to are

Domain Users
Domain Computers

Capture.PNG
0
 

Author Comment

by:J.R. Sitman
ID: 40246796
OK, got it figured out.  See attached. However, the GPO is still getting on the computer when I log on as Administrator.  I ran Gpresult /r and it is listed.
filter-security.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246801
Is the account you are logging in with part of the Domain Users group?
0
 

Author Comment

by:J.R. Sitman
ID: 40246817
I just double-checked and no, it is not.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246843
On the server you will need to do a gpupdate /force and possibly a restart before doing a gpresult /r to see the changes.
0
 

Author Comment

by:J.R. Sitman
ID: 40246849
I did that.  It showed the GPO was applied to the computer I logged into.  I don't want it applied to Administrator user.
0
 

Author Comment

by:J.R. Sitman
ID: 40246860
no idea what you're suggesting
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246854
If it's a computer configuration then you need to do item-level targeting.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246869
gpo.PNG
Are the settings under Computer Configuration or User Configuration? Depending on what they are under, depends on how you have to do it. I would suggest reading up on Active Administrator, Group Policy, and how policies are applied to computers and users.
0
 

Author Comment

by:J.R. Sitman
ID: 40246917
Computer.  See attached.  These are what I'm trying to manage.  How did you "paste" into the post?
gpo-settings.png
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 2000 total points
ID: 40246953
That setting is under Computer Configuration > Policies > Administrative Templates > System > User Profiles

This setting cannot be applied to only certain users. It will apply to all users who login no matter what.

If you can find similar settings under User Configuration > Policies > Administrative Templates > System > User Profiles, then they would only apply to Domain Users, but the way that policy is made will not allow it to apply to specific users.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40246960
Also, to embed a picture, choose embed on the picture once you upload it.

embed.PNG
gpo.PNG
0
 

Author Comment

by:J.R. Sitman
ID: 40246977
OK, well, we've solved that.  Thanks for hanging in there.
0
 

Author Closing Comment

by:J.R. Sitman
ID: 40246979
Thanks
0
