Solved

How do you add exclusions to a GPO?

Posted on 2014-07-31
Last Modified: 2014-08-07
I have a GPO that is linked to 2 servers.  It applies a Profile management software to all users that log on to either server.  I want to have it "not" apply to the Administrators log in.

How?
0
Question by:jrsitman
 
LVL 70

Expert Comment

by:KCTS
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Remove Authenticated Users from Security Filtering and just add Domain Users or whatever group needs to have the GPO applied.
0
 

Author Comment

by:jrsitman
I'll try to get to this tonight after I read the article.
0
 

Author Comment

by:jrsitman
I changed the Security settings and now the entire GPO is gone.  How is that possible? Can it be restored?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Where did you remove Authenticated Users from? Can you send a screenshot of it? It sounds like you removed it from the wrong area entirely.
0
 

Author Comment

by:jrsitman
I use Active Administrator to manage the GPOs.  See screenshot.  I chose to modify Security Filters.  I added Domain Users and removed Authenticated Users.
AA.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
You are probably going to have to use the standard Group Policy Management to add Authenticated Users back. I've never used Active Administrator. I have no idea how it works or manages policies.
0
 

Author Comment

by:jrsitman
The GPO isn't even there.  Is there a restore option in GPM?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
There is a backup option that you can restore from if it is available.

http://technet.microsoft.com/en-us/library/cc755173.aspx
0
 

Author Comment

by:jrsitman
Do you have any idea where the backups would default to?  Or what would be the name of the backup file?    Or the extension?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
I'm not sure where it would default to. Does Active Administrator have a backup option?

The policy may not be showing up because it looks like you removed Authenticated Users from standard security. Do you have a domain admin account that is also in the domain users group? Try to open Group Policy Management with an account that is in the Domain Users group and see if the policy is listed in there.
0
 

Author Comment

by:jrsitman
I ran Gpresult /r, see attached.  Any way to unfilter it?
gpo-filtered.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Were you ever able to get the GPO to show back up in management?
0
 

Author Comment

by:jrsitman
No.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Did you try to open Group Policy Management with an account that is part of the Domain Users group?
0
 

Author Comment

by:jrsitman
Yes, it still doesn't show.  If I could find the default backup folder, then maybe I could restore it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
You will need to find the group policy that isn't showing in C:\Windows\Sysvol\{Domain}\Policies\ on the server. All of the policies are listed by GUID. You can probably find it by trying to open each folder; whichever one does not allow you to open it is probably the one in question. You can also compare the GUID to the Unique ID in Active Administrator.

Once it is found, you can modify the permissions on the folder to re-add Authenticated Users. If it does not allow you to change the permissions, you must take ownership of the folder. Once it is listed in GPMC again you can edit it how you normally would.
0
 

Author Comment

by:jrsitman
OK, making progress.  I definitely found the GPO.  I changed the security permissions.  I opened registry.pol and verified it was the correct policy.  However, it is still not listed in the GPMC.

What else can I try?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Are you opening GPMC on that specific server?
0
 

Author Comment

by:jrsitman
Yes, opened it both on the DC and on the computer it was applied to.
0
 

Author Comment

by:jrsitman
Is it safe to delete the damaged policy manually from the policy folder?  See my post 40234398.  That's why I want to delete it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Yes, you can delete it from the folder. It will take a while for the deletion to propagate to other DCs.
0

 

Author Comment

by:jrsitman
Thanks.  I'll post tomorrow.
0
 

Author Comment

by:jrsitman
I'm going to create a test GPO and start over with the original part of this post.  Any suggestions on what I might have done wrong and deleted the GPO?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
It looked like you deleted Authenticated Users from security permissions instead of making it not apply to Authenticated Users.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
The policy should only apply to Domain Users; that will leave the admins out of it. How are you making it only apply to the 2 servers?
0
 

Author Comment

by:jrsitman
Yes, I deleted Authenticated Users.  I read the article slower this time.  I put the two servers in their own OU.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
OK, if they are in their own OU then have it apply to Domain Users and Domain Computers. This will make sure that both User and Computer settings will be applied.
0
 

Author Comment

by:jrsitman
So uncheck these and add the others, correct?  See attached.
gpo3.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
That is not where you apply policies; that is permission security. Wrong screen entirely.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
From what I can see in Active Administrator, you should be doing this in Security Group Filters. The only 2 groups the GPO should apply to are:

Domain Users
Domain Computers

Capture.PNG
0
 

Author Comment

by:jrsitman
OK, got it figured out.  See attached. However, the GPO is still getting on the computer when I log on as Administrator.  I ran Gpresult /r and it is listed.
filter-security.png
0
 
LVL 16

Expert Comment

by:Joshua Grantom
Is the account you are logging in with part of the Domain Users group?
0
 

Author Comment

by:jrsitman
I just double-checked and no, it is not.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
On the server you will need to do a gpupdate /force and possibly a restart before doing a gpresult /r to see the changes.
0
 

Author Comment

by:jrsitman
I did that.  It showed the GPO was applied to the computer I logged into.  I don't want it applied to Administrator user.
0
 

Author Comment

by:jrsitman
No idea what you're suggesting.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
If it's a computer configuration then you need to do item-level targeting.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
gpo.PNG
Are the settings under Computer Configuration or User Configuration? How you have to do it depends on what they are under. I would suggest reading up on Active Administrator, Group Policy, and how policies are applied to computers and users.
0
 

Author Comment

by:jrsitman
Computer.  See attached.  These are what I'm trying to manage.  How did you "paste" into the post?
gpo-settings.png
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 500 total points
That setting is under Computer Configuration > Policies > Administrative Templates > System > User Profiles.

This setting cannot be applied to only certain users. It will apply to all users who log in no matter what.

If you can find similar settings under User Configuration > Policies > Administrative Templates > System > User Profiles, then they would only apply to Domain Users, but the way that policy is made will not allow it to apply to specific users.
0
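The two points this thread turns on can be checked from PowerShell: which trustees hold Apply versus Read on the GPO, and whether its settings sit on the Computer or the User side. This is an added example, not code posted by anyone in the thread; the GPO name is a placeholder and the function names are hypothetical.

```powershell
# Added example, not from the thread. Needs the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

function Get-GpoFilterAudit {
    param([Parameter(Mandatory)][string]$Name)
    $gpo   = Get-GPO -Name $Name
    $perms = @(Get-GPPermission -Name $Name -All)
    # Security filtering = trustees at level GpoApply (Read + Apply group policy).
    $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
               ForEach-Object { $_.Trustee.Name })
    $all   = @($perms | ForEach-Object { $_.Trustee.Name })
    # DSVersion 0 means that half of the GPO has never been edited.
    $computerSide = $gpo.Computer.DSVersion -gt 0
    $notes = @()
    if ($computerSide) {
        $notes += 'Computer Configuration settings follow the computer account, not the user who logs on.'
    }
    if ($all -notcontains 'Authenticated Users') {
        $notes += 'Authenticated Users has no entry at all (removed rather than lowered to read).'
    }
    [pscustomobject]@{
        Gpo          = $gpo.DisplayName
        Guid         = $gpo.Id          # the {GUID} folder name under SYSVOL Policies
        ComputerSide = $computerSide
        UserSide     = $gpo.User.DSVersion -gt 0
        AppliesTo    = $apply
        Notes        = $notes
    }
}

function Set-GpoFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name,
          [string[]]$ApplyTo = @('Domain Users', 'Domain Computers'))
    if (-not $PSCmdlet.ShouldProcess($Name, 'Change security filtering')) { return }
    foreach ($group in $ApplyTo) {
        Set-GPPermission -Name $Name -TargetName $group -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }
    # Lower, do not delete: -Replace is what allows going from GpoApply down to GpoRead.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

# 'Test Profile GPO' is a placeholder name.
Set-GpoFilter -Name 'Test Profile GPO' -WhatIf    # preview only
Get-GpoFilterAudit -Name 'Test Profile GPO' | Format-List
```

On Windows Server 2008 R2 the permission cmdlets are named Get-GPPermissions and Set-GPPermissions.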
 
LVL 16

Expert Comment

by:Joshua Grantom
Also, to embed a picture, choose embed on the picture once you upload it.

embed.PNG
gpo.PNG
0
 

Author Comment

by:jrsitman
OK, well, we've solved that.  Thanks for hanging in there.
0
 

Author Closing Comment

by:jrsitman
Thanks
0
