Solved

How to prevent a group policy from applying to Terminal Server

Posted on 2014-09-15
4
115 Views
Last Modified: 2015-06-27
i need to prevent 1 group policy from applying to server. I have attached a picture of how my group policy's and OU's looks.

in this picture, i need the Terminal Server OU to not apply the group policy called Printers.
However, i need Terminal Server OU to still apply Baseline - Servers GPO and Default Domain Policy GPO

Now the trick here, is that im setting up group policy printers from the User Configuration. So im having an issue blocking those GPO's from applying on the Terminal Server.

How should i do this?
Capture.PNG
0
Comment
Question by:GTechForce
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 25

Expert Comment

by:Sekar Chinnakannu
ID: 40324517
Create two separate OU's and link the policies based on your requirement. In your scenario create Terminal Server OU and  link Baseline - Servers GPO and Default Domain Policy GPO etc... If need you can block the inheritance too.
0
 
LVL 23

Accepted Solution

by:
yo_bee earned 500 total points
ID: 40329526
Are these User's or Computer settings?
That was not stated in the question. What setting/settings are you looking to not apply?
This will determine how to address the request.

1: If this is computer based setting and it needs to apply to other servers or computers you can link the GPO to the OU that has the clients computer and server, while your TS servers must reside in an OU at the same level as the Computers and Servers. Your TS OU needs to be moved up one level.
Link the GPO to Computers and Servers, but not to the TS OU.
If you are dealing with a single TS or even a few you can us WMI filter if your servers have a similar naming pattern.  FirmTS01 and FirmTS02  you can create a WMI filter that looks like this.

Select * from Win32_ComputerSystem where name not like 'FirmTS%'  

Open in new window


Another is to deny apply GPO :  

Click on the GPO and select the Delegates Tab > Click Advance Button in the lower right corner.
Then Add the computer object and deny Apply GPO
This setting can be applied to Computer, Users or Groups.
123456
Now if you are dealing with a user setting you will need to leverage loop.
Figure how to reverse the setting/settings that apply to computers and server.

Group Policy Preferences (GPP)
http://www.experts-exchange.com/Software/Server_Software/Active_Directory/A_11321-Deploying-Printers-using-Group-Policy-Preferences.html
This article explains how to leverage GPP and Item Level Targeting.
You can modify the filter by changing Security Group and select ComputerName and apply Name Not Like FirmTS*

Thanks
Mike
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40854380
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

An article on effective troubleshooting
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question