Solved

Group Policy - Deny Enforcement on Certain Computers

Posted on 2014-12-22
4
324 Views
Last Modified: 2014-12-22
I have a Windows Server 2008 R2 domain that I also have a custom group policy enforced. However, I do not want it to apply to any of the servers on the domain. I followed this Microsoft article for instructions: http://support.microsoft.com/kb/816100
1) I created a security group and added all of the servers to it (by name).
2) Under "Group Policy Management", I expanded "Group Policy Objects", highlighted the group policy I'm working with, and went to Delegation. I then clicked "Advanced", added the security group from step 1, and clicked "Deny" next to "Apply group policy". The window even put up an error that said deny would take precedence over allow, which I want in this case. So I confirmed and OK'ed out of all open windows.

However, all servers are still applying the group policy. Is there a bug or something I did wrong?
0
Comment
Question by:street9009
  • 2
  • 2
4 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 40512960
Hi.

"something I did wrong" - it depends if we are talking about a user or a computer GPO. If the config was done inside the user part, then it applies to users and denying it to servers then has no effect for users logging on to those servers.

But if your GPO distributes computer config settings, then what you did is correct. If still those settings apply, then either you have not run gpupdate on those servers or the policy settings are of a type that tattoo the registry.
More to follow after your feedback.
0
 

Author Comment

by:street9009
ID: 40513083
Okay that does make sense. I went over the "Settings" screen for the group policy and it does have some things defined under "User" and others under "Computer". The ones I could copy from "User" to "Computer" I did, but some policy settings aren't available under both "Computer Configuration" and "User Configuration".

Also, it appears that some that are defined under "Computer" are still applying anyway (ex.- policy to disable certain services). The one that I'm testing with right now is a Printer policy that puts a printer on every PC. That is only available under "User Configuration". I can disable it from applying to Administrator, which makes sense, but there is one Terminal Server that we'd like it not to apply to which any user can log in to.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40513148
The printer deployment policies are available in computer configuration, too.
You problem, applying user settings based on what machine the user logs on to, can be solved in two ways in addition: we can use GPO WMI filtering or group policy preferences' option of item level targeting (which is nothing but WMI filtering simplified), but we cannot do all settings with group policy preferences - but many.
If that is still not enough, you can look at what is called GPO loopback processing (LBP) which would mean to enable LBP at the terminal server and tell it not to use the user policy but the settings for users configured right at the server - this is very easy to do.
0
 

Author Closing Comment

by:street9009
ID: 40513455
You're right, I was looking in the wrong place. All but a few settings I can move to Computer Configuration as opposed to User Configuration and the ones that are left are of no consequence to the servers so that seems to work.

Thanks for your help!
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AD RMS - Exchange 2010 3 37
AD LDAP LDS 3 47
cant install rsat on win 7 13 43
active directory 6 74
OfficeMate Freezes on login or does not load after login credentials are input.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now