Group Policy - Deny Enforcement on Certain Computers

Posted on 2014-12-22
Last Modified: 2014-12-22
I have a Windows Server 2008 R2 domain on which I also have a custom group policy enforced. However, I do not want it to apply to any of the servers on the domain. I followed this Microsoft article for instructions: http://support.microsoft.com/kb/816100
1) I created a security group and added all of the servers to it (by name).
2) Under "Group Policy Management", I expanded "Group Policy Objects", highlighted the group policy I'm working with, and went to Delegation. I then clicked "Advanced", added the security group from step 1, and clicked "Deny" next to "Apply group policy". The window even put up an error that said deny would take precedence over allow, which I want in this case. So I confirmed and OK'ed out of all open windows.

However, all servers are still applying the group policy. Is there a bug or something I did wrong?
Question by:street9009

Expert Comment

by:McKnife
ID: 40512960
Hi.

"something I did wrong" - it depends if we are talking about a user or a computer GPO. If the config was done inside the user part, then it applies to users and denying it to servers then has no effect for users logging on to those servers.

But if your GPO distributes computer config settings, then what you did is correct. If those settings still apply, then either you have not run gpupdate on those servers or the policy settings are of a type that tattoo the registry.
More to follow after your feedback.

Author Comment

by:street9009
ID: 40513083
Okay that does make sense. I went over the "Settings" screen for the group policy and it does have some things defined under "User" and others under "Computer". The ones I could copy from "User" to "Computer" I did, but some policy settings aren't available under both "Computer Configuration" and "User Configuration".

Also, it appears that some that are defined under "Computer" are still applying anyway (e.g., a policy to disable certain services). The one that I'm testing with right now is a Printer policy that puts a printer on every PC. That is only available under "User Configuration". I can disable it from applying to Administrator, which makes sense, but there is one Terminal Server that we'd like it not to apply to which any user can log in to.

Accepted Solution

by:McKnife
ID: 40513148
The printer deployment policies are available in computer configuration, too.
Your problem, applying user settings based on what machine the user logs on to, can additionally be solved in two ways: we can use GPO WMI filtering or group policy preferences' option of item-level targeting (which is nothing but WMI filtering simplified). We cannot do all settings with group policy preferences, but many.
If that is still not enough, you can look at what is called GPO loopback processing (LBP), which would mean enabling LBP at the terminal server and telling it not to use the user policy but the settings for users configured right at the server. This is very easy to do.
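
A check for the situation discussed in this thread, added here as an example and not code from any of the posters: it reports which sides of a GPO hold settings, whether the group has a denied entry on the GPO, and whether user-side settings will still reach users on the denied machines. The function name, the GPO name and the group name are placeholders; it assumes PowerShell 3.0 or later on a management workstation with the RSAT GroupPolicy and ActiveDirectory modules.

```powershell
# Added example. Test-GpoDenyScope, 'Custom Domain Policy' and
# 'GPO-Deny-Servers' are hypothetical names, not taken from the thread.
# On Server 2008 R2 itself the cmdlet is named Get-GPPermissions.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoDenyScope {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,   # GPO being filtered
        [Parameter(Mandatory = $true)] [string] $DenyGroup  # group denied "Apply group policy"
    )

    $gpo = Get-GPO -Name $GpoName

    # A directory version of 0 means no setting was ever saved on that side.
    $hasComputer = $gpo.Computer.DSVersion -gt 0
    $hasUser     = $gpo.User.DSVersion -gt 0
    $userEnabled = $gpo.GpoStatus -notin 'UserSettingsDisabled', 'AllSettingsDisabled'

    # Delegation entries on the GPO that name the group.
    $entries = @(Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Trustee.Name -eq $DenyGroup })

    # Kinds of objects the group contains (computer, user, group).
    $classes = @(Get-ADGroupMember -Identity $DenyGroup |
        Select-Object -ExpandProperty objectClass -Unique)

    [pscustomobject]@{
        Gpo                = $gpo.DisplayName
        GpoStatus          = $gpo.GpoStatus
        ComputerSettings   = $hasComputer
        UserSettings       = $hasUser
        GroupEntryFound    = $entries.Count -gt 0
        GroupEntryDenied   = [bool]($entries | Where-Object { $_.Denied })
        GroupMemberClasses = $classes -join ','
        # User-side settings are filtered against the user account, so a
        # group holding only computer accounts does not stop them.
        UserSettingsStillApply = $hasUser -and $userEnabled -and
                                 ($classes -notcontains 'user')
    }
}

Test-GpoDenyScope -GpoName 'Custom Domain Policy' -DenyGroup 'GPO-Deny-Servers'
```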

Author Closing Comment

by:street9009
ID: 40513455
You're right, I was looking in the wrong place. All but a few settings I can move to Computer Configuration as opposed to User Configuration, and the ones that are left are of no consequence to the servers, so that seems to work.

Thanks for your help!