Solved

Group Policy - Deny Enforcement on Certain Computers

Posted on 2014-12-22
Last Modified: 2014-12-22
I have a Windows Server 2008 R2 domain on which I also have a custom group policy enforced. However, I do not want it to apply to any of the servers on the domain. I followed this Microsoft article for instructions: http://support.microsoft.com/kb/816100
1) I created a security group and added all of the servers to it (by name).
2) Under "Group Policy Management", I expanded "Group Policy Objects", highlighted the group policy I'm working with, and went to Delegation. I then clicked "Advanced", added the security group from step 1, and clicked "Deny" next to "Apply group policy". The window even put up an error that said deny would take precedence over allow, which I want in this case. So I confirmed and OK'ed out of all open windows.

However, all servers are still applying the group policy. Is there a bug or something I did wrong?
Question by:street9009

Expert Comment

by:McKnife
ID: 40512960
Hi.

"something I did wrong" - it depends if we are talking about a user or a computer GPO. If the config was done inside the user part, then it applies to users and denying it to servers then has no effect for users logging on to those servers.

But if your GPO distributes computer config settings, then what you did is correct. If those settings still apply, then either you have not run gpupdate on those servers or the policy settings are of a type that tattoo the registry.
More to follow after your feedback.
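A way to check which half of the GPO actually carries settings, following the user/computer distinction in the comment above (added example, not part of the thread). It uses the GroupPolicy module's `Get-GPO` and `Get-GPOReport` cmdlets from a machine with GPMC installed; the GPO name and the function name are placeholders.

```powershell
# Added example. The GPO name is a placeholder, not a value from the thread.
Import-Module GroupPolicy

$GpoName = 'Custom Domain Policy'   # hypothetical display name

function Get-GpoSideSummary {
    param([Parameter(Mandatory = $true)][string]$Name)

    $gpo = Get-GPO -Name $Name -ErrorAction Stop
    # The XML report has one ExtensionData node per client-side extension
    # (Registry, Security, Printers, ...) with settings on that side.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    foreach ($side in 'Computer', 'User') {
        $extensions = @($report.GPO.$side.ExtensionData |
            Where-Object { $_ } | ForEach-Object { $_.Name })

        New-Object PSObject -Property @{
            Side       = $side
            Enabled    = $gpo.$side.Enabled
            DSVersion  = $gpo.$side.DSVersion   # 0 = this half was never edited
            Extensions = $extensions -join ', '
        }
    }
}

$summary = Get-GpoSideSummary -Name $GpoName
$summary | Format-Table Side, Enabled, DSVersion, Extensions -AutoSize

# Deny "Apply group policy" on a group of computer accounts only filters the
# Computer half. User settings are filtered by the permissions of the user
# who logs on, so they still reach users on the excluded servers.
$userSide = $summary | Where-Object { $_.Side -eq 'User' }
if ($userSide.Enabled -and $userSide.Extensions) {
    Write-Warning ("'{0}' has user-side settings ({1}); the computer-group deny does not block them." -f $GpoName, $userSide.Extensions)
}

# On one of the servers, after 'gpupdate /force', confirm the computer side:
#   gpresult /scope computer /r
# The GPO should be listed as filtered out with "Denied (Security)".
```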
 

Author Comment

by:street9009
ID: 40513083
Okay that does make sense. I went over the "Settings" screen for the group policy and it does have some things defined under "User" and others under "Computer". The ones I could copy from "User" to "Computer" I did, but some policy settings aren't available under both "Computer Configuration" and "User Configuration".

Also, it appears that some that are defined under "Computer" are still applying anyway (ex.- policy to disable certain services). The one that I'm testing with right now is a Printer policy that puts a printer on every PC. That is only available under "User Configuration". I can disable it from applying to Administrator, which makes sense, but there is one Terminal Server that we'd like it not to apply to which any user can log in to.

Accepted Solution

by:
McKnife earned 500 total points
ID: 40513148
The printer deployment policies are available in computer configuration, too.
Your problem, applying user settings based on what machine the user logs on to, can be solved in two additional ways: we can use GPO WMI filtering or group policy preferences' option of item level targeting (which is nothing but WMI filtering simplified), but we cannot do all settings with group policy preferences - but many.
If that is still not enough, you can look at what is called GPO loopback processing (LBP) which would mean to enable LBP at the terminal server and tell it not to use the user policy but the settings for users configured right at the server - this is very easy to do.
 

Author Closing Comment

by:street9009
ID: 40513455
You're right, I was looking in the wrong place. All but a few settings I can move to Computer Configuration as opposed to User Configuration and the ones that are left are of no consequence to the servers so that seems to work.

Thanks for your help!