Solved

Group Policy - Deny Enforcement on Certain Computers

Posted on 2014-12-22
Last Modified: 2014-12-22
I have a Windows Server 2008 R2 domain on which I also have a custom group policy enforced. However, I do not want it to apply to any of the servers on the domain. I followed this Microsoft article for instructions: http://support.microsoft.com/kb/816100
1) I created a security group and added all of the servers to it (by name).
2) Under "Group Policy Management", I expanded "Group Policy Objects", highlighted the group policy I'm working with, and went to Delegation. I then clicked "Advanced", added the security group from step 1, and clicked "Deny" next to "Apply group policy". The window even put up an error that said deny would take precedence over allow, which I want in this case. So I confirmed and OK'ed out of all open windows.

However, all servers are still applying the group policy. Is there a bug or something I did wrong?
Question by:street9009
4 Comments

Expert Comment

by:McKnife
Hi.

"something I did wrong" - it depends on whether we are talking about a user or a computer GPO. If the config was done inside the user part, then it applies to users, and denying it to servers then has no effect for users logging on to those servers.

But if your GPO distributes computer config settings, then what you did is correct. If those settings still apply, then either you have not run gpupdate on those servers or the policy settings are of a type that tattoos the registry.
More to follow after your feedback.

Author Comment

by:street9009
Okay that does make sense. I went over the "Settings" screen for the group policy and it does have some things defined under "User" and others under "Computer". The ones I could copy from "User" to "Computer" I did, but some policy settings aren't available under both "Computer Configuration" and "User Configuration".

Also, it appears that some that are defined under "Computer" are still applying anyway (ex.- policy to disable certain services). The one that I'm testing with right now is a Printer policy that puts a printer on every PC. That is only available under "User Configuration". I can disable it from applying to Administrator, which makes sense, but there is one Terminal Server that we'd like it not to apply to which any user can log in to.

Accepted Solution

by: McKnife (earned 500 total points)
The printer deployment policies are available in computer configuration, too.
Your problem, applying user settings based on what machine the user logs on to, can additionally be solved in two ways: we can use GPO WMI filtering or group policy preferences' option of item-level targeting (which is nothing but WMI filtering simplified), but we cannot do all settings with group policy preferences - only many.
If that is still not enough, you can look at what is called GPO loopback processing (LBP) which would mean to enable LBP at the terminal server and tell it not to use the user policy but the settings for users configured right at the server - this is very easy to do.
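The checks the question and the accepted answer walk through (does the Deny on "Apply group policy" really exist for the server group, does the GPO carry user-side settings that the computer-group deny cannot filter, has the server refreshed policy, and is loopback processing configured on the terminal server) can be scripted. The following PowerShell is an added example, not code from the thread or from Microsoft's article; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, and the GPO name, group name and server name are placeholders to replace.

```powershell
# Added example (not from the original thread). Requires the GroupPolicy and
# ActiveDirectory modules (RSAT / GPMC) and read access to the GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Custom Policy'      # placeholder: the GPO being filtered
$DenyGroup = 'GPO-Deny-Servers'   # placeholder: security group that holds the servers
$Server    = 'TS01'               # placeholder: the terminal server from the thread

# 1. Confirm the Deny ACE on "Apply group policy" exists for the group.
#    Get-GPPermission lists each trustee; a deny entry shows
#    Permission = GpoApply with Denied = True.
$perms = Get-GPPermission -Name $GpoName -All
$deny  = $perms | Where-Object {
    $_.Trustee.Name -eq $DenyGroup -and $_.Permission -eq 'GpoApply' -and $_.Denied
}
if ($deny) { "Deny 'Apply group policy' is set for $DenyGroup on '$GpoName'" }
else       { "No deny entry for $DenyGroup on '$GpoName'. Re-check Delegation > Advanced." }

# 2. Is the server actually in the deny group (directly or nested)?
#    Group membership is evaluated from the computer's token, so the server
#    must have rebooted or re-authenticated since it was added.
$serverDn = (Get-ADComputer -Identity $Server).DistinguishedName
$members  = Get-ADGroupMember -Identity $DenyGroup -Recursive |
            Select-Object -ExpandProperty DistinguishedName
"$Server is a member of $DenyGroup: $($members -contains $serverDn)"

# 3. Does the GPO define user-side settings? A deny granted to a group of
#    computers filters the computer; User Configuration settings still apply
#    to whichever user logs on (McKnife's point in the thread).
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$hasUser     = [bool]$report.GPO.User.ExtensionData
$hasComputer = [bool]$report.GPO.Computer.ExtensionData
"User settings defined: $hasUser; Computer settings defined: $hasComputer"

# 4. Loopback processing mode on the server. The policy
#    "Configure user Group Policy loopback processing mode" writes
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
#    (1 = Merge, 2 = Replace). Absent means loopback is not configured.
$mode = Invoke-Command -ComputerName $Server -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
                      -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
}
$modeText = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'not configured' } }
"Loopback processing on ${Server}: $modeText"

# 5. Force a policy refresh on the server, then pull the resultant set of
#    policy to see which GPOs were really applied and which were filtered out.
Invoke-Command -ComputerName $Server -ScriptBlock { gpupdate /target:computer /force }
$rsop = Join-Path $env:TEMP "$Server-rsop.html"
Get-GPResultantSetOfPolicy -Computer $Server -ReportType Html -Path $rsop
"RSoP report written to $rsop"
```

If step 1 shows the deny entry and step 2 shows membership but the RSoP report still lists the GPO as applied, the settings in question are almost certainly under User Configuration (step 3), which is what the accepted answer resolves by moving them to Computer Configuration or by enabling loopback processing in Replace mode on the terminal server (step 4).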

Author Closing Comment

by:street9009
You're right, I was looking in the wrong place. All but a few settings I can move to Computer Configuration as opposed to User Configuration and the ones that are left are of no consequence to the servers so that seems to work.

Thanks for your help!