Solved

Group Policy - Deny Enforcement on Certain Computers

Posted on 2014-12-22
4
347 Views
Last Modified: 2014-12-22
I have a Windows Server 2008 R2 domain that I also have a custom group policy enforced. However, I do not want it to apply to any of the servers on the domain. I followed this Microsoft article for instructions: http://support.microsoft.com/kb/816100
1) I created a security group and added all of the servers to it (by name).
2) Under "Group Policy Management", I expanded "Group Policy Objects", highlighted the group policy I'm working with, and went to Delegation. I then clicked "Advanced", added the security group from step 1, and clicked "Deny" next to "Apply group policy". The window even put up an error that said deny would take precedence over allow, which I want in this case. So I confirmed and OK'ed out of all open windows.

However, all servers are still applying the group policy. Is there a bug or something I did wrong?
0
Comment
Question by:street9009
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40512960
Hi.

"something I did wrong" - it depends if we are talking about a user or a computer GPO. If the config was done inside the user part, then it applies to users and denying it to servers then has no effect for users logging on to those servers.

But if your GPO distributes computer config settings, then what you did is correct. If still those settings apply, then either you have not run gpupdate on those servers or the policy settings are of a type that tattoo the registry.
More to follow after your feedback.
0
 

Author Comment

by:street9009
ID: 40513083
Okay that does make sense. I went over the "Settings" screen for the group policy and it does have some things defined under "User" and others under "Computer". The ones I could copy from "User" to "Computer" I did, but some policy settings aren't available under both "Computer Configuration" and "User Configuration".

Also, it appears that some that are defined under "Computer" are still applying anyway (ex.- policy to disable certain services). The one that I'm testing with right now is a Printer policy that puts a printer on every PC. That is only available under "User Configuration". I can disable it from applying to Administrator, which makes sense, but there is one Terminal Server that we'd like it not to apply to which any user can log in to.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40513148
The printer deployment policies are available in computer configuration, too.
You problem, applying user settings based on what machine the user logs on to, can be solved in two ways in addition: we can use GPO WMI filtering or group policy preferences' option of item level targeting (which is nothing but WMI filtering simplified), but we cannot do all settings with group policy preferences - but many.
If that is still not enough, you can look at what is called GPO loopback processing (LBP) which would mean to enable LBP at the terminal server and tell it not to use the user policy but the settings for users configured right at the server - this is very easy to do.
0
 

Author Closing Comment

by:street9009
ID: 40513455
You're right, I was looking in the wrong place. All but a few settings I can move to Computer Configuration as opposed to User Configuration and the ones that are left are of no consequence to the servers so that seems to work.

Thanks for your help!
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question