Administration of Active Directory does not have to be hard. Too often what should be a simple task is made more difficult than it needs to be.The solution? Hyena from SystemTools Software. With ease-of-use as well as powerful importing and bulk updating capabilities.
How can I apply a Group Policy to all users except the administrator and only on specified computers?
I want to apply a group policy (using a Windows Server 2008 R2 Domain Controller) only to specified computers (either specified by a list of computer names or by specifying all Server 2008 R2 computers) and only for all users that aren't the administrator. Is this possible? How can I do this?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
You can deploy a policy By either "User" or "Computer" from reading the above i would create the GPO around the computer account. Ensure all computers are either in the same container or you will need to apply the policy at top level. If there are multiple computers you would like this to be applied to then Create a Group and add all computers to the named Group for easy management.
When you have build the policy attach it at the top OU level that encompass all computers you would like to manage and then within GPO manager when you have build the policy within the Scope Tab > Security filtering (at the bottom) add the computer group you created here and the policy to have created will apply to all computers within that group.
When you have build the policy attach it at the top OU level that encompass all computers you would like to manage and then within GPO manager when you have build the policy within the Scope Tab > Security filtering (at the bottom) add the computer group you created here and the policy to have created will apply to all computers within that group.
Thomas -
Thank you. That was helpful. I see how to specify all Server 2008 R2 computers, but how would I specify all users that aren't administrator?
Thank you. That was helpful. I see how to specify all Server 2008 R2 computers, but how would I specify all users that aren't administrator?
so there you would need to follow the instruction set from Thomas around the WMI filtering. It may look daunting but have a read of his Link and this should point you in the right direction. You then may need to build the GPO slightly different but the theory base there is good for you.
Are you asking how to check who in AD is not an administrator?
Or do you need to exclude the administrator?
You can make all no admins a group then use WMI filter to select that group
Or do you need to exclude the administrator?
You can make all no admins a group then use WMI filter to select that group
If I put the groups "User List 1" and "Computer List 1" in Security Filtering, will the GPO :
1.) only be applied to a User from "User LIst 1" logging into a computer from "Computer List 1"
or
2.) be applied whenever a user from "User List 1" logs into any computer and whenever any user logs into a computer from "Computer List 1"
or
3.) the computer settings will be applied to any computer in "Computer List 1" and the user settings will be applied to any user in "User List 1"
1.) only be applied to a User from "User LIst 1" logging into a computer from "Computer List 1"
or
2.) be applied whenever a user from "User List 1" logs into any computer and whenever any user logs into a computer from "Computer List 1"
or
3.) the computer settings will be applied to any computer in "Computer List 1" and the user settings will be applied to any user in "User List 1"
That last post was a separate question. Sorry if that made it confusing. To answer your question, I want to just exclude the administrator, but don't want to manually create and maintain a group of every user that isn't an administrator. Is there a way to create a group for "every user but administrator" (i.e. instead of specifying every user that belongs to the group, specify the one user that doesn't belong to the group)? Or would I do that in a select statement via WMI?
you can just exclude the Administrator using WMI
Look at Domain Users group.
We always keep domain admins administrator separate from the users in the domain
Groups are the best way to do that.
Look at Domain Users group.
We always keep domain admins administrator separate from the users in the domain
Groups are the best way to do that.
administrator is a member of "domain users". Are you recommending that I delete administrator from this group? And are you also recommending that any user in the "Domain Admins" group be removed from the "domain users" group?
What would the WMI select statement be to select all users but administrator?
Also, I only want to apply *user settings* to Server 2008 computers (and only if the user isn't administrator). If user filtering is for user setting and computer filtering is for computer settings, I still don't understand how I could make this work. Is it possible?
What would the WMI select statement be to select all users but administrator?
Also, I only want to apply *user settings* to Server 2008 computers (and only if the user isn't administrator). If user filtering is for user setting and computer filtering is for computer settings, I still don't understand how I could make this work. Is it possible?
try something like this
Select * FROM Win32_ComputerSystem WHERE UserName <> "domainName\UserName"
Also no do not remove those users from the default groups
Best to create a new group and put all non admins in that group
HTH
Select * FROM Win32_ComputerSystem WHERE UserName <> "domainName\UserName"
Also no do not remove those users from the default groups
Best to create a new group and put all non admins in that group
HTH
WMI Filters are not the most simplistic approach here. They also slow down the logon process as well as it has to query against machines to see if it matches the query.
Your best bet would be to create a Security Group -> add all of your computers to this new group -> set the security filtering on the GPO to point to the new group -> link the GPO to whatever OU's the computers are in
If they are in multiple different OU's then link it once at the domain level.
Thats it.
Will.
Your best bet would be to create a Security Group -> add all of your computers to this new group -> set the security filtering on the GPO to point to the new group -> link the GPO to whatever OU's the computers are in
If they are in multiple different OU's then link it once at the domain level.
Thats it.
Will.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
see this https://technet.microsoft.com/en-us/library/cc947846(v=ws.10).aspx
HTH