Do not apply GPO to one machine in an OU

Archived from groups: microsoft.public.win2000.active_directory (More info?)

How can I not apply a GPO to one computer in my OU?
4 answers Last reply
More about apply machine
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    1. Create a security group for computers to which you want to apply GPO,
    2. put all but one computer (the one that you don't want GPO to be applied
    to) in that security groups,
    3. edit GPO security settings and remove Authenticated users from reading
    and applying GPO's
    4. Add your security group rights to read and apply GPO

    --
    Regards

    Matjaz Ladava, ladava.com
    MCSA, MCSE, MCT
    Microsoft MVP Windows Server - Directory Services
    e-mail: matjaz@ladava.com, matjazl@mvps.org

    "Greg" <Greg@discussions.microsoft.com> wrote in message
    news:7DFF0537-8ACB-4D5B-A049-3749310500C2@microsoft.com...
    > How can I not apply a GPO to one computer in my OU?
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    On Fri, 11 Feb 2005 17:58:21 +0100, Matjaz Ladava [MVP] wrote:

    > 1. Create a security group for computers to which you want to apply GPO,
    > 2. put all but one computer (the one that you don't want GPO to be applied
    > to) in that security groups,
    > 3. edit GPO security settings and remove Authenticated users from reading
    > and applying GPO's
    > 4. Add your security group rights to read and apply GPO

    Alternatively, and perhaps more simply ...

    1) Create a security group for the computer(s) you don't wish to apply the
    GPO to.
    2) Edit the GPO's delegation tab (Advanced) and Add a Deny Apply for that
    group.

    Cheers,

    Kenny.
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    I usually like to avoid using DENY.......you end up getting a lot of log
    events - among other things.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Kenneth MacDonald" <K.MacDonald@ed.ac.uk> wrote in message
    news:pan.2005.02.14.15.13.09.984506@ed.ac.uk...
    > On Fri, 11 Feb 2005 17:58:21 +0100, Matjaz Ladava [MVP] wrote:
    >
    >> 1. Create a security group for computers to which you want to apply GPO,
    >> 2. put all but one computer (the one that you don't want GPO to be
    >> applied
    >> to) in that security groups,
    >> 3. edit GPO security settings and remove Authenticated users from reading
    >> and applying GPO's
    >> 4. Add your security group rights to read and apply GPO
    >
    > Alternatively, and perhaps more simply ...
    >
    > 1) Create a security group for the computer(s) you don't wish to apply the
    > GPO to.
    > 2) Edit the GPO's delegation tab (Advanced) and Add a Deny Apply for that
    > group.
    >
    > Cheers,
    >
    > Kenny.
    >
    >
  4. If organisation is not very small there is propably coming new computer accounts which all must be added in case that new SG is used instead of auth.users.

    Deny rule works and is steady. It's the reason why denying GPO's is made possible.
Ask a new question

Read More

Computers Microsoft Active Directory Windows