Sign in with
Sign up | Sign in
Your question

Do not apply GPO to one machine in an OU

Last response: in Windows 2000/NT
Share
February 11, 2005 11:41:07 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

How can I not apply a GPO to one computer in my OU?

More about : apply gpo machine

Anonymous
February 11, 2005 8:58:21 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

1. Create a security group for computers to which you want to apply GPO,
2. put all but one computer (the one that you don't want GPO to be applied
to) in that security groups,
3. edit GPO security settings and remove Authenticated users from reading
and applying GPO's
4. Add your security group rights to read and apply GPO

--
Regards

Matjaz Ladava, ladava.com
MCSA, MCSE, MCT
Microsoft MVP Windows Server - Directory Services
e-mail: matjaz@ladava.com, matjazl@mvps.org

"Greg" <Greg@discussions.microsoft.com> wrote in message
news:7DFF0537-8ACB-4D5B-A049-3749310500C2@microsoft.com...
> How can I not apply a GPO to one computer in my OU?
Anonymous
February 14, 2005 6:13:10 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Fri, 11 Feb 2005 17:58:21 +0100, Matjaz Ladava [MVP] wrote:

> 1. Create a security group for computers to which you want to apply GPO,
> 2. put all but one computer (the one that you don't want GPO to be applied
> to) in that security groups,
> 3. edit GPO security settings and remove Authenticated users from reading
> and applying GPO's
> 4. Add your security group rights to read and apply GPO

Alternatively, and perhaps more simply ...

1) Create a security group for the computer(s) you don't wish to apply the
GPO to.
2) Edit the GPO's delegation tab (Advanced) and Add a Deny Apply for that
group.

Cheers,

Kenny.
Related resources
Anonymous
February 14, 2005 10:12:08 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I usually like to avoid using DENY.......you end up getting a lot of log
events - among other things.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Kenneth MacDonald" <K.MacDonald@ed.ac.uk> wrote in message
news:p an.2005.02.14.15.13.09.984506@ed.ac.uk...
> On Fri, 11 Feb 2005 17:58:21 +0100, Matjaz Ladava [MVP] wrote:
>
>> 1. Create a security group for computers to which you want to apply GPO,
>> 2. put all but one computer (the one that you don't want GPO to be
>> applied
>> to) in that security groups,
>> 3. edit GPO security settings and remove Authenticated users from reading
>> and applying GPO's
>> 4. Add your security group rights to read and apply GPO
>
> Alternatively, and perhaps more simply ...
>
> 1) Create a security group for the computer(s) you don't wish to apply the
> GPO to.
> 2) Edit the GPO's delegation tab (Advanced) and Add a Deny Apply for that
> group.
>
> Cheers,
>
> Kenny.
>
>
November 16, 2009 1:33:23 PM

If organisation is not very small there is propably coming new computer accounts which all must be added in case that new SG is used instead of auth.users.

Deny rule works and is steady. It's the reason why denying GPO's is made possible.
!