Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Perhaps I don't understand everything here, but if you use the GPMC
Delegation tab, you can adjust who can do what to the GPO. One of the
available "permissions" is "Apply Group Policy". If this permission is set
to "Deny" for a particular user account or group, the GPO will not be
applied to that user or the members of that group.
1. select the GPO in the left pane of GPMC
2. select the Delegation tab
3. click the Advanced button at the bottom right
4. if the group you want the GPO NOT to apply to is already present select
it. If the group is not present, use the Add button and add it and make it
the selected group
5. add a check mark to the Deny column on the Apply Group Policy row
6. click OK
Now, any member of the group that has Deny - Apply Group Policy setting will
not have the settings in this particular GPO applied to them even if their
user account is in the "Scope" of the GPO.
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp#heading6
describes this approach, but using the default Group Policy tool from Active
Directory and Computers MMC snap-in (that is replaced when GPMC is
installed). My understanding is that the steps above are the GPMC
equivalent steps to what is described in this document.
See also
http://support.microsoft.com/default.aspx?scid=kb;en-us;q315675&sd=tech.
Note that if the user (or users) are in an OU that is NOT in the scope of
the GPO, adjusting the "Apply Group Policy" permission will not have any
affect because the GPO won't be selected for processing for that user in the
first place. You can't force a GPO to be applied to a user via the GPO
permissions, you can only prevent it from applying to users that would
otherwise have it applied because of the user's account location in the OU
hierarchy.
Keep in mind that only the User Configuration settings are applied on a per
user basis. Settings in the Computer Configuration part of a GPO apply to a
computer no matter who logs on at it.
--
Bruce Sanderson MVP
It is perfectly useless to know the right answer to the wrong question.
"Brian Jorgenson" <bjorgenson@charter.net> wrote in message
news:34ec3ea7.0408270859.4d8feea8@posting.google.com...
> "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
> news:<eRK4eC9iEHA.1712@TK2MSFTNGP09.phx.gbl>...
>> Hi Brian
>>
>> I'm not sure what the distinction is. Can you explain the two methods
>> you're attempting to use in more detail?
>
> Here is the scoop: i am using Microsoft's Group Policy Management
> Tool. On the Scope tab where you can use security filterting, it
> specifically says that you can add a group, user, or computer for
> filtering. If I had a group, it does not work. It only works on users
> and computers. If I had builtin groups like Domain Users, Domain
> Admins, then those groups work but any group I create will not work.
> What am I missing?
>>
>> Kind regards
>> --
>> Mark Renoden [MSFT]
>> Windows Platform Support Team
>> Email: markreno@online.microsoft.com
>>
>> Please note you'll need to strip ".online" from my email address to email
>> me; I'll post a response back to the group.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Brian Jorgenson" <bjorgenson@charter.net> wrote in message
>> news:34ec3ea7.0408260712.1b95ec32@posting.google.com...
>> > Kenneth MacDonald <K.MacDonald@ed.ac.uk> wrote in message
>> > news:<pan.2004.08.26.09.33.08.530138@ed.ac.uk>...
>> >> On Thu, 26 Aug 2004 08:35:50 +1000, Mark Renoden [MSFT] wrote:
>> >>
>> >> > Hi Brian
>> >> >
>> >> > You should be able to achieve this by denying Read and Apply for
>> >> > this
>> >> > group.
>> >>
>> >> In fact, denying Apply is enough, and has the benefit that the user
>> >> can
>> >> still read the GPO for reporting and listing/linking.
>> >>
>> >> Cheers,
>> >>
>> >> Kenny.
>> >
>> > What about the issue with security groups not working in the scope
>> > filtering?
Facebook
Twitter
Instagram