Sign in with
Sign up | Sign in
Your question

Block group policy to a single computer?

Last response: in Windows 2000/NT
Share
January 28, 2005 1:00:28 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi folks,
I have a vanilla Windows Server 2003 AD environment / domain, and a
single computer I would like to exempt from my default domain policy.
What's the best way to do that?

Thank you,
Craig
Anonymous
January 28, 2005 6:13:03 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Create an OU and setup the Block Inheritance on that OU. Then just move
your users/computers to that OU

"Craig" wrote:

> Hi folks,
> I have a vanilla Windows Server 2003 AD environment / domain, and a
> single computer I would like to exempt from my default domain policy.
> What's the best way to do that?
>
> Thank you,
> Craig
>
>
January 28, 2005 7:35:17 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

No, it's not a lab environment...it's my network. What about just
denying read access to the policy for that specific computer. I've
heard about that, I'm just not sure how to do it in Server 2003.

Craig
Related resources
Anonymous
January 28, 2005 10:11:22 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Craig,

Why do you want to do this? I assume that this is in a lab environment?

Generally you would create an OU and move the objects in question from the
default location ( USERS for user account objects and COMPUTERS for computer
account objects ) and then make sure to check the 'Block Inheritance' ( if
that is what it is still called in WIN2003 ), as the other poster suggested.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Craig" <craigcaughlin@yahoo.com> wrote in message
news:1106935228.316185.69710@f14g2000cwb.googlegroups.com...
> Hi folks,
> I have a vanilla Windows Server 2003 AD environment / domain, and a
> single computer I would like to exempt from my default domain policy.
> What's the best way to do that?
>
> Thank you,
> Craig
>
Anonymous
January 28, 2005 10:52:13 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I would not use the READ right but the APPLY GROUP POLICY right instead. I
guess that it does not really matter.....

There is a concept called Group Filtering. When you create a Group Policy
there is a special group called the AUTHENTICATED USERS that is given the
READ and APPLY GROUP POLICY rights. You would need to create a security
group and populate it with the objects that you want to fall under the Scope
of Management of that specific GPO and give that security group both rights
already mentioned.

However, it is not really advised that you mess with the DDP and DDCP,
especially if you are new to Group Policy.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Craig" <craigcaughlin@yahoo.com> wrote in message
news:1106958917.882068.191740@f14g2000cwb.googlegroups.com...
> No, it's not a lab environment...it's my network. What about just
> denying read access to the policy for that specific computer. I've
> heard about that, I'm just not sure how to do it in Server 2003.
>
> Craig
>
!