Block group policy to a single computer?

Archived from groups: microsoft.public.win2000.group_policy

Hi folks,
I have a vanilla Windows Server 2003 AD environment / domain, and a
single computer I would like to exempt from my default domain policy.
What's the best way to do that?

Thank you,
Craig
  1.

    Create an OU and set up Block Inheritance on that OU. Then just move
    your users/computers to that OU.

    "Craig" wrote:

    > Hi folks,
    > I have a vanilla Windows Server 2003 AD environment / domain, and a
    > single computer I would like to exempt from my default domain policy.
    > What's the best way to do that?
    >
    > Thank you,
    > Craig
    >
    >
  2.

    No, it's not a lab environment...it's my network. What about just
    denying read access to the policy for that specific computer? I've
    heard about that, I'm just not sure how to do it in Server 2003.

    Craig
  3.

    Craig,

    Why do you want to do this? I assume that this is in a lab environment?

    Generally you would create an OU and move the objects in question from the
    default location ( USERS for user account objects and COMPUTERS for computer
    account objects ) and then make sure to check the 'Block Inheritance' ( if
    that is what it is still called in WIN2003 ), as the other poster suggested.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Craig" <craigcaughlin@yahoo.com> wrote in message
    news:1106935228.316185.69710@f14g2000cwb.googlegroups.com...
    > Hi folks,
    > I have a vanilla Windows Server 2003 AD environment / domain, and a
    > single computer I would like to exempt from my default domain policy.
    > What's the best way to do that?
    >
    > Thank you,
    > Craig
    >
  4.

    I would not use the READ right but the APPLY GROUP POLICY right instead. I
    guess that it does not really matter.....

    There is a concept called Group Filtering. When you create a Group Policy
    there is a special group called the AUTHENTICATED USERS that is given the
    READ and APPLY GROUP POLICY rights. You would need to create a security
    group and populate it with the objects that you want to fall under the Scope
    of Management of that specific GPO and give that security group both rights
    already mentioned.

    However, it is not really advised that you mess with the DDP and DDCP,
    especially if you are new to Group Policy.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Craig" <craigcaughlin@yahoo.com> wrote in message
    news:1106958917.882068.191740@f14g2000cwb.googlegroups.com...
    > No, it's not a lab environment...it's my network. What about just
    > denying read access to the policy for that specific computer. I've
    > heard about that, I'm just not sure how to do it in Server 2003.
    >
    > Craig
    >
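
The two approaches discussed in this thread (an OU with Block Inheritance, and security filtering on the Apply Group Policy right), as an added example that is not part of any post: a simplified Python model of how Group Policy decides which GPOs reach a computer. Every OU, group and GPO name other than Default Domain Policy is hypothetical, and the model assumes only that an Enforced (No Override) link ignores Block Inheritance and that an explicit Deny wins over an Allow.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    allow: set = field(default_factory=lambda: {"Authenticated Users"})  # Read + Apply Group Policy
    deny: set = field(default_factory=set)  # Deny on Apply Group Policy

@dataclass
class Container:  # a domain or an OU
    name: str
    parent: "Container" = None
    links: list = field(default_factory=list)  # (GPO, enforced) pairs
    block_inheritance: bool = False

def effective_gpos(container, member_of):
    """GPO names that apply to a computer in `container`, nearest container first."""
    applied, blocked, node = [], False, container
    while node is not None:
        for gpo, enforced in node.links:
            if blocked and not enforced:
                continue  # cut off by Block Inheritance lower in the tree
            if gpo.deny & member_of:
                continue  # an explicit Deny wins over any Allow
            if gpo.allow & member_of:
                applied.append(gpo.name)
        blocked = blocked or node.block_inheritance
        node = node.parent
    return applied

def demo():
    # Constructed sample directory; every name below is hypothetical.
    ddp = GPO("Default Domain Policy")
    audit = GPO("Baseline Audit")
    domain = Container("example.local", links=[(ddp, False), (audit, True)])
    workstations = Container("Workstations", parent=domain)
    exempt_ou = Container("Exempt", parent=domain, block_inheritance=True)
    computer = {"Authenticated Users", "Domain Computers"}

    normal = effective_gpos(workstations, computer)
    by_ou = effective_gpos(exempt_ou, computer)      # approach 1: Block Inheritance
    ddp.deny.add("GPO-Exempt")                       # approach 2: security filtering
    by_filter = effective_gpos(workstations, computer | {"GPO-Exempt"})
    return normal, by_ou, by_filter

if __name__ == "__main__":
    for label, result in zip(("normal", "blocked OU", "deny ACE"), demo()):
        print(label, "->", result)
```

In this model Block Inheritance does not stop a GPO whose link is Enforced, and a Deny only affects the GPO it is set on.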