+ Post New Thread
Results 1 to 7 of 7
Windows Server 2008 R2 Thread, Block Group Policy on a User only on a particular machine - easier way? in Technical; We're trying to figure out a way to block a particular group policy object from applying to a particular machine ...
  1. #1
    Killer_Bot's Avatar
    Join Date
    Dec 2009
    Location
    Great Britain
    Posts
    69
    Thank Post
    3
    Thanked 13 Times in 12 Posts
    Rep Power
    11

    Block Group Policy on a User only on a particular machine - easier way?

    We're trying to figure out a way to block a particular group policy object from applying to a particular machine only when a particular user logs on to it (too many particulars??!). We've figured ways of doing it by moving users into different OUs or outright denying them the 'apply group policy' permission on a GPO but would much prefer a more viable solution.

    So for example, we have a Staff Redirection Policy in a GPO purely dedicated to the User Side. We want that GPO to apply to Joe Bloggs where-ever he logs on, unless he logs on to a client called 'joe-client'. I've tried denying the client the apply permission but that just stops it applying the computer side of a GPO as opposed to the User side which is no good.

    Does anyone have any ideas?

  2. #2
    Admiral208's Avatar
    Join Date
    Mar 2008
    Location
    Bridgwater
    Posts
    712
    Thank Post
    171
    Thanked 62 Times in 54 Posts
    Rep Power
    39
    could you create another user account that blocks the policy you want. They can then use this account when they log in to said machine.

  3. #3

    Join Date
    Dec 2008
    Location
    Nottingham
    Posts
    569
    Thank Post
    38
    Thanked 114 Times in 104 Posts
    Rep Power
    45
    Random idea - could you create a new GPO targetted to that machine (and the user group required) with User Loopback on replace and replace the relevant bits or create the relevant environment for that machine?

    Cheers

    Will

  4. #4
    Killer_Bot's Avatar
    Join Date
    Dec 2009
    Location
    Great Britain
    Posts
    69
    Thank Post
    3
    Thanked 13 Times in 12 Posts
    Rep Power
    11
    Quote Originally Posted by Willott View Post
    Random idea - could you create a new GPO targetted to that machine (and the user group required) with User Loopback on replace and replace the relevant bits or create the relevant environment for that machine?

    Cheers

    Will
    That's an interesting idea...... would work if I used Replace I'm assuming as the sub OU would take precedence. Will have a look now

  5. #5

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,467
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533
    Not got 2k8 to play with myself yet, but everytime I've asked how to do something similar for 2k3 the answer has been "get 2k8 and use group policy preferences" - can they not be used for this?

  6. #6
    Killer_Bot's Avatar
    Join Date
    Dec 2009
    Location
    Great Britain
    Posts
    69
    Thank Post
    3
    Thanked 13 Times in 12 Posts
    Rep Power
    11
    Quote Originally Posted by sonofsanta View Post
    Not got 2k8 to play with myself yet, but everytime I've asked how to do something similar for 2k3 the answer has been "get 2k8 and use group policy preferences" - can they not be used for this?
    I've only had a brief play with Preferences but for example I used a Preference GPO targetted to a machine to make a user an administrator only on said machine. However I've had issues where other settings made in another GPO (which contains 100s of settings (not my idea!)) such as hide C drive, remove add programs and other general 'lock-down' settings still apply to that user and so restrict alot of the stuff that an admin user should be able to do.

    I've had a play around with Willot's suggestion but that stupid GPO contains so many settings that it'll take me ages to disable those I no longer want applying in another GPO. Did start to work my way through but lost attention after the first 40 or so

  7. #7

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    114
    I don't think there is an easy way round this. I've done something like this by targeting GPPs at the user/machine combination, but those GPPs do have to reverse/relax a lot of lesser precedence GPO (& GPP) settings that they'd get on any other machine.

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 19
    Last Post: 26th June 2013, 09:32 AM
  2. Using Group Policy to allow a user to install software
    By kaphc in forum Windows Server 2000/2003
    Replies: 3
    Last Post: 16th December 2009, 08:37 PM
  3. Group Policy - Set User Desktops and Start Menu's
    By Iain.Faulkner in forum Windows Server 2008
    Replies: 12
    Last Post: 7th September 2009, 10:36 PM
  4. Local Machine Group Policy
    By neilmc in forum Windows
    Replies: 4
    Last Post: 27th August 2009, 10:44 AM
  5. Replies: 4
    Last Post: 12th July 2007, 08:11 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •