Windows Server 2008 R2 Thread, Block Group Policy on a User only on a particular machine - easier way? in Technical
31st January 2011, 12:43 PM #1
Block Group Policy on a User only on a particular machine - easier way?
We're trying to figure out a way to block a particular group policy object from applying to a particular machine only when a particular user logs on to it (too many particulars??!). We've figured ways of doing it by moving users into different OUs or outright denying them the 'apply group policy' permission on a GPO but would much prefer a more viable solution.
So for example, we have a Staff Redirection Policy in a GPO purely dedicated to the User Side. We want that GPO to apply to Joe Bloggs wherever he logs on, unless he logs on to a client called 'joe-client'. I've tried denying the client the apply permission but that just stops it applying the computer side of a GPO as opposed to the User side which is no good.
Does anyone have any ideas?
31st January 2011, 12:45 PM #2
Could you create another user account that blocks the policy you want? They can then use this account when they log in to said machine.
31st January 2011, 12:47 PM #3
Random idea - could you create a new GPO targeted to that machine (and the user group required) with User Loopback on replace and replace the relevant bits or create the relevant environment for that machine?
31st January 2011, 12:51 PM #4
That's an interesting idea...... would work if I used Replace I'm assuming as the sub OU would take precedence. Will have a look now.
31st January 2011, 01:21 PM #5
Not got 2k8 to play with myself yet, but every time I've asked how to do something similar for 2k3 the answer has been "get 2k8 and use group policy preferences" - can they not be used for this?
31st January 2011, 01:32 PM #6
I've only had a brief play with Preferences but for example I used a Preference GPO targeted to a machine to make a user an administrator only on said machine. However I've had issues where other settings made in another GPO (which contains 100s of settings (not my idea!)) such as hide C drive, remove add programs and other general 'lock-down' settings still apply to that user and so restrict a lot of the stuff that an admin user should be able to do.
I've had a play around with Willott's suggestion but that stupid GPO contains so many settings that it'll take me ages to disable those I no longer want applying in another GPO. Did start to work my way through but lost attention after the first 40 or so.
31st January 2011, 07:39 PM #7
I don't think there is an easy way round this. I've done something like this by targeting GPPs at the user/machine combination, but those GPPs do have to reverse/relax a lot of lesser precedence GPO (& GPP) settings that they'd get on any other machine.
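The loopback approach suggested in post #3, written out as an added example that was not posted by anyone in the thread. The GPO name, OU path and report file name are assumptions for illustration; it uses the GroupPolicy module that ships with GPMC on Windows Server 2008 R2.

```powershell
# Added illustration, not code from the thread.
# Assumptions (hypothetical names): joe-client sits alone in its own OU,
# and the GPO name below is not already in use.
Import-Module GroupPolicy

$gpoName = 'Loopback Replace - joe-client'                       # hypothetical
$ouPath  = 'OU=JoeClient,OU=Workstations,DC=example,DC=com'     # hypothetical
$key     = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Create the GPO and link it to the OU that holds the computer object.
New-GPO -Name $gpoName -Comment 'User loopback (Replace) for joe-client' | Out-Null
New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes | Out-Null

# 2. Turn on user group policy loopback processing on the computer side.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# 3. Read the value back so a typo in the key does not go unnoticed.
$check = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserPolicyMode'
if ($check.Value -ne 2) { throw "Loopback Replace was not written to '$gpoName'" }

# 4. Keep a report of what the GPO contains for change review.
Get-GPOReport -Name $gpoName -ReportType Html `
    -Path (Join-Path $env:TEMP 'loopback-joe-client.html')

# Caveats:
# - Loopback is a computer setting, so Replace mode affects EVERY user who
#   logs on to joe-client, not only Joe Bloggs.
# - In Replace mode the user side comes only from GPOs in scope of the
#   computer object. A user GPO linked at the domain root is still in scope;
#   one linked only to the users' OU is not.
# - Any user settings still wanted on this machine must be added to the
#   User Configuration of a GPO in the computer's scope.
```

After `gpupdate /force` and a fresh logon on the client, `gpresult /r` run as the affected user lists which user-side GPOs were applied and which were filtered out.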