+ Post New Thread
Results 1 to 6 of 6
Windows Thread, GPO question in Technical; Hi everyone, I have a computer defined gpo with software restrictions in. How can i make this policy not apply ...
  1. #1

    Join Date
    Aug 2011
    Location
    Lincolnshire
    Posts
    88
    Thank Post
    10
    Thanked 2 Times in 1 Post
    Rep Power
    22

    GPO question

    Hi everyone,
    I have a computer defined gpo with software restrictions in. How can i make this policy not apply when i have a domain user logged onto a machine? Thanks

  2. #2

    abillybob's Avatar
    Join Date
    May 2013
    Location
    Shropshire
    Posts
    2,761
    Thank Post
    316
    Thanked 344 Times in 255 Posts
    Rep Power
    212
    You can't as far as I'm aware!

  3. #3
    budgester's Avatar
    Join Date
    Jan 2006
    Location
    Enfield, Middlesex
    Posts
    486
    Thank Post
    4
    Thanked 37 Times in 30 Posts
    Rep Power
    24
    At what level are your software restrictions applied ? Domain Level, User/Group Level OU/Computer level ?

    Should the software restrictions only apply when a workstation is logged onto as a local user ?

  4. #4

    Join Date
    Aug 2011
    Location
    Lincolnshire
    Posts
    88
    Thank Post
    10
    Thanked 2 Times in 1 Post
    Rep Power
    22
    Thanks for the reply, the gpo is applied at ou level. The gpo should apply for all users except system admins but this isnt happening at the minute

  5. #5

    Norphy's Avatar
    Join Date
    Jan 2006
    Location
    Harpenden
    Posts
    2,393
    Thank Post
    54
    Thanked 316 Times in 246 Posts
    Blog Entries
    6
    Rep Power
    122
    If you've got a GPO set to a container of which your user is a member of and you don't want it applying to it, you need to set the permissions on the GPO to prevent it from happening. The easiest way is open the GPO, right click at the top and go to properties, go Security and set the "Apply Group Policy" permission to Deny.

    gpo.png

  6. Thanks to Norphy from:

    tmcd35 (18th June 2014)

  7. #6
    ADMaster's Avatar
    Join Date
    May 2012
    Posts
    333
    Thank Post
    5
    Thanked 35 Times in 30 Posts
    Rep Power
    23
    In addition to @Norphy Ďs suggestion of applying an ACL to the GPO there are a number of options that may work better in the long term. Best practice says ACLís on the GPO should be used as a last resort.
    1 Iíve attached a screen shot that shows you can set the enforcement of the SRP and exclude local admin accounts.
    2 move the settings to the user configuration and apply it to the users OU, this will exclude all local users. It will also exclude the local admin account unless you apply it at domain level.
    3 move all the restrictions to applocker. (enterprise sku required). This is the path Iím going to work on this summer. Convert all my SRPs to applocker. It has the flexibility to define rules for specific users and groups.

    Currently my SRPs are split into two policies one applied to the staff OU and one applied to the student OU. In theory Iíll be able to combine this into one policy for all with different rules.

    Cheers,


    srplocaladmin.PNG

SHARE:
+ Post New Thread

Similar Threads

  1. Daft GPO Question
    By Gongalong in forum Windows Server 2008 R2
    Replies: 10
    Last Post: 18th June 2012, 12:16 PM
  2. Cheeky GPO Question
    By garethedmondson in forum Windows 7
    Replies: 2
    Last Post: 4th May 2010, 09:03 PM
  3. GPO question
    By Newton in forum Windows
    Replies: 10
    Last Post: 15th July 2008, 10:44 PM
  4. WSUS - small question regarding GPO's
    By DanW in forum Windows
    Replies: 4
    Last Post: 10th April 2008, 02:12 PM
  5. Question about GPO settings on IE
    By Kyle in forum Windows
    Replies: 4
    Last Post: 9th March 2006, 11:26 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •