GPO

[tester125]

HI Everyone,

I posted this before. Could not get it resolve, still having problem. Maybe someone could clarify.

I created a group "testgroup" at the Domain level to have restriction when anyone in said group logs in, the policy works fine. Now I create a container and added a 20 laptops to that container, anyone who logs in to these laptops should have full access, no restriction. Now how could I get the policy to not restrict the user that's in the "testgroup" when they log in to these.

I checked off the block policy inheritance, but no luck.

Again. I want the testgroup user to have limited access to the workstations in the domain, but to have full access to the 20 laptops that's in the OU.

Thanks all.

 

[tester125]

Please any help. Thanks again.

 

[SGTRawlins]

You can apply a "filter" to the OU for that particular policy i believe, this should mean the policy will not apply to any objects in the OU.

 

[tester125]

Hey thanks alot SGTRawlins for your reply.

I'm sorry am new to GP, how do I go about doing this.

Thanks again.

 

[SGTRawlins]

Right, Easy Peasy bud,

1. Right Click the Domain level icon in AD and choose properties.

2. Locate the Group policy tab.

3. Locate the policy discussed in this thread and right click and open the properties window for the policy.

4. Locate the security tab, now click "Add"

5. Add the users or OU you want exempt from the policy.

6. Set the permissions for the user or OU as follows;

Read = Deny
Applly Group Policy = Deny

This should do the job, let me know if you need further instruction, also a purple star would be nice if we come out trumps!

 

[tester125]

Hey SGTRawlins,

This is not going to work. That means that am not applying the group "test" to the Domain Level. I do want to apply the group "test" to the Domain Level to have restricition for the workstations in the Domain, but when they login to the 20 laptops in the OU level I want the "test" user to have full access.
I try what you mention but it gives the user full access to all workstations in the Domain.

Any more suggestions will be great.

 

[SGTRawlins]

ah, ok, this could be slightly more complex, it has been a long week and the old noggin isnt running at optimum performance, give me a few hours to think, i wll post a reply when i think of it.

 

[tester125]

Any other suggestions will be great.

 

[Mytrag]

Check on Block Policy Inheritence and it should prevent any policy from an higher level to affect the user/computer in that container.

Make sure both the user and computer object are in that container.

 

[tester125]

Hi Mytrag,

I tried doing what you suggested, but the domain level policy is overwriting the container level policy.
I have the laptops in the container level policy.

here's what I have: I have the "test" group at the domain level, give restricted access.
I have the "laptop" group that gives full acess at the container level.
"john" is a member of both groups, I want him to have full access when he logs in to the laptops in the container level.
Any more suggestions.
thanks again.

 

[Mytrag]

Do you have No override enable at the domain level? That would make it so your Block Policy Inheritance doesnt work at any lower level.

Are you applying User policy here or only Computer policy?

If you only applying Computer Policy, then you can make 2 OU, one secured with all the desktop computer, and one unsecured with all of your Laptop.

 

[tester125]

Hi,

No I don't have No override enable at any level.
I'm applying user policy.

Thanks for any other suggestions.