Do Not Execute Group Policy for Admins Group

From: Emmysdad (gbrentnell_at_gmail.com)
Date: 01/17/05 

Date: 17 Jan 2005 08:44:34 -0800

We have an OU that contains Windows XP computer objects. I would like
to set permissions/delegation (or whatever means necessary) on this OU
so that the group policy will only apply to a certain group of users
(ie. I would like the group policy to apply to regular users who use a
computer in that OU, but I DO NOT want the group policy to apply to
domain admins that logon to a computer in that OU). There are settings
in the computer configuration of the GPO that I do not want applied to
computers in the OU it is linked to when Domain admins log on, but I do
want them applied when regular users login.

I am using GPMC.

I have removed Authenticated Users from the security filtering and
added a group that contains non domain admin users. I ensured that

I set the delegation properties on this group so that they had the read
and apply group policy permissions. In this case the GPO would not
apply.

I tried leaving the Authenticated Users in the security filtering
field, and instead set the DENY Apply group policy permission for
Domain admins. This setting had no effect as domain admins were still
getting the GPO applied.

I have tried moving the GPO to a higher level so it sits above above
the OU's I created for my computers and users and tried the things
above again but either the GPO applies to everyone, or it doesn't
apply at all to anyone.

I have looked into the Group Policy loopback processing setting, but
unless I misunderstand it, it's intent is to change the user settings
depending on the user, not the computer configuration settings.

Any ideas on how I can get a GPO that contains computer configuration
settings, that is applied to an OU with computer objects, to NOT apply
to domain admin users when they logon to a computer in that OU?

Relevant Pages

  • Re: policy for only two computers
    ... a setting in a Domain-linked GPO then the setting in the Domain-linked GPO ... what happens if there are conflicting settings at the same level? ... go to the Group Policy tab and click on the New... ... the Computer Configuration half and the User Configuration ...
    (microsoft.public.win2000.group_policy)
  • Re: iNTERACTIVE LOGON welcome screen - make it go away
    ... I created a custom ADM file for these two settings ... and imported it into the GPO under the Computer Administritative templates. ... really great expertise in Group Policy often reply to posts including ... doing a gpupdate on that domain controller which ideally would be the ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Getting desperate: GPO applying incorrectly, PLEASE HELP ME!!
    ... User and Computer settings a single GPO,. ... OU with the Terminal Server computer accounts, ... See in particular the section called "Group Policy Loopback ...
    (microsoft.public.windows.group_policy)
  • Re: Getting desperate: GPO applying incorrectly, PLEASE HELP ME!!
    ... GPO security settings from the defauts. ... Restart the workstation computer and the Terminal server, ... I've chosen these settings only because the affect is easy to observe. ... add check mark in the Deny column for Apply Group Policy ...
    (microsoft.public.windows.group_policy)
  • Re: Does user have to be a member of domain admins? Surely not!
    ... The userdoes not have to be a member of the domain/local administrators ... What I would do is run the Group Policy Management snap-in and review the ... The delegation is who should modify/delete the gpo.) ... gpo will only apply if the test user is a member of the Domain Admins ...
    (microsoft.public.windows.server.sbs)