Re: Do Not Execute Group Policy for Admins Group

From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 01/17/05


Date: Tue, 18 Jan 2005 08:21:07 +1100

Hi

I can't think of any mechanism to do this. The computer configuration part
of policy applies prior to logon and as such, is independent of the user
account. It depends only on the computer account residing in the OU
hierarchy to which the GPO is linked and permissions that provide the
computer account with read and apply.

The intent of policy loopback is to replace or merge user configuration
policy based on the location of the computer account in the AD instead of
the location of the user account in AD.

To explain loopback:

1. When the computer boots, the list of GPOs for the computer is gathered
based on its location in the Active Directory. This is its SOM or Scope
of Management. The list includes GPOs linked to OUs at each level in the
hierarchy from the OU in which the computer resides all the way up to the
domain.

2. The computer configuration settings from this list are applied to the
computer provided it has permissions to the GPOs.

3. When the user logs in, different behaviour occurs according to the policy
loopback settings:

A. Loopback off - the SOM for the user is calculated and then user
configuration settings applied according to user permissions. The location
of the user account in the AD decides entirely which user configuration
settings are applied.

B. Loopback merge mode - the SOM for the user is calculated as in A. The
user configuration settings from this SOM are applied but at a lower
precedence to the user configuration settings in the computer SOM. Once
again, user permissions allow or prevent application of these settings
regardless of whether they came from the user or computer SOM.

C. Loopback replace mode - the SOM for the user is not considered. The user
configuration settings are applied from the GPOs in the computer SOM
provided they have user permissions.

Kind regards

-- 
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email 
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Emmysdad" <gbrentnell@gmail.com> wrote in message 
news:1105980274.584124.77110@f14g2000cwb.googlegroups.com...
> We have an OU that contains Windows XP computer objects.  I would like
> to set permissions/delegation (or whatever means necessary) on this OU
> so that the group policy will only apply to a certain group of users
> (i.e. I would like the group policy to apply to regular users who use a
> computer in that OU, but I DO NOT want the group policy to apply to
> domain admins that log on to a computer in that OU). There are settings
> in the computer configuration of the GPO that I do not want applied to
> computers in the OU it is linked to when Domain admins log on, but I do
> want them applied when regular users log in.
>
> I am using GPMC.
>
> I have removed Authenticated Users from the security filtering and
> added a group that contains non domain admin users. I ensured that
>
> I set the delegation properties on this group so that they had the read
> and apply group policy permissions. In this case the GPO would not
> apply.
>
> I tried leaving the Authenticated Users in the security filtering
> field, and instead set the DENY Apply group policy permission for
> Domain admins. This setting had no effect as domain admins were still
> getting the GPO applied.
>
> I have tried moving the GPO to a higher level so it sits above
> the OUs I created for my computers and users and tried the things
> above again but either the GPO applies to everyone, or it doesn't
> apply at all to anyone.
>
> I have looked into the Group Policy loopback processing setting, but
> unless I misunderstand it, its intent is to change the user settings
> depending on the user, not the computer configuration settings.
>
> Any ideas on how I can get a GPO that contains computer configuration
> settings, that is applied to an OU with computer objects, to NOT apply
> to domain admin users when they log on to a computer in that OU?
> 

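The three loopback modes (A, B, C) in the reply above, worked through as a small Python model. This is an added example, not code from the post or from Microsoft; the GPO names, OU paths and group names are constructed, and "permissions" are simplified to the set of groups holding Read and Apply Group Policy on each GPO.

```python
"""Model of how the user-configuration half of Group Policy is selected under
the three loopback modes.  Added example, not from the post or Microsoft: GPO
names, OU paths and groups are constructed; permissions are an allow-list."""
from dataclasses import dataclass

@dataclass(frozen=True)
class GPO:
    name: str
    link_path: str           # container the GPO is linked to, e.g. "corp/Staff"
    apply_groups: frozenset  # groups holding Read + Apply Group Policy

def som(account_path, gpos):
    """Scope of Management: GPOs linked at every level from the domain down
    to the account's own OU.  Later entries (closer OUs) win on conflict."""
    parts = account_path.split("/")
    containers = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return [g for c in containers for g in gpos if g.link_path == c]

def _dedupe_keep_last(gpos):
    """A GPO present in both SOMs is evaluated once, at its later position."""
    ordered = {}
    for g in gpos:
        ordered.pop(g.name, None)
        ordered[g.name] = g
    return list(ordered.values())

def effective_user_gpos(user_path, user_groups, computer_path, gpos, loopback):
    """Names of GPOs whose user-configuration settings apply, in processing
    order (last has highest precedence)."""
    user_som, computer_som = som(user_path, gpos), som(computer_path, gpos)
    if loopback == "off":          # A: user SOM only
        candidates = user_som
    elif loopback == "merge":      # B: computer SOM appended at higher precedence
        candidates = _dedupe_keep_last(user_som + computer_som)
    elif loopback == "replace":    # C: user SOM ignored entirely
        candidates = computer_som
    else:
        raise ValueError(f"unknown loopback mode: {loopback}")
    # In every mode the user's own permissions gate each GPO, whichever SOM supplied it.
    return [g.name for g in candidates if user_groups & g.apply_groups]

# Constructed directory: kiosk PCs in one OU, staff accounts in another.
GPOS = [
    GPO("Default Domain Policy", "corp", frozenset({"Authenticated Users"})),
    GPO("Staff Desktop", "corp/Staff", frozenset({"Authenticated Users"})),
    GPO("Kiosk Lockdown", "corp/Workstations/Kiosks", frozenset({"Kiosk Users"})),
]
STAFF = frozenset({"Authenticated Users", "Kiosk Users"})
ADMINS = frozenset({"Authenticated Users", "Domain Admins"})  # not in Kiosk Users
```

The model covers only the user-configuration half; as the reply explains, the computer-configuration settings are chosen from the computer SOM before anyone logs on and are not affected by the user's group membership.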
