Re: Exclude from GPO ..

Morning, Paul!

Quick question: should it be the 'Everyone' group or the 'Authenticated
Users' group? And, when denying access this way one could 'allow' the READ
but specially 'deny' the APPLY GPO. Not sure what purpose this would have
but I remember some really smart people in the WIN2000 Group Policy news
group suggesting this.

Also, is it not a smart idea to not include this in the Default Domain
Policy but to create a new GPO linked to the Domain level? Or, possibly to
an other OU? We do not know what his set up is......This is what I would
probably do. I would tend to think that it might be a good idea to leave
the DDP and the DDCP alone....If you have to restore them via those nifty
little utilities you have lost everything other than the factory defaults.
Or, am I wrong on this?

--
Cary W. Shultz
Roanoke, VA 24012

"Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
news:%23%23Ck7b5KGHA.3836@xxxxxxxxxxxxxxxxxxxxxxx
Create the gpo and give the everyone group the read and apply. Create a
group of users that don't need it applied and add this group to the gpo
and deny them the right to read or apply the gpo.

http://support.microsoft.com/?kbid=322176

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no
rights.


"Mike" <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A9196C81-F822-41EF-8C70-C9DDB709FE97@xxxxxxxxxxxxxxxx
Hello everyone.

I'm having a tough time figuring this out. I need to be able to enable a
password protected screen saver to apply to the entire domain with the
exception of a few user accounts and a couple of computer accounts and
cannot
get it functioning properlly.

I can setup the Default Domain Policy to enable the protected screen
saver,
but for the life of me cannot figure out how to exclude the user accounts
and
computer accounts I need to.

Any help is greatful!

Thanks,

Mike




.

Relevant Pages

  • Re: cannot logon locally
    ... For a machine in a domain use a GPO that will apply ... >>equivalent) and then set a deny of full control for the ... >>local policy to remove the obstructing setting. ... >>> not let me logon locally. ...
    (microsoft.public.windows.group_policy)
  • Re: loopback processing mode
    ... Deny Apply Policy for Domain Admins for the particular GPO Object. ...
    (microsoft.public.windows.group_policy)
  • Re: Group policy not being applied
    ... The opposite is also true - if the GPO only has Computer Configuration settings, but is linked to an OU that only has user accounts, gpresult will report it as "empty". ... If you want a set of User Configuration settings to only apply when users log on to a particular set of computers, you need to enable GPO Loopback processing and link the GPO with User Configuration Settings to the OU with the computer accounts. ... The policy is working fine on my PC ...
    (microsoft.public.windows.group_policy)
  • Re: Hide TS drives from users, but not Administrators.
    ... I took Jeff's suggestion to create a loopback gpo with nothing else in it. ... then created another gpo to deny all users from the servers local drives. ... I want to deny the Domain Admins from applying this policy so I continued ...
    (microsoft.public.windows.terminal_services)
  • Re: Group POlicy not being applied to groups in OU
    ... I realise that technically GPO should be applied to a container. ... The situation is that I have a terminal server ... users into a container and apply a policy - it works, ... > Deny permissions override allow permissions. ...
    (microsoft.public.windows.group_policy)