Re: Exclude from GPO ..
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Tue, 7 Feb 2006 06:47:33 -0000
The principal should stay as Authenticated Users. No need for EVERYONE.
Non-domain members aren't going to be trying to process the GPO anyway.
The reason you should only deny Apply Policy, and leave the read permission
has to do with how the clients find the policies, I believe. If you have no
permissions to a GPO, then the CSEs cannot read it and will error.
Remember, Computer configuration runs as (impersonates) your computer
account and user config impersonates the user who is logging/ logged on.
There are no real reasons why you should not use the Default policies. Many
people think them special, but they're not really. Although they do have
the same GUID no matter where you are. Deleting them is bad, modifying them
is fine. Although Cary raises a good point re. restoring them. As they are
the defaults you shouldn't delete them. Therefore, if there are problems
they need to be reset, which can result in you losing configuration
settings, as the changes you've made are not tracked.
Mike,
I've written a quick article on policy filtering here:
-- http://www.msresource.net/content/view/25/47/
Although it's probably not much different from the KB posted by Paul :(
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
.
- Follow-Ups:
- Re: Exclude from GPO ..
- From: Paul Bergson
- Re: Exclude from GPO ..
- References:
- Re: Exclude from GPO ..
- From: Paul Bergson
- Re: Exclude from GPO ..
- From: Cary Shultz
- Re: Exclude from GPO ..
- Prev by Date: RE: Export AD information into SQL database
- Next by Date: Re: Removing a Domain Controller?
- Previous by thread: Re: Exclude from GPO ..
- Next by thread: Re: Exclude from GPO ..
- Index(es):
Relevant Pages
|
|
