Re: Block a policy for one computer

From: "Herb Martin" <news@xxxxxxxxxxxxxx>
Date: Thu, 15 Mar 2007 08:59:58 -0500

"Matt" <Matt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3B4033B9-685D-44D4-A176-5D2737519063@xxxxxxxxxxxxxxxx

We have a GPO (with a number of settings in) that is applied to our
domain.
One of the settings is Computer Configuration/Admin Templates/Windows
Components/Windows Movie Maker and the 'Do not allow Movie Maker to run'
value is set to Enabled, effectively stopping everybody from using Movie
Maker on our computers.

However, we have one user that requires access to this program (from a
specific PC). Is there a good way of doing this without blocking the GPO
as
the rest of the policy needs to be applied?

The only way I can think to do
this is to create a seperate sub OU for the computer, create a new GPO
and
set the same policy setting to Disabled, effectively overwriting its
parent
OU's GPO.

Yes, that is the way. The other way is to start at the top and split the
original GPO and don't apply the part that is wrong to this computer
(separate OU, permissions etc.)

Blocking inheritance would block the whole GPO and all its
settings.

Correct -- you should almost never use Block Inheritance (esp. for an
ordinary PC, reserve this for very special cases.)

Creating an OU for one PC just seems like a little overkill.

Next week they may need two computers so no, that is the way to
do it.

Would be interested in peoples thoughts. Thanks.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

.

Prev by Date: Re: How do I see who created a user/group/OU in W2k3 AD???
Next by Date: ADAM and DMZ
Previous by thread: AD rights to install software on a machine
Next by thread: ADAM and DMZ
Index(es):
- Date
- Thread

Relevant Pages

Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops
... I suggest not mixing Computer Settings and User Settings in the same GPO - this restricts your flexibility and can be confusing ... if you put the laptops' user accounts into a seperate OU from the desktops, then you can use loopback processing to apply different User Configuration settings to the laptops and desktops if you also seperate out the settings you want to be different into seperate GPOs ... User Configuration, Network, Offline Files, "Do not automatically make redirected folders available offline" prevents that from happening BEFORE redirecting any folders - its not retro active. ...
(microsoft.public.windows.group_policy)
Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops
... I suggest not mixing Computer Settings and User ... Settings in the same GPO - this restricts your flexibility and can be ... Configuration settings to the laptops and desktops if you also ... User Configuration, Network, Offline Files, "Do not ...
(microsoft.public.windows.group_policy)
Re: Getting desperate: GPO applying incorrectly, PLEASE HELP ME!!
... User and Computer settings a single GPO,. ... OU with the Terminal Server computer accounts, ... See in particular the section called "Group Policy Loopback ...
(microsoft.public.windows.group_policy)
Re: GPO not picking up computer settings
... to the domain container with the password/account settings you want. ... for password/account settings and from what GPO. ... buying any of the highly rated AD or Group Policy books you see at Amazon or ... I have changed all the passwords back to what they were so users are now ...
(microsoft.public.windows.server.security)
Re: Problem with NT4 domain trusting W2003 domain
... | implemented the settings you suggested in the "default domain controller ... | GPO" and not in the local GPO, and verified with GPMC that they are ... |> suspect there are some settings in security options caused this problem, ...
(microsoft.public.windows.server.migration)