isolating 1 laptop from implementing group policy

I need to make one laptop on the domain not pull down any group policy settings, so that when the person logs into that machine they can have full admin rights to the laptop but when they log into any other machine on the network, the usual restrictions such as no control panel etc remain in place.

I thought that I could just create a new OU and disinherit all policy settings, but the user group policy settings are still being applied.

Think I am missing something obvious as it should be possible. (This is on Windows Server 2003 and XP client machines)
 
Do your policies have 'enforce' selected? Hopefully these settings aren't defined in your default domain policy :p

You can actually do this by creating a security group, putting the computer account in there and then add an entry to the gpo security Acl to deny applying group policy to that particular group. This way you can keep your OU structure and not worry about new policies not being linked to OUs with inheritance turned off.

edit - http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
 

Think I am going to end up going down this road. There are two policies that are "enforced" but they are only applying proxy settings for iexplorer and a couple of other things. The OU that contains all members of staff has group policy applied, and for whatever reason this is still getting applied to the new OU even though I have selected disinherit.
 
it can take a long time for these things to update if you have multiple sites with slow replication etc. But I prefer the above method as it keeps things a little simpler.
 

When I create the new GPO, I take it I will have to select the options such as disable and not leave them as "not configured" as the previous GPO being applied will be enabling lots of restrictions to control panel, run command etc.
 


I'm a bit confused. If I understand the original post you simply want to stop policies being applied to this one computer? If so I don't see how that requires making a new policy. The method above is meant to filter the policies so they aren't applied to this one machine. Maybe I misunderstood, it is rather early :p
 
Security options on the group policy, then enter the computer name and tick deny on the "apply group policy" option.

Other options are to create a new OU and block policy inheritance, then link only the policies you want to apply. This is a pain to manage though, and the above option is much easier.


M.
 

No you are right, I would remove authenticated users and create a new security group. Makes sense now :)
 
Well not exactly, keep authenticated users in there (as you still want it to apply to everyone else) and use the deny option on the 'apply group policy' option for the security group with the single computer account in. Deny will always override an allow.
 
You could use WMI filters.

Another option would be to give the user a second account and use the 'can only log on to' option to restrict its use to the laptop in question.
 

Thank you :)
 
I would use a deny also but I am unsure if a Deny on a computer account will actually block user based settings applying?

Do you have loopback processing enabled/disabled? You should be able to separate out that PC into a new OU and have a different/no GP applied. The company I work for does this globally across different regions.
 

That is what I was wondering too. Will test on Monday.
 
Denying the group policy will block both the user and computer settings. You are denying the entire group policy and not just part of it. We have several group policies we have to use deny on because of Citrix, etc. and it's easier to block one policy than to block inheritance and relink them.



M.
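The security-filtering approach described in this thread (a security group holding the laptop's computer account, given a Deny on "Apply Group Policy" while Authenticated Users keeps its Allow), written up as an added PowerShell example that is not from the thread or its posters. It assumes the GroupPolicy and ActiveDirectory modules (Server 2008 R2 / RSAT or later; on the thread's 2003 setup the same ACE is added in the GPMC Delegation tab), and the GPO, group and computer names are placeholders.

```powershell
# Added example, not from the thread. Requires the GroupPolicy and ActiveDirectory
# modules (Server 2008 R2 / RSAT or later). All names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Staff Restrictions'   # placeholder: GPO the laptop must not apply
$groupName = 'GPO-Exempt-Laptops'   # placeholder: security group for exempt machines
$computer  = 'LAPTOP01'             # placeholder: the laptop's computer account

# 1. Security group containing only the laptop's computer account.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Filter "Name -eq '$computer'")

# 2. Add a Deny ACE for the "Apply Group Policy" extended right on the GPO's AD
#    object. Authenticated Users keeps its Allow, so everyone else still gets the
#    policy; a Deny wins over an Allow for members of the group.
$gpo     = Get-GPO -Name $gpoName
$gpoDn   = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$sid     = (Get-ADGroup -Identity $groupName).SID
$applyGp = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # "Apply Group Policy" right GUID

$acl  = Get-Acl -Path "AD:\$gpoDn"
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, 'ExtendedRight', 'Deny', $applyGp
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl
# GPMC's Delegation tab may report that the AD and SYSVOL permissions differ and
# offer to sync them; accept so both copies of the ACL match.

# 3. Check from the DC side: the group should be listed with Denied = True.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission, Denied

# 4. Check on the laptop after a refresh (run there, not on the DC):
#    gpupdate /force
#    gpresult /r /scope:computer   # GPO should appear under "filtered out (Security)"
#    gpresult /r /scope:user       # outside loopback processing the user half of a GPO
#                                  # is filtered by the user's own token, so confirm
#                                  # this scope separately rather than assuming it
```

Keep the Deny entry to the narrowest group you can: the same ACE would silently switch the policy off for any computer that is later added to that group.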
 