Deny 'Apply Group Policy' doesn't work.

Answered

  • Friday, 28 December 2012 07:11
     
     

    Hi guys,

    I have an OU in which I put a computer account Server100 (running on Windows Server 2003) and some domain user accounts (including domain admins). Now I create a group policy in which a logoff script is added under the user settings to automatically empty the user's %temp% folder when they log off Server100.

    Now the script works perfectly fine for all the domain users in the OU including domain admins, but actually I have denied 'Apply Group Policy' for the Domain Admins group under the 'Delegation' tab of the group policy.

    I have tried to remove the computer account Server100 from the OU; unfortunately I found that none of the users in the OU can apply this policy.

    All I need is that this policy can apply to all domain users in the OU except domain admins. Why doesn't my configuration work? I need your advice. Thank you.



    • Edited by Donald-SG Sunday, 30 December 2012 04:28

All replies

  • Friday, 28 December 2012 10:38
     
     Answered
     
    > I have an OU in which I put a computer account Server100 (running on
    > Windows Server 2003) and some domain user accounts inside (including
    > domain admins). Now I create a group policy in which a logoff script
    > is added under the *user settings* to automatically empty the user's
    > %temp% folder when they log off Server100. Now the script works
    > perfectly fine for all the domain users in the OU including domain
    > admins, but actually I have denied 'Apply Group Policy' for the Domain
    > Admins group under the 'Delegation' tab of the group policy.
     
    Would you mind posting a screen shot?
     
    > I have tried to remove the computer account Server100 from the OU;
    > unfortunately I found that none of the users in the OU can apply this
    > policy.
    >
     
    This is a strong indication that you have "Loopback replace" enabled for
    your server.
     
    > All I need is that this policy can apply to all domain users in the OU
    > except domain admins. I also want this policy to apply only on Server100,
    > but not to other computers. Why doesn't my configuration work? I need
    > your advice. Thank you.
    >
     
    Create a WMI filter for the GPO: "select * from win32_computersystem
    where name='Server100'". This will ensure the GPO only applies on a
    computer named 'Server100'. And make sure the "deny apply" ACL is set
    properly - I've never seen this fail...
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
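As an added example (not part of Martin's answer or anything posted in this thread), the following PowerShell checks the two things he names: the GPO's "Apply Group Policy" ACEs, Deny entries included, and the WMI filter query tested on the computer it is meant to match. It assumes the GroupPolicy module that ships with GPMC/RSAT, and the GPO name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy module (GPMC / RSAT)
# and a placeholder GPO name; replace it with the GPO that is linked to the OU.
Import-Module GroupPolicy

$GpoName = 'Logoff - Empty TEMP'   # placeholder name, not from the thread

# 1. The Delegation tab as data: every ACE on the GPO, Deny entries included.
#    Permission 'GpoApply' is the "Apply Group Policy" right; Denied = $True
#    marks a Deny ACE. An explicit Deny wins over any Allow the user gets
#    through another group (e.g. Authenticated Users).
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  TrusteeType, Permission, Denied, Inherited |
    Format-Table -AutoSize

# 2. A Deny for "Domain Admins" only takes effect if that group's SID is in
#    the user's logon token. Run this as the user who still gets the script
#    and confirm the group is actually listed.
whoami /groups | Select-String -Pattern 'Domain Admins'

# 3. Test the WMI filter query on the target computer. WMI filters are
#    evaluated by the client during policy processing, so running the same
#    query locally shows whether the filter would match. Name is the NetBIOS
#    computer name, and the comparison is case-insensitive.
$Query = "select * from win32_computersystem where name='Server100'"
$Match = Get-WmiObject -Query $Query        # Get-CimInstance -Query on newer hosts
if ($Match) {
    "WMI filter matches this computer: $($Match.Name)"
} else {
    "WMI filter does not match $env:COMPUTERNAME; the GPO would be skipped here"
}
```

Step 1 runs from any box with GPMC; steps 2 and 3 only make sense on Server100 itself (step 2 in the session of the affected user), because both the token and the WMI query are evaluated on the client.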
  • Sunday, 30 December 2012 04:26
     
    Hi Martin, 

    thanks for your reply, below you can take a look at the permission of the group policy which is linked to OU.

    As I have mentioned, the OU includes a computer account Server100 (running on Windows Server 2003) and some domain user accounts (including domain admins). I also have blocked some non-enforced group policies at the domain level.

    I don't think "Loopback replace" being enabled for Server100 is related to my issue, because as I mentioned all domain users who log off from Server100 can successfully read and apply this policy.

    I also understand that a WMI filter will definitely work, but I wish to troubleshoot without using a WMI filter.

    Below are my new findings:

    If I deny the permission 'Apply Group Policy' for individual domain users which are in the Domain Admins group instead of denying the whole Domain Admins group as shown in the screenshot above, then it works, which means domain users in the Domain Admins group can bypass this policy.



    • Edited by Donald-SG Sunday, 30 December 2012 04:34
  • Friday, 4 January 2013 13:09
     
     Answered

    > If I deny the permission 'Apply Group Policy' for individual domain users which are in the Domain Admins group instead of denying the whole Domain Admins group as shown in the screenshot above, then it works, which means domain users in the Domain Admins group can bypass this policy.

    To verify, I denied "apply" to my domain admins, too. Unfortunately (for you), I can confirm it works as expected - my account, which is a member of Domain Admins, is denied access and does not apply the GPO anymore.

    So, for now, I'm a bit out of luck in assisting with your issue ;-((

    • Marked as answer by Donald-SG Wednesday, 9 January 2013 07:49
  • Wednesday, 9 January 2013 07:49
     
     
    But I still cannot... what can I say?
  • Wednesday, 9 January 2013 14:35
     
     
    On 09.01.2013 08:49, Donald-SG wrote:
    > But I still cannot... what can I say?
     
    Did you create an RSoP report (through GPMC or gpresult /h) to verify
    where your logoff script is applied from? Maybe a different policy kicks in?
     

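As an added example (not from Martin or anyone in this thread), here is the RSoP check he asks for, plus the loopback check from his first reply, in PowerShell. It assumes the GroupPolicy module (GPMC/RSAT), rights to query RSoP on the server, and placeholder computer and user names.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy module (GPMC / RSAT),
# rights to query RSoP on the server, and placeholder computer/user names.
Import-Module GroupPolicy

$Computer = 'Server100'
$User     = 'CONTOSO\admin.user'   # placeholder: a Domain Admins member who still runs the script
$Report   = Join-Path $env:TEMP 'rsop-server100.html'

# 1. Resultant Set of Policy for that user on that computer. The report names
#    the GPO that delivered each setting, so a logoff script that actually comes
#    from a different GPO (domain link, other OU, loopback) shows up here.
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Html -Path $Report
# Without the module, the built-in equivalent is:
#   gpresult /s Server100 /user CONTOSO\admin.user /h rsop-server100.html

# Quick look for logoff-script entries in the report text before opening it.
Select-String -Path $Report -Pattern 'Logoff' | Select-Object -First 5

# 2. Loopback processing on the server. The "Configure user Group Policy loopback
#    processing mode" policy writes UserPolicyMode under the Policies key:
#    1 = merge, 2 = replace, value absent = loopback not enabled.
#    In replace mode the user settings come only from GPOs in the computer's
#    scope, which is why moving the computer out of the OU stops every user
#    in the OU from applying the GPO.
$Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$Mode = (Get-ItemProperty -Path $Key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($Mode) {
    1       { 'Loopback: merge' }
    2       { 'Loopback: replace' }
    default { 'Loopback: not configured' }
}
```

Step 1 can run from any machine with GPMC; step 2 reads the local registry, so run it on Server100 itself (Invoke-Command needs remoting that a Windows Server 2003 host may not have). If the report shows the script coming from a GPO other than the one whose Delegation tab was edited, the Deny ACE is on the wrong object.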