Thursday, June 14, 2012 11:05 AM
I need to prevent certain policies to be applied to Windows 7 x64 clients.
What I've already tried is to selectively remove permissions to e.g. subkeys of HKLM\Software\Policies\Microsoft up to completely removing all access to them. I suspect because of upper level permissions, my control list modifications are overwritten at each policy update (e.g. gpupdate (/force)), i.e. I think the system user (or an equivalent) simply takes ownership of the registry subkeys step by step and deletes and recreates them with the appropriate policies.
I don't like the idea to completely screw up the registry by heavily modifying permissions starting at the root level and possibly breaking something. Is there a way how I can prevent GPOs from being applied even if I work with a user account that has local administration rights (is member of local administrators group)?
Thursday, June 14, 2012 12:58 PM> I need to prevent certain policies to be applied to Windows 7 x64 clients.>Why don't you use a WMI filter for these policies you don't want toapply? Or security group filtering (put all your Win7 x64 clients in agroup and deny this group "Apply Group Policy" access to the GPOs inquestion...WMI filter could beselect * from win32_operatingsystem where not (buildlevel > 7000 andbuildlevel < 7999 and osarchitecture="64-bit" )If you REALLY want to modify registry permissions - you shoudn't do that-, you have to deny SYSTEM full access.regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
Friday, June 15, 2012 5:49 AMModerator
Agree with Martin, we can use the WMI filtering to limit the scope of the GPO based on the attributes of the target computer. Also, if you have grouped all of the clients you don’t apply the GPO to, we can also use the Security Filtering in Group Policy Managent to prevent the use of the GPO.
For detailed information about WMI Filtering and Security Filtering, please refer to the following articles.
Security filtering using GPMC
WMI filtering using GPMC
Additionally, If the GPO you want to limit applying to the specific computers is set with GPP settings, you can also use the Item-level Targeting to limit the scope of the GPO applying. Please refer to the following article for details about Preference Item-Level Targeting.
- Marked As Answer by Andy QiMicrosoft Contingent Staff, Moderator Wednesday, June 20, 2012 10:05 AM