How to prevent policies from being applied?
Thursday, June 14, 2012 11:05 AM
I need to prevent certain policies from being applied to Windows 7 x64 clients.
What I've already tried is to selectively remove permissions to e.g. subkeys of HKLM\Software\Policies\Microsoft up to completely removing all access to them. I suspect because of upper level permissions, my control list modifications are overwritten at each policy update (e.g. gpupdate (/force)), i.e. I think the system user (or an equivalent) simply takes ownership of the registry subkeys step by step and deletes and recreates them with the appropriate policies.
I don't like the idea to completely screw up the registry by heavily modifying permissions starting at the root level and possibly breaking something. Is there a way how I can prevent GPOs from being applied even if I work with a user account that has local administration rights (is member of local administrators group)?
Andreas
All Replies
Thursday, June 14, 2012 12:58 PM
> I need to prevent certain policies from being applied to Windows 7 x64 clients.
Why don't you use a WMI filter for these policies you don't want to apply? Or security group filtering (put all your Win7 x64 clients in a group and deny this group "Apply Group Policy" access to the GPOs in question...)
WMI filter could be
select * from win32_operatingsystem where not (BuildNumber > 7000 and BuildNumber < 7999 and osarchitecture="64-bit")
If you REALLY want to modify registry permissions - you shouldn't do that -, you have to deny SYSTEM full access.
regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!
Friday, June 15, 2012 5:49 AM Moderator
Hi,
Agree with Martin, we can use the WMI filtering to limit the scope of the GPO based on the attributes of the target computer. Also, if you have grouped all of the clients you don’t apply the GPO to, we can also use the Security Filtering in Group Policy Management to prevent the use of the GPO.
For detailed information about WMI Filtering and Security Filtering, please refer to the following articles.
Security filtering using GPMC
http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx
WMI filtering using GPMC
http://technet.microsoft.com/en-us/library/cc779036(v=WS.10).aspx
Additionally, if the GPO you want to limit applying to the specific computers is set with GPP settings, you can also use the Item-level Targeting to limit the scope of the GPO applying. Please refer to the following article for details about Preference Item-Level Targeting.
http://technet.microsoft.com/en-us/library/cc733022.aspx
Regards,
Andy
- Marked As Answer by Andy Qi (Microsoft Contingent Staff, Moderator), Wednesday, June 20, 2012 10:05 AM
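A WMI filter like the one suggested in this thread can be checked on a client before it is attached to a GPO, because the filter passes only when the query returns at least one instance. The following is an added example, not code from any poster: the function name Test-GpoWmiFilter is hypothetical, the queries use the Win32_OperatingSystem properties BuildNumber, Version and OSArchitecture, and the second query is an assumed alternative that matches on the version string instead of the build range.

```powershell
# Added example: evaluate candidate GPO WMI filter queries locally.
# Works on Windows PowerShell 2.0 and later (Windows 7 default).
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    $result = @{ Query = $Query; Valid = $true; Passes = $false; Error = $null }
    try {
        # The filter "passes" when the query returns one or more instances.
        $rows = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        $result.Passes = ($rows.Count -gt 0)
    }
    catch {
        # A misspelled property or class name surfaces here instead of
        # silently changing which machines receive the GPO.
        $result.Valid = $false
        $result.Error = $_.Exception.Message
    }
    New-Object PSObject -Property $result
}

# Show the values the filters are compared against on this machine.
$os = Get-WmiObject -Class Win32_OperatingSystem
'{0} | build {1} | version {2} | {3}' -f $os.Caption, $os.BuildNumber, $os.Version, $os.OSArchitecture

# Both queries exclude Windows 7 x64: they return a row on every other system.
$filters = @(
    'SELECT * FROM Win32_OperatingSystem WHERE NOT (BuildNumber > 7000 AND BuildNumber < 7999 AND OSArchitecture = "64-bit")',
    'SELECT * FROM Win32_OperatingSystem WHERE NOT (Version LIKE "6.1.%" AND OSArchitecture = "64-bit")'
)

$filters | ForEach-Object { Test-GpoWmiFilter -Query $_ } |
    Format-List Query, Valid, Passes, Error
```

On a Windows 7 x64 client both filters should report Passes = False, and `gpresult /r` run after a policy refresh lists the GPOs that were filtered out.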

