How to prevent policies from being applied?

    Question

  • I need to prevent certain policies from being applied to Windows 7 x64 clients.

    What I've already tried is to selectively remove permissions to e.g. subkeys of HKLM\Software\Policies\Microsoft up to completely removing all access to them. I suspect because of upper level permissions, my control list modifications are overwritten at each policy update (e.g. gpupdate (/force)), i.e. I think the system user (or an equivalent) simply takes ownership of the registry subkeys step by step and deletes and recreates them with the appropriate policies.

    I don't like the idea of completely screwing up the registry by heavily modifying permissions starting at the root level and possibly breaking something. Is there a way I can prevent GPOs from being applied even if I work with a user account that has local administration rights (is a member of the local administrators group)?

    Andreas

    Thursday, June 14, 2012 11:05 AM

All replies

  •  
    > I need to prevent certain policies from being applied to Windows 7 x64 clients.
    >
     
    Why don't you use a WMI filter for these policies you don't want to
    apply? Or security group filtering (put all your Win7 x64 clients in a
    group and deny this group "Apply Group Policy" access to the GPOs in
    question)...
     
    WMI filter could be
     
    select * from win32_operatingsystem where not (buildnumber > 7000 and
    buildnumber < 7999 and osarchitecture="64-bit" )
     
    If you REALLY want to modify registry permissions - you shouldn't do that
    -, you have to deny SYSTEM full access.
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Thursday, June 14, 2012 12:58 PM
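
    A way to check the WMI filter suggested above on a client before linking it to a GPO, as an added example that is not part of the original thread. The function name Test-WmiFilter is hypothetical, and the query is written with BuildNumber, the build property that Win32_OperatingSystem exposes.

```powershell
# Added example (not from the thread). Evaluates a GPO WMI filter query on the
# local machine: a filter is TRUE when the query returns at least one object.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        # @() forces an array so .Count works for zero or one result.
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # A malformed query or an unknown property name ends up here.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $null
    }
}

# The filter from the reply above, written with BuildNumber.
$filter = 'SELECT * FROM Win32_OperatingSystem WHERE NOT ' +
          '(BuildNumber > 7000 AND BuildNumber < 7999 AND OSArchitecture = "64-bit")'

# Show the values the filter looks at, so the result can be explained.
Get-WmiObject Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, OSArchitecture |
    Format-List

$result = Test-WmiFilter -Query $filter
if ($result -eq $null) {
    'Filter could not be evaluated; fix the query before linking it to a GPO.'
}
elseif ($result) {
    'Filter is TRUE: a GPO using this filter applies to this machine.'
}
else {
    'Filter is FALSE: a GPO using this filter is skipped on this machine.'
}
```

    On a Windows 7 x64 client the expected outcome is FALSE, which is what keeps the GPO from applying there.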
  • Hi,

    Agree with Martin, we can use the WMI filtering to limit the scope of the GPO based on the attributes of the target computer. Also, if you have grouped all of the clients you don’t apply the GPO to, we can also use the Security Filtering in Group Policy Management to prevent the use of the GPO.

    For detailed information about WMI Filtering and Security Filtering, please refer to the following articles.

    Security filtering using GPMC

    http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx

    WMI filtering using GPMC

    http://technet.microsoft.com/en-us/library/cc779036(v=WS.10).aspx

    Additionally, if the GPO you want to limit to specific computers is set with GPP settings, you can also use Item-level Targeting to limit the scope of the GPO. Please refer to the following article for details about Preference Item-Level Targeting.

    http://technet.microsoft.com/en-us/library/cc733022.aspx

    Regards,

    Andy

    Friday, June 15, 2012 5:49 AM