User OU GPO & Computer OU GPO

    Question

  •  

    Can I take a gpo I have set at the user OU level and move it to a computer OU (Terminal Servers)?

     

    Also, how do I have the GPO not apply to administrators?

    Wednesday, May 21, 2008 18:11

Answers

  •  

    Hello,

     

    Can I take a gpo I have set at the user OU level and move it to a computer OU (Terminal Servers)?

     

     

    Yes, GPOs can be de-linked from a container (site, domain and OU) and re-linked to a new container. However, please note that the user configuration part of group policies will not be applied to computers by default. If you would like those user configuration policies to also apply to all users who log on to a terminal server, you need to enable Group Policy loopback processing mode. For more information, please refer to the following Microsoft Knowledge Base article:

     

    231287 Loopback Processing of Group Policy

    http://support.microsoft.com/?id=231287

     

    Also, how do I have the GPO not apply to administrators?

     

     

    You may set Security Filtering (ACL on the GPO) to deny Administrators applying group policy.

     

    1.    Open GPMC console.

    2.    In the delegation tab of the GPO, click the Advanced button and add Administrators group.

    3.    Grant the permission "DENY apply group policy" on the Administrators group.

     

    816100 How To Prevent Domain Group Policies from Applying to Administrator (Windows Server 2003)

    http://support.microsoft.com/?id=816100

     

    Hope it helps.

     

    Thursday, May 22, 2008 07:02
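
The link move and loopback setting described in the answer above, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original post; the GPO name and OU distinguished names are placeholders, and it assumes a management host with the GroupPolicy module (RSAT) installed.

```powershell
#Requires -Modules GroupPolicy
# Added example. All names and distinguished names are placeholders (assumptions).
$GpoName   = 'TS User Lockdown'                        # hypothetical GPO name
$OldTarget = 'OU=Staff,DC=example,DC=com'              # user OU the GPO is linked to today
$NewTarget = 'OU=Terminal Servers,DC=example,DC=com'   # computer OU holding the terminal servers

# Registry value written by the "loopback processing mode" policy.
$LoopKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopValue = 'UserPolicyMode'
$Mode      = 2    # 1 = Merge, 2 = Replace

# 1. De-link the GPO from the user OU and re-link it to the computer OU.
Remove-GPLink -Name $GpoName -Target $OldTarget
New-GPLink    -Name $GpoName -Target $NewTarget -LinkEnabled Yes

# 2. Enable loopback in the computer half of the same GPO, so that its
#    user settings are processed for anyone logging on to these servers.
#    That includes administrators unless they are excluded separately.
Set-GPRegistryValue -Name $GpoName -Key $LoopKey -ValueName $LoopValue `
                    -Type DWord -Value $Mode | Out-Null

# 3. Verify: the link exists and is enabled on the new OU, and the
#    loopback value is present in the GPO.
$link = (Get-GPInheritance -Target $NewTarget).GpoLinks |
        Where-Object DisplayName -eq $GpoName
$loop = Get-GPRegistryValue -Name $GpoName -Key $LoopKey `
                            -ValueName $LoopValue -ErrorAction SilentlyContinue

[pscustomobject]@{
    Gpo           = $GpoName
    LinkedToNewOU = [bool]$link
    LinkEnabled   = $link.Enabled
    LoopbackMode  = switch ($loop.Value) {
                        1       { 'Merge' }
                        2       { 'Replace' }
                        default { 'Not configured' }
                    }
}
```

Running `gpresult /r` in a user session on one of the terminal servers after the next policy refresh shows whether the GPO appears under the applied user settings.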
  • The best way to not have your GPOs apply to administrators is to link the GPO to the correct node in AD. Since Group Policy works on a Scope of Management concept, just ensure that the administrators are not in an OU which is in the SOM of the GPO.

     

    Altering the security filtering of a GPO can be done, but it is not a best practice and should be avoided if possible. If you can't design around your SOM needs, then you can use the filtering. The filtering is very hard to troubleshoot and manage.

     

    Derek

    Group Policy Resource Kit

     

    Thursday, May 22, 2008 13:45
