Exclude GPO to not apply on Users when they login to specific servers

    Question

  • Hi Folks,

    I have applied an Internet Explorer proxy user setting group policy to an OU, which applies to users.

    I would like this GPO not to apply to users when they login to specific computers.

    I was looking at the security filtering, but it's a bit tricky to exclude the GPO so that it does not apply when logging on to specific computers but still applies when they log in to their PC.

    I would appreciate if anyone can suggest how to get around this issue.


    Regards, Navdeep

    Friday, February 3, 2017 4:10 AM

All replies

  • > I would like this GPO not to apply to users when they login to specific computers.
     
    Deny these specific computers read access to the GPO - MS16-072.
     
    Friday, February 3, 2017 10:55 AM
  • I have created a security group, made the servers members of that group, and waited for the replication. I logged on to the servers, but I still receive the user GPO that sets the proxy.

    Would denying the computer object the apply permission on a GPO that sets "user configuration" work?


    Regards, Navdeep

    Monday, February 6, 2017 7:51 AM
  • Hi,
    To me, it sounds like you want to apply a GPO to specific users who log on to specific computers.
    If that is the case, you could consider Group Policy loopback mode. Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs.
    You can find more details here:
    Circle Back to Loopback
    https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
    Windows Server: Understand “User Group Policy Loopback Processing Mode”
    https://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx
    Best Regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 6, 2017 7:56 AM
    Moderator
  • Hey Wendy,

    Here is the correct scenario:

    I don't want a specific GPO to apply when users log on to specific computers.

    The GPO in question sets a user setting and enables the proxy for Internet Explorer. The loopback only applies to computers, not users, correct?


    Regards, Navdeep


    • Edited by singh83 Monday, February 6, 2017 9:34 AM
    Monday, February 6, 2017 9:33 AM
  • > I have created a security group, made servers member of that group,
     
    ...then rebooted the server to make it pick up its group memberships?
     
    Monday, February 6, 2017 2:34 PM
  • I didn't reboot the servers, but I ran gpupdate /force and logged off and on. Should a reboot be required?

    Regards, Navdeep

    Tuesday, February 7, 2017 2:33 AM
  • > i didn't reboot the servers but i ran gpupdate /force, logon logoff. Should a reboot be required?

    Unless you do "psexec -s klist purge", yes, a reboot is required for the computer to pick up its new memberships.

    Greetings/Grüße, Martin - https://mvp.microsoft.com/en-us/PublicProfile/5000017 Want to read a good book about GPOs? - http://www.amazon.de/Windows-Server-2012--8-Gruppenrichtlinien/dp/3866456956 Good or bad GPOs? My blog - http://evilgpo.blogspot.com And if IT bothers me? Coke bottle design refreshment - http://sdrv.ms/14t35cq

    Tuesday, February 7, 2017 12:41 PM
  • I have rebooted the servers however I still see the GPO being applied. I have double checked the policy and it's configured as suggested.

    Regards, Navdeep

    Wednesday, February 8, 2017 2:06 AM
  • OK, I have got it to work. I used Group Policy loopback in Replace mode.

    I created the proxy setting (registry with delete flag) under computer settings and applied it to the server's OU.

    Doing so, I was able to achieve intended results.


    Regards, Navdeep

    Wednesday, February 8, 2017 3:18 AM
  • But that works only if I make a user a member of the local administrative group. Is there any other way to apply the policy under a normal domain user?

    Regards, Navdeep

    Wednesday, February 8, 2017 6:22 AM
  • Any ideas how we can make it work without the need to make the user an administrator?

    Regards, Navdeep

    Friday, February 10, 2017 1:35 AM
  • Hi,

    Have you checked the following blog regarding details to configure loopback mode and link to OU?

    https://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

    When you set the "User Group Policy Loopback Processing Mode" to "Replace" on the GPO linked to the server OU, the following applies:

    •        Computer Configuration -> The configuration created in the GPO linked to the server OU.
    •        User Configuration -> The configuration created in the GPO linked to the server OU.

    Best regards,

    Wendy



    Monday, February 13, 2017 2:29 AM
    Moderator
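
The loopback Replace setup the thread arrives at, written as a script; this is an added example, not part of any post in the thread. The GPO name and OU path are hypothetical placeholders, and it assumes the RSAT GroupPolicy module on a domain-joined admin workstation.

```powershell
# Added example. $GpoName and $ServerOu are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName  = 'Servers - User Loopback Replace'    # hypothetical GPO name
$ServerOu = 'OU=Servers,DC=example,DC=com'       # hypothetical OU path
$LoopKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Create the GPO once; reuse it on later runs.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# 2. Turn on loopback in the Computer Configuration half of the GPO.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Key $LoopKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# 3. Link the GPO to the OU that holds the server computer accounts.
$links = (Get-GPInheritance -Target $ServerOu).GpoLinks
if (-not ($links | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Guid $gpo.Id -Target $ServerOu | Out-Null
}

# 4. Review who can read the GPO. Since MS16-072, user policy is retrieved
#    in the computer's security context, so the server computer accounts
#    need Read on every GPO whose user settings they should process.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5. Run on a server in that OU after policy refresh: confirms the
#    computer actually received the Replace setting.
function Test-LoopbackReplace {
    $path = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $prop = Get-ItemProperty -Path $path -Name UserPolicyMode `
                -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.UserPolicyMode -eq 2)
}

# On the server, from an elevated prompt:
#   klist -li 0x3e7 purge     # drop the computer account's Kerberos tickets
#   gpupdate /force
#   gpresult /r /scope:user   # as the test user: lists applied user GPOs
Test-LoopbackReplace
```

With Replace mode active, `gpresult /r /scope:user` on the server should list only GPOs that apply to the server's OU, and the proxy GPO linked to the users' OU should be absent from the applied list.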