locked
Message text for users attempting to logon - Block for certain users? RRS feed

  • Question

  • Hi all,
    I have a group policy that applies to all workstations in a domain. The policy shows a message before you can log onto a workstation , and you have to click OK to move onto the the logon screen.
    I want to exclude a number of workstations from having this prompt, but i want to still apply all group policy settings (ie i dont want to block inheritance.)
    What is the best way i can do this? The policy itself doesnt allow you do 'Disable' the rule, so settings up the policy on a sub-OU wont work.

    Cheers.
    Thursday, February 26, 2009 12:07 AM

Answers

  • Hi,

    Create two GPOs, one the Message text for users attempting to log on policy and the other containing all your other GPO settings. Link these GPOs to the relevant OU, Domain, or Site and configure security filtering for the GPO with the Message text for users attempting to log on wherein only to the specific target group (I suggest using a group for easier management) are given Deny Read of the GPO.

    GPO Filtering Using Security Groupshttp://technet.microsoft.com/en-us/library/cc779291.aspx

    Regards,

    Salvador Manaois III
    MCITP | Enterprise & Server Admin
    MCSE MCSA MCTS CIWA C|EH
    Bytes & Badz: http://badzmanaois.blogspot.com
    • Proposed as answer by Mervyn Zhang Friday, February 27, 2009 10:36 AM
    • Marked as answer by gbug Wednesday, March 4, 2009 12:14 AM
    Thursday, February 26, 2009 2:19 AM

All replies

  • Hi,

    Create two GPOs, one the Message text for users attempting to log on policy and the other containing all your other GPO settings. Link these GPOs to the relevant OU, Domain, or Site and configure security filtering for the GPO with the Message text for users attempting to log on wherein only to the specific target group (I suggest using a group for easier management) are given Deny Read of the GPO.

    GPO Filtering Using Security Groupshttp://technet.microsoft.com/en-us/library/cc779291.aspx

    Regards,

    Salvador Manaois III
    MCITP | Enterprise & Server Admin
    MCSE MCSA MCTS CIWA C|EH
    Bytes & Badz: http://badzmanaois.blogspot.com
    • Proposed as answer by Mervyn Zhang Friday, February 27, 2009 10:36 AM
    • Marked as answer by gbug Wednesday, March 4, 2009 12:14 AM
    Thursday, February 26, 2009 2:19 AM
  • Hi,

    As Salvador suggested, you can use GPO filters to block applying.

    You can also use Group Policy inheritance Blocking to solve this issue. For more information, please refer to the following article:

    Block inheritance using GPMC
    http://technet.microsoft.com/en-us/library/cc738307.aspx

    Managing inheritance of Group Policy
    http://technet.microsoft.com/en-us/library/cc757050.aspx

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by Mervyn Zhang Friday, February 27, 2009 10:36 AM
    • Unproposed as answer by gbug Wednesday, March 4, 2009 12:14 AM
    Friday, February 27, 2009 10:36 AM
  • For anyone elses ference, the GPO filtering using Security groups did the trick here.
    The GPO block inheritance would not have worked in this situation, as i wanted to still aply all other GPO's to a group - it was only one part of a GPO that  i wanted to block. I had to seperate the GPO into two parts, and then block security inheritance to this second policy to a AD security group i created.

    Thanks.
    Wednesday, March 4, 2009 12:19 AM