none
Best way to stop a user getting any settings via GPO?

    Question

  • Hello,

    I simply need to prove if a certain issue in IE is related to a GPO or not for a user.  Is there a simple way I somehow stop the user getting any setting via any GPOs to prove this?

    Thanks

    Tuesday, July 7, 2015 3:57 PM

Answers

  • Move user to dedicated OU with block Inheritance enabled.
    Tuesday, July 7, 2015 4:06 PM
  • Hello

    tip: create new OU and block gpo inheritance or delegate denied to read/apply on specified gpo for user/group


    sorry my english

    Tuesday, July 7, 2015 4:10 PM
  • Remember that some GPO settings do not vanish after the GPO is no longer
    applied. This especially is true for IE Maintenance, Folder redirection
    and some others. So best create a _new_ user :)
     
    And if the above tips (which are correct and easy to implement) are not
    suitable for your environment:
     
    Create a GPO that applies to this user only (link it to his OU, remove
    AuthUsers from security filtering and add this user account). Then
    enable _any_ setting in "Administrative Templates". Then open User -
    Policies - Windows-Settings - Scripts - Startup, select "Display Files".
    Navigate two folders up - this is the GPO Sysvol folder. here, delete
    gpt.ini. This will ultimately stop GPO processing for this user.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, July 7, 2015 4:23 PM

All replies

  • Move user to dedicated OU with block Inheritance enabled.
    Tuesday, July 7, 2015 4:06 PM
  • Hello

    tip: create new OU and block gpo inheritance or delegate denied to read/apply on specified gpo for user/group


    sorry my english

    Tuesday, July 7, 2015 4:10 PM
  • Remember that some GPO settings do not vanish after the GPO is no longer
    applied. This especially is true for IE Maintenance, Folder redirection
    and some others. So best create a _new_ user :)
     
    And if the above tips (which are correct and easy to implement) are not
    suitable for your environment:
     
    Create a GPO that applies to this user only (link it to his OU, remove
    AuthUsers from security filtering and add this user account). Then
    enable _any_ setting in "Administrative Templates". Then open User -
    Policies - Windows-Settings - Scripts - Startup, select "Display Files".
    Navigate two folders up - this is the GPO Sysvol folder. here, delete
    gpt.ini. This will ultimately stop GPO processing for this user.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, July 7, 2015 4:23 PM