Need help blocking certain GPOs

    Question

  • OU structure:

    domain
      company
        servers
          computers
          users
        users

    I have GPOs linked to the domain OU. I have Block Inheritance set on the Servers OU. More recently, I set Block Inheritance on the Computers OU too. The GPOs linked to the domain are still being applied to my servers.

    Most notably, a GPO with user configuration preferences to add printers to workstations. This GPO has loopback enabled to allow us to assign printers to certain computers.

    I also tried setting our terminal server computer object to Deny Read & Apply for the printer mapping GPO. It still applies. I did replicate the DC settings and ran gpupdate before checking. gpresult /z on the terminal server shows user settings for my regular domain user account. Shouldn't Block Inheritance still block this, though? Enforced is not enabled on the GPO. When I click the Servers OU in GPMC and go to Group Policy Inheritance, the GPOs linked to the domain do not show (except for enforced GPOs).

    Maybe AD doesn't realize what OU the servers are in? Or maybe it's the loopback setting? What can I do to troubleshoot this?

    Thursday, February 25, 2016 7:43 PM
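The checks below are an added troubleshooting example for the situation described in the question; they are not part of the original post. The script assumes the GroupPolicy and ActiveDirectory RSAT modules in a domain-joined admin session, and the computer name, user name and GPO display name are placeholders. It walks the OU chain from the server's actual location to the domain root and prints, per container, whether inheritance is blocked and which links are Enforced (an Enforced link above a block still applies, which is what the GPMC "Group Policy Inheritance" tab reflects), lists every place the suspect GPO is linked, dumps its security filtering with the Deny flag, reads the loopback mode the server actually applied, and finally produces the same resultant-set data as gpresult.

```powershell
# Added example, not from the thread. Placeholder names; adjust before running.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ComputerName = 'TS01'              # placeholder: the terminal server
$UserName     = 'CORP\jdoe'         # placeholder: the regular domain user seen in gpresult
$GpoName      = 'Printer Mapping'   # placeholder: the user-side printer preferences GPO

# 1. Where does AD actually keep this computer? Answers "does AD know what OU it is in".
$dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
"Computer DN: $dn"

# 2. Walk each OU from the computer's container up to the domain root. For every level show
#    whether Block Inheritance is set and whether any link there is Enforced. An Enforced link
#    at any level above the block is applied regardless of Block Inheritance.
$container = $dn -replace '^CN=[^,]+,', ''        # strip the CN= leaf, keep the OU/DC chain
while ($container -match '^OU=') {
    $inh = Get-GPInheritance -Target $container
    "{0}  BlockInheritance={1}" -f $container, $inh.GpoInheritanceBlocked
    foreach ($link in $inh.GpoLinks) {
        "    link: {0}  Enabled={1}  Enforced={2}" -f $link.DisplayName, $link.Enabled, $link.Enforced
    }
    $container = $container -replace '^OU=[^,]+,', ''
}
# $container is now the domain DN; Get-GPInheritance accepts it as well.
foreach ($link in (Get-GPInheritance -Target $container).GpoLinks) {
    "{0}  link: {1}  Enabled={2}  Enforced={3}" -f $container, $link.DisplayName, $link.Enabled, $link.Enforced
}

# 3. Every link of the suspect GPO, as recorded in its XML report. A second link below the
#    block, or NoOverride=true (Enforced) on the domain link, each explains the symptom.
$gpo    = Get-GPO -Name $GpoName
$report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
foreach ($l in $report.GPO.LinksTo) {
    "GPO '{0}' linked at {1}  Enabled={2}  Enforced={3}" -f $gpo.DisplayName, $l.SOMPath, $l.Enabled, $l.NoOverride
}

# 4. Security filtering. Compare the user account that gpresult shows against this list,
#    not only the computer account that carries the Deny.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied |
    Format-Table -AutoSize

# 5. Loopback mode the server applied: 1 = Merge, 2 = Replace, absent = not configured.
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
}

# 6. Resultant set for that user on that server (logging mode; the user must have logged on
#    there at least once). Open the HTML and read the "Applied GPOs" and "Denied GPOs" tables.
Get-GPResultantSetOfPolicy -Computer $ComputerName -User $UserName -ReportType Html -Path "$env:TEMP\rsop-$ComputerName.html"
```

Read step 2 together with step 3: if the printer GPO shows up with Enforced (NoOverride) set to true on its domain link, Block Inheritance on Servers or Computers cannot stop it, and the GPMC inheritance tab will list it exactly as the question describes.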

All replies

  • Hi,

    I also tried setting our terminal server computer object to deny read & apply for the printer mapping gpo.  It still applies. 

    >>>Based on my test, it will not work to delegate a computer a Deny Read & Apply permission on a GPO that is linked to a user OU.

    To achieve your goal, you could configure item-level targeting.

    For more information about item-level targeting, you could refer to the article below.

    Preference Item-Level Targeting Using the GPMC

    https://technet.microsoft.com/en-us/library/dn789189.aspx

    Best Regards,

    Jay



    Friday, February 26, 2016 8:51 AM
    Moderator
    We already use item-level targeting on the GPO. We have security groups with the computer accounts as members; this sets which printers get applied to which computers. We do not have our terminal server in any item-level targeting, yet it still takes a while to process during login.

    I'm going to try setting a WMI filter for this GPO. That should take care of this.

    Friday, February 26, 2016 3:04 PM
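Before linking a WMI filter to the printer GPO it is worth checking how the filter would evaluate on a workstation and on the terminal server. The function below is an added example and not something posted in the thread; the WQL queries and computer names are assumptions standing in for whatever the poster ends up writing. A GPO WMI filter is a list of WQL queries that must all return at least one row on the machine doing the processing for the GPO to apply, and it is evaluated on the computer even for user-side settings, so a filter that excludes servers keeps a loopback GPO off a terminal server.

```powershell
# Added example, not from the thread. Evaluates a GPO-style WMI filter (AND of WQL queries)
# against one or more computers so the result can be checked before the filter is linked.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)] [string[]] $Queries,      # the queries as entered in GPMC
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $detail = foreach ($q in $Queries) {
        # Each filter query runs in root\cimv2 unless the GPMC entry names another namespace.
        $rows = @(Get-CimInstance -ComputerName $ComputerName -Namespace 'root\cimv2' -Query $q -ErrorAction Stop)
        [pscustomobject]@{ Query = $q; Rows = $rows.Count; Matches = ($rows.Count -gt 0) }
    }
    [pscustomobject]@{
        Computer = $ComputerName
        # The GPO applies only if every query matched (filters are ANDed).
        Applies  = (@($detail | Where-Object { -not $_.Matches }).Count -eq 0)
        Detail   = $detail
    }
}

# Assumed filter for the printer GPO: workstations only.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$workstationOnly = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
)

foreach ($c in @('WKS01', 'TS01')) {          # placeholder computer names
    $r = Test-GpoWmiFilter -Queries $workstationOnly -ComputerName $c
    "{0}: printer GPO would apply = {1}" -f $r.Computer, $r.Applies
    $r.Detail | Format-Table Query, Rows, Matches -AutoSize
}
```

Running it against the terminal server should report Applies = False for the ProductType = 1 query; if it reports True, the server is not what the filter thinks it is and the query needs revisiting before it is linked.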
    Most notably, a GPO with user configuration preferences to add printers to workstations. This GPO has loopback enabled to allow us to assign printers to certain computers.

    This GPO (where loopback processing is enabled) is linked at the root of your domain?

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, February 27, 2016 11:14 AM
  • Hi,
     
    On 25.02.2016 at 20:43, MegaRAM wrote:
    > [Block Inheritance] The GPOs linked to domain are still being applied to my servers.
     
    ... because you forced them.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Proposed as answer by Jay GuModerator Thursday, March 3, 2016 5:24 AM
    • Unproposed as answer by MegaRAM Thursday, March 3, 2016 5:15 PM
    Saturday, February 27, 2016 3:58 PM