Help restricting GPO on two specific computers

    Question

  • Hello!

    I just started learning Group Policy and I have a question.

    There is a GPO that forces a set of groups into the "Administrators" in the advance user and groups in Computer Management. In AD, and thus GPM, there is only one OU for all the computers. This GPO is filtered via this OU. (thus, everything in this OU is affected by the GPO)

    I need this setting (see bold for reference) to NOT be applied to two different computers within the OU. The thing is, I do need all other settings applied by the GPO to still be applied. I am assuming there isn't a way to individually select specific command lines within the GPO and exclude them on specific users/computers.

    I'm not sure what to do. My goal is this: prevent unauthorized users from logging into these two computers. I only want two specific users to have access to both of these computers, no one else. No matter what change (I've tried so far) on the computer prevents others from logging in, long term. Group Policy always, eventually, overrides my removal of the groups in advance user and groups.

    How can I make it so that only two people can access these two computers but not exclude the entirety of the linked GPO? I assume I have to use GPO to resolve this issue. If I do not, I am open to suggestions. 

    Clarification/tl;dr: I have a GPO that has multiple settings affecting an entire OU. Within those settings, I need only one setting to not be implemented on only two computers in that OU, the rest must remain unaffected. How can I accomplish this?

    Thank you.

    Thursday, March 09, 2017 4:15 PM

All replies

  • Hi,
    >> prevent unauthorized users from logging into these two computers. I only want two specific users to have access to both of these computers, no one else.
    In order to do that, you could try the Deny log on locally policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. This policy determines which users are prevented from logging on at the computer.

    >> I have a GPO that has multiple settings affecting an entire OU. Within those settings, I need only one setting to not be implemented on only two computers in that OU, the rest must remain unaffected. How can I accomplish this?
    I assume that the GPO is a computer policy. If that is the case, in my opinion, you could try the following:
    - Separate the settings which are not applied to those 2 computers into a new GPO;
    - Organize computers into 2 groups: A group for those 2 computers, B group for the others;
    - As you only have one OU, please link the new GPO to the OU. Then you have the following methods to filter out those 2 computers from the new GPO:
    1. Use the security filtering function for B group. In this case, only computers in B group apply the GPO, not including those 2 computers: https://technet.microsoft.com/en-us/library/cc947840(v=ws.10).aspx
    2. Exclude individual computers from a Group Policy Object by setting permission: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    You could also refer to more details about group policy from:
    Group Policy for Beginners
    https://technet.microsoft.com/en-us/library/hh147307(v=ws.10).aspx

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Friday, March 10, 2017 2:36 AM
    Moderator
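
The group-and-security-filtering approach from the reply above (method 1), as an added PowerShell example that is not part of the original thread. The OU path, computer names, group name and GPO name are placeholder assumptions; it needs the ActiveDirectory and GroupPolicy modules (RSAT).

```powershell
# Added example: every name below is a placeholder assumption, not a value from the thread.
Import-Module ActiveDirectory, GroupPolicy

$ou        = 'OU=Workstations,DC=example,DC=com'   # the single OU holding all computers
$excluded  = 'PC-EXAMPLE-01', 'PC-EXAMPLE-02'      # the two computers to exempt ("A group")
$groupName = 'GPO-LocalAdmins-Apply'               # "B group": every other computer
$gpoName   = 'Local Administrators Membership'     # new GPO that will hold the one setting

# 1. Create the new, empty GPO. Moving the Administrators-membership setting into it
#    (and deleting it from the original GPO) is a manual step in the GPMC editor.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# 2. Create group B and add every computer in the OU except the two exempt ones.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
$current = (Get-ADGroupMember -Identity $groupName).DistinguishedName
$toAdd   = Get-ADComputer -Filter * -SearchBase $ou |
           Where-Object { $_.Name -notin $excluded -and
                          $_.DistinguishedName -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $groupName -Members $toAdd }

# 3. Link the new GPO to the same OU (New-GPLink errors if the link already exists).
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Security filtering: only group B gets Apply. Authenticated Users is reduced to
#    Read (not removed) so that computers can still read the GPO during processing.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace

# 5. Review the resulting delegation; the exempt computers must not appear with GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Computers pick up new group membership at their next restart; afterwards `gpresult /r /scope computer` on one of the two exempt machines should list the new GPO as filtered out, while the original GPO still applies.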
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you would mark them as answers. If you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Friday, March 17, 2017 9:35 AM
    Moderator