Group Policy Applying on Servers

    Question

  • Hi!

    We created a Domain Wide GPO to change the local admin password on our workstations and under Delegation added the Servers Group and selected "Deny" next to Apply Group Policy option but it is still applying on servers. In the scope "Authenticated Users" are added under Security Filtering.

    The workstations are under the default computers container and servers are in a separate OU.

    Any Suggestions?

    Thanks.


    • Edited by create_share Wednesday, November 16, 2016 10:11 AM
    Wednesday, November 16, 2016 10:08 AM

All replies

  • Hi,
    Please try removing "Authenticated Users" from the Security Filtering scope, add only the groups in Security Filtering to which you want the GPO to be applied, and see if it works.
    And if you want to exclude individual users or a computers group from a Group Policy Object, I would suggest you refer to the following article and try it step by step:
    How to exclude a Group Policy Object (GPO) to users or a security group
    https://blog.brankovucinec.com/2015/07/17/how-to-exclude-a-group-policy-object-gpo-to-users-or-a-security-group/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy



    Thursday, November 17, 2016 1:55 AM
    Moderator
  • I think I have to create a separate OU for computers and move all the PCs from the default computers container to the new OU, since this policy is for computers and not users.

    Is it better to use Redircmp for this job?

    Thursday, November 17, 2016 8:11 AM
  • > We created a Domain Wide GPO to change the local admin password on our
    > workstations
     
    Using what exact settings in this GPO? There is no built-in solution in
    GPO to change user passwords...
     
    In addition: You added a group to "Deny Apply" and the servers are a member of that group. Did you reboot the servers after adding them to the group?

    Friday, November 18, 2016 3:33 PM
  • No, I did not reboot the servers, but I updated the group policy with gpupdate /force. The settings for changing the password are as below:

    Friday, November 18, 2016 10:15 PM
  • > No, I did not reboot the servers, but I updated the group policy with gpupdate /force. The settings for changing the password are as below:

    Your server (or PC) where the GPMC/GPME is being used seems to be unpatched.

    A patch was released in 2014 to block the ability to set/store passwords in GPOs (because it's a massive security risk)

    http://www.grouppolicy.biz/2014/05/group-policy-preferences-password-behaviour-change-ms14-025/

    Instead of using GPP to set local account passwords, you should use LAPS or some similar product/solution.

    I suggest, instead of trying to make GPP work as you want to, stop trying, and choose a better (more secure) solution.

    And, you should patch your machines too ;)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, November 18, 2016 11:11 PM
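
An added example, not part of any reply in this thread: a read-only PowerShell audit that lists Group Policy Preferences items in SYSVOL that still carry a stored password (a non-empty `cpassword` attribute), which is the setting the last reply advises against. The function name `Find-GppStoredPassword`, the default path built from `USERDNSDOMAIN`, and the list of file names are assumptions for illustration.

```powershell
# Added example (not from the thread). Read-only: reports where a stored
# password exists, never prints or decodes the value itself.
param(
    # Assumption: the default SYSVOL Policies share of the current user's domain.
    [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# GPP preference files that could hold a stored password.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppStoredPassword {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
            } catch {
                Write-Warning "Could not parse $($file.FullName): $_"
                return   # skip this file, continue with the next one
            }
            # The GPO GUID is the {…} folder name under Policies.
            $guid = if ($file.FullName -match '\{[0-9a-f\-]{36}\}') { $Matches[0] } else { $null }

            # Any element with a non-empty cpassword attribute is a finding.
            $xpath = '//*[@cpassword and string-length(@cpassword) > 0]'
            foreach ($node in $doc.SelectNodes($xpath)) {
                $item = $node.ParentNode   # the preference item, e.g. <User>
                $isElement = $item -is [System.Xml.XmlElement]
                [pscustomobject]@{
                    GpoGuid  = $guid
                    ItemType = if ($isElement) { $item.LocalName } else { $null }
                    ItemName = if ($isElement) { $item.GetAttribute('name') } else { $null }
                    Modified = $file.LastWriteTime
                    File     = $file.FullName
                }
            }
        }
}

Find-GppStoredPassword -Path $PoliciesPath | Format-List
```

The MS14-025 update stops new passwords from being saved this way but does not remove ones already in SYSVOL, so each finding still means deleting the preference item and changing that account's password.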