GPO for users with admin rights

K

Kiosk

Hi,
Will GPO;s that enforce lockdowns apply to users that have admin
rights to the workstations ? do the admin rights override the group
policy?
 
C

Cary Shultz [A.D. MVP]

Kiosk,

Absolutely, to your first question. Absolutely not, to your second
question.

The key here is to use Security Group filtering. The security group, by
default, that is given both the READ and APPLY GROUP POLICIES is the
Authenticated Users group. This Group does not discriminate!

So, what you would do is one of two things: add the Domain Admins group ( or
whatever group you wanted ) to the security tab of this GPO and give it the
explicit DENY to the APPLY GROUP POLICY right -OR- create a security group
that is populated with the user account objects that you need, add this
security group to the security tab of the GPO, make sure to give this group
the READ and APPLY GROUP POLICY rights and then remove the Authenticated
Users.

HTH,

Cary
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

help with use of restricted groups and individual rights assigment 2
Different rights for admin 4
local admin w/o network rights 2
Assistance Please - Policy Order Doesn't Seem To Work Out Right. 1
Office XP SP redeployment not working throught GPO 2
Programs that need admin rights, but user shouldn't have them 5
problem with giving domain users local admim rights 8
Domain security group to All Computer Local Administrator Group 1

Top