Security Group Override


How do I accomplish this:

--Employees = GPO # 1
|
|--Retail = GPO # 2

--IT
|
|--Group Policy (A security group called GPO Override is placed in this OU)

What I want to do is be able to take a Domain User in the "Retail" OU that is getting affected by GPO#1 and GPO#2 and "temporarily" make them a member of a security group called "GPO Override" where they will not be affected by any GPOs so I may install "profile specific software packages". Once I am complete, I take the user back out of "GPO Override" and they are affected by GPO1 and GPO2 as usual. I feel this is cleaner than moving the entire user to the USERS (default ad group) every time I want to do this because some admins forget to put them back.

I'm pretty sure it is a security setting on the Security Group. I am using GPMC for Windows 2003 for GPO Management. Please advise....

Greg Williams
 
Tim Springston (MSFT)

Hi Greg-

To do this, you could give a Deny Read ACE for the GPO Override group on the
Properties->Security of the policies. One way to get to that GUI would be:

1) Go to the Properties of the Employees OU, then click on the Group Policy
folder tab so it is in front.

2) Then select the group policy you want to prevent them using and click the
Properties button.

3) In the GPO's Properties go to the Security folder tab.

4) Add the Deny Read (or Deny Apply Group Policy) for the GPO Override
security group.

5) Repeat the above for the other policy.

6) To rescind this, remove the users from the GPO Override security group.

Please repost if this doesn't fit your needs.

--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
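The steps in the reply above can also be scripted. This is an added example, not part of either post: it assumes a management host with the GroupPolicy and ActiveDirectory PowerShell modules (newer than the Windows 2003 GPMC mentioned in the question), uses 'GPO1' and 'GPO2' as placeholders for the two GPOs' display names, and assumes 'GPO Override' resolves as the group's identity. It adds the Deny "Apply Group Policy" ACE where it is missing, then lists who is currently in the override group.

```powershell
# Added example. Assumes the GroupPolicy and ActiveDirectory modules (RSAT);
# 'GPO1' and 'GPO2' are placeholders for the display names of the two GPOs.
Import-Module GroupPolicy, ActiveDirectory

$GroupName = 'GPO Override'
$GpoNames  = 'GPO1', 'GPO2'

# rightsGuid of the "Apply Group Policy" extended right
$ApplyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$SidType  = [System.Security.Principal.SecurityIdentifier]
$sid      = (Get-ADGroup -Identity $GroupName).SID

foreach ($name in $GpoNames) {
    # The GPO's directory object, addressed through the AD: drive
    $path = 'AD:\' + (Get-GPO -Name $name).Path
    $acl  = Get-Acl -Path $path

    # Explicit (non-inherited) ACEs only, with identities returned as SIDs
    $existing = $acl.GetAccessRules($true, $false, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $ApplyGpo -and
        $_.IdentityReference.Value -eq $sid.Value
    }

    if ($existing) {
        Write-Output "[$name] Deny 'Apply Group Policy' already present for $GroupName"
        continue
    }

    # Set-GPPermission has no Deny level, so the ACE is written on the AD object
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpo)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "[$name] Added Deny 'Apply Group Policy' for $GroupName"
}

# Everyone listed here is currently exempt from both GPOs. Outside an install
# window the list should be empty (the "admins forget" problem from the question).
Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object Name, SamAccountName, distinguishedName
```

A user's group membership is read at logon, so the user has to log off and back on after being added to or removed from the group. Running the final membership query on a schedule gives a simple check for accounts left in the override group.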
 
