Stop policy applying to Administrator when using Loopback

John Faris

Hi all.

I have a group policy set up to restrict terminal services users on one of
our servers. In order to get it to apply only to users when they use this
PC I had to link the policy to a special OU that I made to hold the terminal
server in Active Directory. I then turned on loopback processing but I
found that I also had to add the Computer$ account to the list of accounts
able to apply the policy for it to work (read this on MS site as I have
removed Authenticated Users from the access list). This is fine, but I
specifically added domain admins to the list with Deny set for Apply Policy
to prevent the restrictions applying to the administrator group. Today I
tried to install some software and found that the Windows Installer was
disabled and Group Policy Management revealed that this was because the
policy I had set up was being applied to the Administrator account. So my
question is how do I stop this policy from affecting Administrators?

TIA.

John.
 
Roger Abell

If by "Windows Installer was disabled" you mean that the
Windows Installer service was not running and set to disabled
due to the GPO, then that has nothing whatsoever to do with the
GPO being set for loopback, as Services configuration is machine
policy not user policy.
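
An added diagnostic for the machine-policy versus user-policy distinction in the reply above (not code from any poster in this thread): it reports which half of a GPO carries settings and who is on its ACL, including Deny entries. It assumes the GroupPolicy module (GPMC/RSAT) is installed; the GPO name `TS Lockdown` is a placeholder.

```powershell
# Added example. 'TS Lockdown' is a placeholder GPO name, not one from the thread.
Import-Module GroupPolicy

function Get-GpoFilterSummary {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo = Get-GPO -Name $GpoName

    # 1. Which halves of the GPO are enabled and actually contain settings?
    #    Computer-side settings (e.g. service startup modes) are filtered against
    #    the computer account's access to the GPO, not the logged-on user's.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $sides = foreach ($side in 'Computer', 'User') {
        $node  = $report.GPO.$side
        $names = foreach ($ext in @($node.ExtensionData)) {
            if ($ext) { $ext['Name'].InnerText }
        }
        [pscustomobject]@{
            Side       = $side
            Enabled    = $node.Enabled
            Extensions = @($names) -join ', '
        }
    }

    # 2. Who is on the GPO's ACL? Deny entries are flagged in the Denied column.
    #    A Deny on an admin group only filters settings processed for that user.
    $acl = Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied

    [pscustomobject]@{
        Gpo       = $gpo.DisplayName
        GpoStatus = $gpo.GpoStatus
        Sides     = $sides
        Acl       = $acl
    }
}

$summary = Get-GpoFilterSummary -GpoName 'TS Lockdown'
$summary.Sides | Format-Table -AutoSize
$summary.Acl   | Format-Table -AutoSize
```

If the restriction in question appears under the Computer side, the computer account's Apply permission is what delivers it, whichever user is logged on.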
 
John Faris

Roger Abell said:
If by "Windows Installer was disabled" you mean that the
Windows Installer service was not running and set to disabled
due to the GPO, then that has nothing whatsoever to do with the
GPO being set for loopback, as Services configuration is machine
policy not user policy.

That was what I meant, and I take your point, but what I need to do is stop
that specific group policy from applying to the administrator account.
 
chriske911

John Faris brought next idea :
That was what I meant, and I take your point, but what I need to do is stop
that specific group policy from applying to the administrator account.

an extremely easy low cost solution is setting ntfs permissions on a
gpo folder or object for a certain group
this should include a deny read for the administrator group
edit the GPO under another account if necessary

another solution is apply settings for administrators which turn back the
original GPO settings
put the administrators in a sub OU to implement this

grtz
 
John Faris

an extremely easy low cost solution is setting ntfs permissions on a gpo
folder or object for a certain group
this should include a deny read for the administrator group
edit the GPO under another account if necessary

another solution is apply settings for administrators which turn back the
original GPO settings
put the administrators in a sub OU to implement this

grtz

Thanks for the suggestions, but I would still like to know why the Deny is
not working for the Administrator.
 
