Not including user to a Group Policy

Status
Not open for further replies.

HussainU

IS-IT--Management
Dec 10, 2008
10
GB
I have a Group Policy in a certain OU. I want this Group Policy to apply to everyone except for 2 people.
Now I don't want to create a new OU for those 2 users. Is there any way of creating a Group Policy but making certain users exempt from that policy? Or any policy?
 
Deny them access to the GP in question through NTFS permissions.
 
How do you get there?

I thought you create a new group,
then in the Security Filtering section you add that group in, and from the Delegation tab on that group you do Deny group policy?
 
I've managed to deny a Group Policy to certain people within a group.
Is it possible to deny part of a policy to some people and not others?
 
Yes, I believe so, but test it first. The sysvol is located at \\yourdomain\sysvol\yourdomain\policies. Find the Unique ID of your GPO (with GPMC this is easy to find on the Details tab), then find the coordinating policy and drill down to the folder you want to restrict.
 
Thanks, but how do I make half the policy affect some users and not others?
 
You should make 2 policies. One for all and one for some. It is best practice to keep GPOs separated and easily identifiable for troubleshooting issues. And never use the default domain policy as a catch-all. The only caveat is the 3MB file size that will be added to your SYSVOL that gets replicated out to DCs, but it is still worth it.
 
Right, thanks for that mate.
I was hoping to have one OU with a Group Policy that does 2 things
but give most users restrictions and some users exempt from one of the other things.
 
So if I've got a GP which does, for e.g., two things:
gives users a mapped drive and blocks access to the C drive,

but I only want 10 out of the 15 users to get both parts of the policy.
The other 5 I only want to get the mapped drives but still get access to the C drive.
Is that possible?
 
Yes, break them into 2 separate GPOs.

1) Make a GP for the mapped drive, make a group for the 15 people that need this GPO, and apply it in the recipient filter.
2) Make another GP for access to the C: drive, make a group for the 10 that need this GPO, and apply it in the recipient filter. Make sure this is the only group in the filter... remove Authenticated Users.

Assign both GPOs to the OU that needs them (where the accounts are).
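
The two-GPO split described in the post above, scripted with the GroupPolicy PowerShell module (ships with GPMC/RSAT) as an added example that is not part of the original thread. The GPO names, group names and OU path are placeholders, and the script only sets scoping: the drive-mapping and C: drive settings themselves are still edited in each GPO. One deliberate difference from the post: Authenticated Users is lowered to Read rather than removed, because since the MS16-072 update user-side GPOs are fetched in the computer's security context and are skipped if the computer account cannot read them.

```powershell
# Added example: scope two GPOs by security group (names below are placeholders).
Import-Module GroupPolicy

$ou = 'OU=Staff,DC=example,DC=com'    # assumed OU holding the 15 user accounts

$scopes = @(
    @{ Gpo = 'Map Drives';       Group = 'GPO-MapDrives-Users' },   # all 15 users
    @{ Gpo = 'Restrict C Drive'; Group = 'GPO-RestrictC-Users' }    # the 10 restricted users
)

foreach ($s in $scopes) {
    # Create the GPO only if it is missing, so the script can be re-run safely.
    if (-not (Get-GPO -Name $s.Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $s.Gpo | Out-Null
    }

    # Security filtering: members of the group get Read + Apply group policy.
    Set-GPPermission -Name $s.Gpo -TargetName $s.Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Take Apply away from Authenticated Users but keep Read.
    # -Replace is required: without it a higher existing level is left unchanged.
    Set-GPPermission -Name $s.Gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Link the GPO to the OU unless a link already exists.
    $linked = (Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object { $_.DisplayName -eq $s.Gpo }
    if (-not $linked) {
        New-GPLink -Name $s.Gpo -Target $ou | Out-Null
    }

    # Print the resulting ACL so the filtering can be checked by eye.
    Get-GPPermission -Name $s.Gpo -All |
        Select-Object @{ n = 'Gpo';     e = { $s.Gpo } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission
}
```

Running `gpresult /r` as one of the five unrestricted users should then list only the drive-mapping GPO as applied, with the C: drive GPO shown as filtered out.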
 
Hmm. Thanks for your help, but I know how to do that. I was hoping to have the ONE Group Policy filtered,
which seems to be the hard bit.
 
Good luck to you. I can't think of why there would be a required need for this to be in just one GPO. You can do it in one if your mapped drive is being done through a script. Restrict the actual script by NTFS permissions.
 
Well crap... I reread your post. Everyone gets the mapped drives. You are limiting the C: drive. Are you putting the restrictions on the C: drive on the Computer Configuration part or the User Configuration part? Because the mapped drive script will go on the User Configuration part. So if the C: drive restrictions are configured in the Computer Config part... then you can do your restriction by NTFS in the SYSVOL/Policies on the Computer folder within your GPO.

NTFS: the group that does not need the C: drive restriction will be set to DENY Read access...

I hate to ask, but are you completely new to Managing a Windows 2000/2003 Active Directory?
 
No, I've done it all before,
but what I want to do is bring the GPs down.
I don't want multiple Group Policies because of a few people, if you know what I mean.
 
OK, cleaning house--keeping it to a minimum. I can respect that. Try the above..it should work.
 