Administrator account does not read Group Policy

[Brad Higgins]

Hey all,

I was wondering if there is a way in which you can have a
tight group policy but when you log on with the or an
administrator account you are not restricted by the group
policy.

What I mean is that if you enable the policy element that
disables the run menu, I want this done for all our users
but I also want when I log in with an administrator
account, that this account still has the run menu.

IS ther an easy way of doing this

Cheers

Brad

 

[Matjaz Ladava [MVP]]

You could filter out policies trough security settings. Create a group which
holds users to whom policy should apply and add to this group Read + Apply
policy permission. Remove authenticated Users from security settings. This
will ensure, that Admins won't get this policy. You are probably setting
this policy on Domain Policy and this affects also Admins. I would suggest
you to create a separate OU, and organize accounts in that OU with proper
policy affecting only that OU. It is a bad habit to create domain wide
policies.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 

[Jordan]

You could also leave everything as default (i.e. Authenticated Users granted
with 'Read' and 'Apply Policy') but specifically DENY 'Apply Policy' for the
Administrators (or Domain Admins) group.

Using Deny is usually not recommended as non-default settings will make
tourbleshooting more complex. The recommende way is to group all your
Administrators into a OU (i.e. AdminOU) and the rest of your users into one
or more OUs and apply GPO to these OUs.