Perhaps I don't understand everything here, but if you use the GPMC
Delegation tab, you can adjust who can do what to the GPO. One of the
available "permissions" is "Apply Group Policy". If this permission is set
to "Deny" for a particular user account or group, the GPO will not be
applied to that user or the members of that group.
1. select the GPO in the left pane of GPMC
2. select the Delegation tab
3. click the Advanced button at the bottom right
4. if the group you want the GPO NOT to apply to is already present, select
it. If the group is not present, use the Add button and add it and make it
the selected group
5. add a check mark to the Deny column on the Apply Group Policy row
6. click OK
Now, any member of the group that has Deny - Apply Group Policy setting will
not have the settings in this particular GPO applied to them even if their
user account is in the "Scope" of the GPO.
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp#heading6
describes this approach, but using the default Group Policy tool from Active
Directory and Computers MMC snap-in (that is replaced when GPMC is
installed). My understanding is that the steps above are the GPMC
equivalent steps to what is described in this document.
See also
http://support.microsoft.com/default.aspx?scid=kb;en-us;q315675&sd=tech.
Note that if the user (or users) are in an OU that is NOT in the scope of
the GPO, adjusting the "Apply Group Policy" permission will not have any
effect because the GPO won't be selected for processing for that user in the
first place. You can't force a GPO to be applied to a user via the GPO
permissions, you can only prevent it from applying to users that would
otherwise have it applied because of the user's account location in the OU
hierarchy.
Keep in mind that only the User Configuration settings are applied on a per
user basis. Settings in the Computer Configuration part of a GPO apply to a
computer no matter who logs on at it.
--
Bruce Sanderson MVP
It is perfectly useless to know the right answer to the wrong question.
Brian Jorgenson said:
Mark Renoden said:
Hi Brian
I'm not sure what the distinction is. Can you explain the two methods
you're attempting to use in more detail?
Here is the scoop: I am using Microsoft's Group Policy Management
Tool. On the Scope tab where you can use security filtering, it
specifically says that you can add a group, user, or computer for
filtering. If I had a group, it does not work. It only works on users
and computers. If I had builtin groups like Domain Users, Domain
Admins, then those groups work but any group I create will not work.
What am I missing?
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no
rights.
Brian Jorgenson said:
On Thu, 26 Aug 2004 08:35:50 +1000, Mark Renoden [MSFT] wrote:
Hi Brian
You should be able to achieve this by denying Read and Apply for this
group.
In fact, denying Apply is enough, and has the benefit that the user can
still read the GPO for reporting and listing/linking.
Cheers,
Kenny.
What about the issue with security groups not working in the scope
filtering?
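
The Deny - Apply Group Policy setting from the numbered steps above, expressed in PowerShell together with a check that lists who is allowed or denied Apply on a GPO. This is an added example, not part of the original thread. It assumes the GroupPolicy and ActiveDirectory (RSAT) modules are installed; the function names and the GPO and group names in the comments are hypothetical.

```powershell
# Added example, not code from the thread.
Import-Module GroupPolicy, ActiveDirectory

# rightsGuid of the "Apply Group Policy" extended right in Active Directory.
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# List every Allow/Deny entry for "Apply Group Policy" on one GPO.
# Deny entries do not appear under Security Filtering on the Scope tab,
# so this is the quickest way to see why a GPO skips a user in scope.
function Get-GpoApplyAce {
    param([Parameter(Mandatory)][string]$GpoName)
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    $acl = Get-Acl -Path ("AD:\" + $gpo.Path)   # Path is the GPO's DN
    $acl.Access |
        Where-Object { $_.ObjectType -eq $ApplyGpoRight } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

# Equivalent of steps 1-6: tick Deny on the Apply Group Policy row.
function Add-GpoApplyDeny {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo  = Get-GPO -Name $GpoName -ErrorAction Stop
    $sid  = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).SID
    $path = "AD:\" + $gpo.Path
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpoRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Constructed names, for illustration only:
#   Add-GpoApplyDeny -GpoName 'Kiosk Lockdown' -GroupName 'Helpdesk Staff'
#   Get-GpoApplyAce  -GpoName 'Kiosk Lockdown'
# Audit every GPO in the domain for Deny entries:
#   Get-GPO -All | ForEach-Object {
#       $n = $_.DisplayName
#       Get-GpoApplyAce -GpoName $n |
#           Where-Object AccessControlType -eq 'Deny' |
#           Select-Object @{n='Gpo';e={$n}}, IdentityReference
#   }
```

Group membership is read from the logon token, so a user added to the denied group is only exempted after logging off and on again.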