Block group policy to a single computer?


Craig

Hi folks,
I have a vanilla Windows Server 2003 AD environment / domain, and a
single computer I would like to exempt from my default domain policy.
What's the best way to do that?

Thank you,
Craig
 
Create an OU and set up Block Inheritance on that OU. Then just move
your users/computers to that OU.
 
Craig,

Why do you want to do this? I assume that this is in a lab environment?

Generally you would create an OU and move the objects in question from the
default location ( USERS for user account objects and COMPUTERS for computer
account objects ) and then make sure to check the 'Block Inheritance' ( if
that is what it is still called in WIN2003 ), as the other poster suggested.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
No, it's not a lab environment...it's my network. What about just
denying read access to the policy for that specific computer? I've
heard about that, I'm just not sure how to do it in Server 2003.

Craig
 
I would not use the READ right but the APPLY GROUP POLICY right instead. I
guess that it does not really matter.....

There is a concept called Group Filtering. When you create a Group Policy
there is a special group called the AUTHENTICATED USERS that is given the
READ and APPLY GROUP POLICY rights. You would need to create a security
group and populate it with the objects that you want to fall under the Scope
of Management of that specific GPO and give that security group both rights
already mentioned.

However, it is not really advised that you mess with the DDP and DDCP,
especially if you are new to Group Policy.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
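
The group filtering described in the last reply, as an added example that is not part of the original thread: a security group receives Read and Apply Group Policy on one GPO, and Authenticated Users is reduced to Read so that only group members process it. It assumes a management host with the GroupPolicy and ActiveDirectory PowerShell modules (which postdate Server 2003); the GPO name, group name, OU path and computer name are hypothetical placeholders, and leaving Authenticated Users with Read is this example's choice.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Workstation Baseline'            # a separate GPO, not the Default Domain Policy
$GroupName = 'GPO-Workstation-Baseline-Apply'  # security group that defines the GPO's scope
$GroupPath = 'OU=Groups,DC=example,DC=com'     # placeholder OU for the group
$Exempt    = 'EXEMPT-PC01'                     # the one computer that must not get the GPO

# 1. Create the filtering group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# 2. Add every computer except the exempt one, skipping accounts already in the group.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Select-Object -ExpandProperty distinguishedName)
$toAdd   = @(Get-ADComputer -Filter "Name -ne '$Exempt'" |
             Where-Object { $current -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# 3. Give the group Read + Apply Group Policy on the GPO (GpoApply includes read).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply

# 4. Lower Authenticated Users from Read + Apply to Read only.
#    -Replace is required because the new level is lower than the existing one.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace

# 5. Review the resulting delegation: only the filtering group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer picks up a changed group membership at its next restart. Running `gpresult /r /scope computer` on the exempt machine afterwards shows whether the GPO was filtered out.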
 