Help!!! Excluding admins for gpo restrictions

[Elizabeth]

I have created a Gpo for my domain, but the restrictions
take effect in the AD server too. I set it up to
remove "Run" from the start up toolbar and it works but it
also removes it from the domain controller with
administrator signon. How do I exclude the administrator
account from the restrictions?!! Please help!!!

 

[JHayes]

I have created a Gpo for my domain, but the restrictions
take effect in the AD server too. I set it up to
remove "Run" from the start up toolbar and it works but it
also removes it from the domain controller with
administrator signon. How do I exclude the administrator
account from the restrictions?!! Please help!!!

Hi Elizabeth,

Did you make this setting in the default domain policy? You should not
change anything in the default domain policy.

Do you have a hierarchy of OU's setup for your users? If you have
everyone, including admin, in one OU then any policy you make will affect
all users in that OU.

Please give a little more detail as to how you created this GPO.

JHayes

 

[Guest]

-----Original Message-----


Hi Elizabeth,

Did you make this setting in the default domain policy? You should not
change anything in the default domain policy.

Do you have a hierarchy of OU's setup for your users? If you have
everyone, including admin, in one OU then any policy you make will affect
all users in that OU.

Please give a little more detail as to how you created this GPO.

JHayes

I created the gpo using ad sites and services. I was

reading that the policies are applied to all users in the
authenticated users group. Administrators are also members
of the authenticated users group, so the policies were
being applied to administrators too. I just removed the
authenticated users group and added a group with the users
I want to be restricted. I am rebooting the server and
will test again after this.
thanks JHayes

 

[Mark]

I think this is what you want. It allows you to deny the restriction to
groups in GPO's.
http://support.microsoft.com/?kbid=322176#3

 

[Buz [MSFT]]

You could alternately deny Administrators "apply group policy" access to the
security of the GPO in question.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.