Implement DCGPO to only a select few DCs in my domain?

Hello,

I have an AD forest with 12 sites, each site hosts a minimum of 2 domain
controllers. I am attempting to implement a GPO for most of these DCs,
however I have a few DCs where I DO NOT WANT this GPO to be active. Should I
be able to simply move the Domain Controller object out of the Domain
Controllers OU in Active Directory Users and Computers so that this GPO does
not impact them? Are there other problems that will arise by moving a DC
object out of its OU?

Many thanks.
 
Howdy Jason!

Jason said:
I have an AD forest with 12 sites, each site hosts a minimum of 2 domain
controllers. I am attempting to implement a GPO for most of these DCs,
however I have a few DCs where I DO NOT WANT this GPO to be active. Should I
be able to simply move the Domain Controller object out of the Domain
Controllers OU in Active Directory Users and Computers so that this GPO does
not impact them? Are there other problems that will arise by moving a DC
object out of its OU?

Leave all your DCs in the Domain Controllers OU. Create a group to which
you add the DCs that shall *not* apply the GP you want to apply. Apply
your new policy to the Domain Controllers OU. Open the policy's security
tab and add a "deny" right for the newly created group with your DCs. The
DCs in your newly created group should now not be able to apply the policy.

If I remember right, Microsoft does not recommend moving DCs out of
"Domain Controllers" since really important GPs are/will be linked there.

cheers,

Florian
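
The group-and-deny approach from the reply above, scripted in PowerShell as an added example that is not part of the original posts. The GPO name, group name and DC names are hypothetical placeholders; it assumes the RSAT ActiveDirectory and GroupPolicy modules and a GPO that already exists.

```powershell
# Added example: all names below are hypothetical placeholders, not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'DC-Extra-Settings'             # hypothetical; the GPO must already exist
$GroupName = 'DC-Extra-Settings-Exempt'      # hypothetical exclusion group
$ExemptDCs = 'DC-SITE03-01', 'DC-SITE07-02'  # constructed sample DC names

$domain = Get-ADDomain
$gpo    = Get-GPO -Name $GpoName -ErrorAction Stop

# 1. Create the group of DCs that must NOT apply the GPO.
#    The DC computer objects themselves stay in the Domain Controllers OU.
$group = New-ADGroup -Name $GroupName -GroupScope Global `
                     -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group `
    -Members ($ExemptDCs | ForEach-Object { Get-ADComputer -Identity $_ })

# 2. Link the GPO to the Domain Controllers OU.
New-GPLink -Guid $gpo.Id -Target $domain.DomainControllersContainer `
           -LinkEnabled Yes | Out-Null

# 3. Add a Deny ACE for the "Apply Group Policy" extended right.
#    Set-GPPermission only grants permissions, so the ACE is written
#    directly to the GPO's AD object through the AD: drive.
$applyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpoAdPath = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $gpoAdPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy)
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoAdPath -AclObject $acl

# 4. Read the ACL back and list the Deny entries for Apply Group Policy.
(Get-Acl -Path $gpoAdPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.ObjectType -eq $applyGroupPolicy } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

A DC picks up the new group membership only after a restart or once its Kerberos tickets are renewed; after that, `gpresult /r /scope computer` on an exempt DC should show the GPO as filtered out with "Denied (Security)".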
 
Alternatively, define a subOU within the DC OU and place the DCs to
which the extra GPO should be applied within this subOU and link the
GPO to this subOU.
All DCs need to be within scope of the settings in the Default DC GPO,
so keep all DCs in the DC OU (or substructure within it).
 