Security Group Override

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

How do I accomplished this:

--Employees = GPO # 1
|
|--Retail = GPO # 2

--IT
|
|--Group Policy (A security group called GPO Override is placed in this OU)

What I want to do is be able to take a Domain User in the "Retail" OU that is getting effected by GPO#1 and GPO#2 and "temporarily" make them a member of a security group called "GPO Override" where they will not be effected by any GPO's so I may install "profile specific software packages". Once I am complete, I take the user back out of "GPO Override" and they be effected by GPO1 and GPO2 as usual. I feel this is cleaner than moving the entire user to the USERS (default ad group) everytime I want to do this because some admins forget to put them back.

I'm pretty sure it is a security setting on the Security Group. I am using GPMC for Windows 2003 for GPO Management. Please advise....

Greg Williams
 
Hi Greg-

To do this, you could give a Deny Read ACE for the GPO Override group on the
Properties->Security of the policies. One way to get to that GUI would be:

1) Go to the Properties of the Employees OU, then click on the Group Policy
folder tab so it is in front.

2) Then select the group policy you want to prevent them using and click the
Properties button.

3) In the GPO's Properties go to the Security folder tab.

4) Add the Deny Read (or Deny Apply Group Policy) for the GPO Override
security group.

5) Repeat the above for the other policy.

6) To rescind this, remove the user's from the GPO Override security group.

Please repost if this doesn't fit your needs.

--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Greg Williams said:
How do I accomplished this:

--Employees = GPO # 1
|
|--Retail = GPO # 2

--IT
|
|--Group Policy (A security group called GPO Override is placed in this OU)

What I want to do is be able to take a Domain User in the "Retail" OU that
is getting effected by GPO#1 and GPO#2 and "temporarily" make them a member
of a security group called "GPO Override" where they will not be effected by
any GPO's so I may install "profile specific software packages". Once I am
complete, I take the user back out of "GPO Override" and they be effected by
GPO1 and GPO2 as usual. I feel this is cleaner than moving the entire user
to the USERS (default ad group) everytime I want to do this because some
admins forget to put them back.
I'm pretty sure it is a security setting on the Security Group. I am
using GPMC for Windows 2003 for GPO Management. Please advise....
 
Back
Top