The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy. The Archives for this list can be found on this page.

 

List Posts

Subject: [gptalk] best practice for exception policies

rpo8373 (Posts: 58)
12/16/2010 12:50 AM
hi all,

we have a gpo linked to our desktops ou that prevents the proxy server field
being modified or disabled in ie.

we've had a legitimate request to have a single computer excepted from this.
i was curious if there's a best practice surrounding this type of scenario.
i can think of two ways to achieve this:


- create a child ou, move the computer object into this ou, create a new
gpo with no settings except the applicable setting to allow disabling the
proxy and link this gpo to the new child ou with a precedence of 1.
- rather than create a new ou, create a new gpo as described above, but
link it to the existing desktops ou with a precedence of 1 and use security
filtering to apply it to the single computer only.

has anyone got any better ideas and/or which of the following is more
suitable?

daniel.

dmarelia (Posts: 441)
12/16/2010 1:11 AM
If that GPO that delivers the proxy restrictions contains other settings that the one computer still needs, then this may not work, but one approach is to simply put a Deny "Apply Group Policy" ACE on that GPO for the computer account (or better yet a group that contains the computer). If that won't work, then your 2nd approach below of creating a new GPO that undoes the setting and is targeted at a single computer (or group) is the way I would go.

Darren

________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of daniel [xxxxxxxxxxxxxxxx]
Sent: Wednesday, December 15, 2010 2:51 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] best practice for exception policies

hi all,

we have a gpo linked to our desktops ou that prevents the proxy server field being modified or disabled in ie.

we've had a legitimate request to have a single computer excepted from this. i was curious if there's a best practice surrounding this type of scenario. i can think of two ways to achieve this:


* create a child ou, move the computer object into this ou, create a new gpo with no settings except the applicable setting to allow disabling the proxy and link this gpo to the new child ou with a precedence of 1.
* rather than create a new ou, create a new gpo as described above, but link it to the existing desktops ou with a precedence of 1 and use security filtering to apply it to the single computer only.

has anyone got any better ideas and/or which of the following is more suitable?

daniel.
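
The second option from the question (a security-filtered exception GPO linked at the same OU), which the reply above recommends when a Deny ACE is not suitable, sketched in PowerShell as an added example that is not part of the thread. The GPO, group, computer and OU names are placeholders, the GroupPolicy and ActiveDirectory RSAT modules are assumed to be installed, and the proxy setting itself still has to be configured in the new GPO with the Group Policy editor.

```powershell
# Added example. Every name below is a hypothetical placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$GpoName   = 'IE Proxy Exception'             # hypothetical GPO name
$GroupName = 'GPO-ProxyException-Computers'   # hypothetical security group
$Computer  = 'DESKTOP-EXAMPLE01'              # hypothetical computer account
$TargetOu  = 'OU=Desktops,DC=example,DC=com'  # hypothetical OU distinguished name

# 1. Put the excepted computer in a group, so later exceptions are a
#    membership change and not another ACL edit on the GPO.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $Computer)

# 2. Create the (still empty) exception GPO.
New-GPO -Name $GpoName -Comment 'Allows proxy changes for approved computers only'

# 3. Security filtering: only the exception group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

#    Downgrade Authenticated Users from Apply to Read. Keep Read: since the
#    MS16-072 update, a GPO that Authenticated Users (or Domain Computers)
#    cannot read is not processed.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Link at the existing OU with link order 1 so it wins over the
#    restricting GPO linked at the same level.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Order 1

# 5. Review the result: who can apply the GPO, and where it sits in the order.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Select-Object DisplayName, Order, Enabled
```

A computer picks up new group membership only after it restarts, so the exception does not apply until the excepted machine has rebooted and refreshed policy.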

TomMarantz (Posts: 13)
12/16/2010 1:11 AM
Unless I am misreading, use security filtering and deny that one
computer or user from getting that GPO





Copyright 2009 by GPOGUY.COM