How to exclude a user from a Group Policy?
RMC
2006-07-14 16:25:02 UTC
I have applied an IP Security Policy in Computer Configuration for a certain
OU. The manager wants all the PCs in this department not to be able to
access the internet. The policy implemented allows intranet access but
restricts internet access. The policy works great, but I am stuck trying to
figure out how to exclude IT administrators from having the policy applied to
them if they log onto any of those PCs. Obviously we want to be able to
troubleshoot the PCs and not be restricted from browsing the internet. I've
tried adding our IT group in the security tab of the policy and then checking
the Deny "Apply Group Policy" and played with the restricted groups policy
as well. Neither has worked for me. Please advise.
one3cap
2006-07-15 01:21:01 UTC
One thing you can do is log on as a member of the IT group and run gpresult
to see if that GPO is getting filtered; you can even run RSoP. Restricted
Groups will just add a group or user to the local machine's
Administrators/Power Users group, etc.

I thought that if you apply a GPO to an OU with computers and configure
computer settings, it does not matter who logs on to that computer, even if you
deny Read/Apply GPO to a user or group. It is strictly on the computer.

But if you apply a GPO where there are user settings, then you can choose
Deny for a group or users, and then the users/group will filter out the GPO.

Even before a user logs on to a computer, the computer settings part of the
GPO is already applied, so how can you filter out a group or user?
The Authenticated Users group is users, groups, computers, etc.

If you want a computer settings OU to apply to only certain computers in the
one OU, then you could create a group of the computers you do not want the GPO
to apply to, add them to the ACL, and deny Read and Apply GPO.

This is just what I thought; am I right?
Post by RMC
I have applied an IP Security Policy in Computer Configuration for a certain
OU. The manager wants all the PCs in this department not to be able to
access the internet. The policy implemented allows intranet access but
restricts internet access. The policy works great, but I am stuck trying to
figure out how to exclude IT administrators from having the policy applied to
them if they log onto any of those PCs. Obviously we want to be able to
troubleshoot the PCs and not be restricted from browsing the internet. I've
tried adding our IT group in the security tab of the policy and then checking
the Deny "Apply Group Policy" and played with the restricted groups policy
as well. Neither has worked for me. Please advise.
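A simplified model of the security filtering discussed in this thread, added here as an example and not posted by either participant: the Computer Configuration half of a GPO is filtered against the computer account, the User Configuration half against the logged-on user. All account, group and GPO names are constructed, and loopback processing, WMI filters and link order are deliberately left out.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"
AUTH = "Authenticated Users"  # contains users AND computer accounts

@dataclass(frozen=True)
class Ace:
    trustee: str        # group or account the entry names
    right: str          # READ or APPLY
    allow: bool = True  # False means a Deny entry

@dataclass
class Gpo:
    name: str
    acl: list
    computer_settings: list = field(default_factory=list)
    user_settings: list = field(default_factory=list)

def passes_filter(gpo, token):
    """token = the principal plus its groups; an explicit Deny beats any Allow."""
    for right in (READ, APPLY):
        aces = [a for a in gpo.acl if a.right == right and a.trustee in token]
        if not aces or any(not a.allow for a in aces):
            return False
    return True

def resultant_settings(gpos, computer_token, user_token):
    applied = []
    for g in gpos:
        if passes_filter(g, computer_token):   # evaluated at boot, before any logon
            applied += [("computer", s) for s in g.computer_settings]
        if passes_filter(g, user_token):       # evaluated at logon
            applied += [("user", s) for s in g.user_settings]
    return applied

def ipsec_gpo(extra_aces=()):
    # Constructed GPO: default Authenticated Users filter plus optional Deny entries.
    return Gpo("Block Internet (IPsec)", [Ace(AUTH, READ), Ace(AUTH, APPLY), *extra_aces],
               computer_settings=["IPsec: block non-intranet traffic"])

def demo():
    pc = {"DEPT-PC01$", "Domain Computers", AUTH}         # constructed computer token
    admin = {"alice", "IT-Admins", "Domain Users", AUTH}  # constructed user token
    deny_it_users = ipsec_gpo([Ace("IT-Admins", APPLY, allow=False)])
    deny_exempt_pcs = ipsec_gpo([Ace("IPsec-Exempt-PCs", READ, allow=False),
                                 Ace("IPsec-Exempt-PCs", APPLY, allow=False)])
    return {
        # Deny on a user group: the computer-side IPsec setting still applies.
        "admin_on_dept_pc": resultant_settings([deny_it_users], pc, admin),
        # Deny on a group that contains the computer account: the setting is filtered out.
        "admin_on_exempt_pc": resultant_settings(
            [deny_exempt_pcs], pc | {"IPsec-Exempt-PCs"}, admin),
    }

if __name__ == "__main__":
    for case, settings in demo().items():
        print(case, "->", settings)
```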