Exclude Specific User/Computer/Group from Group Policy Computer Configuration

Discussion in 'Software' started by BB88, May 30, 2012.

  1. BB88

    BB88 Kilobyte Poster Gold Member

    383
    13
    76
    Hello,
    I am trying to exclude a user/comptuer/group from the Default Group Policy Computer Configuration on Windows Server 2008 Standard.

    I have added the user under Delegation >> Advanced >> Apply group policy: Deny
    But the setting that I have in the Default Group Policy Computer Configration is still being applied (even after restart or gpupdate /force)

    Can anyone shed any light?

    Ta
     
    Certifications: CompTIA A+, CompTIA Network+, MCSA: Office 365,, 70-410, 70-680
    WIP: CompTIA: Security+
  2. kevicho

    kevicho Gigabyte Poster

    1,219
    58
    116
    Im pretty sure you will need to block the computer rather than user in this case as its a computer policy, is this a loopback policy you are using?
     
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal
  3. kevicho

    kevicho Gigabyte Poster

    1,219
    58
    116
    The other possibility is that this setting has been "tattooed" in which case recreating the users local profile should do the trick
     
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal
  4. BB88

    BB88 Kilobyte Poster Gold Member

    383
    13
    76
    Cheers kevicho, I will give the Computer instead of User a try.

    What I have also tried is not using the Default Policy, but using two different policies for two different OU's.

    I have created a testing bay, Server 2008 and Windows 7 with a AD an DNS. The 7 is connected to the Domain. I have a user under Students with its own policy, and the setting is applied (its applied from Computer Configuration) I have a user under Admins with its own policy with the opposite setting to the Students policy, and the Admin account still seems to have the Student Policy setting enabled?
     
    Certifications: CompTIA A+, CompTIA Network+, MCSA: Office 365,, 70-410, 70-680
    WIP: CompTIA: Security+
  5. BB88

    BB88 Kilobyte Poster Gold Member

    383
    13
    76
    The setting in question is Windows Firewall... basically we want to disable Network Discovery for Students. If they type \\ and let it populate, whether that be in Word, Notepad or Explorer, it will show a list of all the servers on the network. If we block Network Discovery through the firewall on the machine then it is disabled, this is what we want!

    The setting I am enabling in Student is Computer Configuration >> Policies >> Administrative Templates >> All Settings >> Windows Firewall: Protect all network connections set to Enabled (on Domain Profile)

    The setting I am enabling in Admins is Computer Configuration >> Policies >> Administrative Templates >> All Settings >> Windows Firewall: Protect all network connections set to Disabled (on Domain Profile)

    From there Students Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Windows Firewall with Advanced Security Windows Firewall is On (Domain Profile) and Inbound: Blocked and Outbound: Enabled

    From there Admins Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Windows Firewall with Advanced Security Windows Firewall is Off (Domain Profile)

    I am then adding an Inbound Rule for Students Policy blocking Inbound/Outbound for Network Discovery under Domain...

    Hope this makes sense!
     
    Certifications: CompTIA A+, CompTIA Network+, MCSA: Office 365,, 70-410, 70-680
    WIP: CompTIA: Security+

Share This Page

Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.