Announcement

Collapse
No announcement yet.

W2K3: How to block a SINGLE group policy setting for one computer?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • W2K3: How to block a SINGLE group policy setting for one computer?

    We have a Windows 2003 native domain, and I need to exclude a single PC (or the user of that PC if this is not possible) from inheriting the proxy server settings from group policy. As far as I am aware these are only kept within the GPO in this path: User configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy settings`. This IP of the proxy is set within the default domain policy. I want the lower OU linked to a new policy to inherit all the settings except this one i.e. I do not want to block inheritance. The problem is that this policy is enabled or not-enabled, and there is no way to DIS-able it. I can apply a lower policy, but my only choice is to tick the box and put a different proxy in, or leave it unticked so it will continue to inherit the domain level proxy settings; and both of these are useless to me. How can I achieve this? Thanks.

  • #2
    Re: W2K3: How to block a SINGLE group policy setting for one computer?

    Security settings to deny the GPO to the computer

    You should have an option to enforce "no proxy" though....
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: W2K3: How to block a SINGLE group policy setting for one computer?

      Originally posted by Ossian View Post
      Security settings to deny the GPO to the computer

      You should have an option to enforce "no proxy" though....
      Unfortunately this setting does not exist. There is only a tick box to enable the proxy. I do not want to deny the default domain policy, just this one setting. Any ideas how that can be done?

      Comment


      • #4
        Re: W2K3: How to block a SINGLE group policy setting for one computer?

        Create a separate policy (at domain level) only for the proxy, then deny that.... simples
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: W2K3: How to block a SINGLE group policy setting for one computer?

          Originally posted by Ossian View Post
          Create a separate policy (at domain level) only for the proxy, then deny that.... simples
          Unfortunately I can't do that. There is one domain policy and all other GPOs are attached to lower level OUs. Also, this is only for one user / PC. Thanks for trying anyway.

          Comment


          • #6
            Re: W2K3: How to block a SINGLE group policy setting for one computer?

            http://www.experts-exchange.com/OS/M..._23215231.html

            Try a new GPO somewhere close to the user and set it up as per the last post in the link
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: W2K3: How to block a SINGLE group policy setting for one computer?

              Have a look into group policy filtering using GPMC , test it first in a lab before on live server.

              here is a guide similar to what ur after, it should guide u in the right direction.

              http://www.windowsitpro.com/article/...ing-gpmc-.aspx
              Please remember to award reputation points if you have received good advice.
              I do tend to think 'outside the box' so others may not always share the same views.

              MCITP -W7,
              MCSA+Messaging, CCENT, ICND2 slowly getting around to.

              Comment


              • #8
                Re: W2K3: How to block a SINGLE group policy setting for one computer?

                Originally posted by feeble View Post
                Unfortunately I can't do that. There is one domain policy and all other GPOs are attached to lower level OUs. Also, this is only for one user / PC. Thanks for trying anyway.
                Separate them then. You don't have to only have one domain level policy. Remove the proxy settings from your existing domain level policy (but leave the rest of the policy in tact) and then create a new GPO with these proxy settings in and link that to the domain level along with your existing domain level GPO. Then in the security settings for this proxy setting GPO you simply set it to deny Read/Apply GPO permission for the one user you mentioned.
                Software for IT Pros that I've written: http://www.cjwdev.co.uk/Software.html

                My blog: http://cjwdev.wordpress.com

                Comment


                • #9
                  Re: W2K3: How to block a SINGLE group policy setting for one computer?

                  How about

                  Creat a new OU
                  Place User or Computer object in that OU
                  Block Group Policy inheritance for that OU

                  Manually Link the policies that you desire to that OU
                  Do no Link the policy that you do not want for that OU


                  Hopefully that made sense.

                  Good Luck!

                  Comment

                  Working...
                  X