
Prevent GPO's on computers in domain.



    I have an annoying problem.

    I want to prevent computers (Win 7 & Vista) joined to our domain from applying the group policies described on our domain controller.
    XP computers don't have this problem.


    We have 1 domain controller, 1 fileserver and 4 terminal servers. All of them are Windows Server 2008 R2. Most of our users use remote desktop to connect to the terminal server. A small part works on local computers with the necessary drives mapped.

    We have set various group policies. Drive mappings, internet explorer security, etc. The policies are applied based on membership of a specific security group in the active directory.
    There are lots of different drive mapping policies per office.


    The policies work fine on our terminal server.

    But whenever I join a Windows 7 or Vista computer to our domain, the policies are applied to this computer, thus setting the drive maps to our fileserver.

    So whenever a user works from home he/she cannot access his/her files because they are on the fileserver and cannot be reached from e.g. home. And, for example, the desktop on the terminal server and the local windows 7 computer are the same.

    Is there a way to prevent those drive mapping policies (and all the other GPOs) from running on local computers joined to our domain?

    Here's a screenshot of our GPO mmc. The policies are in the folder "Group Policy Objects" and are linked in our self-made OU "Terminal Servers"

    I wanted to add an image but I am not yet allowed to do so.

    Many thanks in advance.

  • #2
    Re: Prevent GPO's on computers in domain.

    Either create a separate OU for the Win7 computers, and make sure the group policy isn't applied to this OU

    Create a group called W7Computer and use WMI filtering to prevent this group from reading the relevant policies.

    Also - are drive maps under the computer, or user objects? That's the other thing to be aware of!
    Please do show your appreciation to those who assist you by leaving Rep Point
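
WMI filtering, suggested in the reply above, shown as an added example that is not part of the original thread: a WMI filter is a WQL query that the client computer evaluates during policy processing, and the GPO applies only if the query returns at least one object. The script assumes Windows PowerShell on the machine being checked; the filter names and the `Test-WmiFilter` helper are hypothetical.

```powershell
# Added example: evaluate candidate GPO WMI filter queries on the local machine
# before attaching them to a GPO in the GPMC.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.

# Hypothetical filter names; the Query string is what goes into the WMI filter.
$filters = @(
    @{ Name  = 'Servers only (skips Vista/Win7 workstations)'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType <> 1' },
    @{ Name  = 'Vista and Windows 7 workstations only'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 ' +
               'AND (Version LIKE "6.0%" OR Version LIKE "6.1%")' }
)

function Test-WmiFilter {
    # Returns $true when the query yields at least one object, which is the
    # condition under which a GPO carrying this filter would apply here.
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $result = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($result.Count -gt 0)
    }
    catch {
        # A malformed query never matches, so the GPO would not apply at all.
        Write-Warning "Query failed: $Query ($($_.Exception.Message))"
        return $false
    }
}

$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("Local OS: {0} (Version {1}, ProductType {2})" -f `
    $os.Caption, $os.Version, $os.ProductType)

foreach ($f in $filters) {
    $applies = Test-WmiFilter -Query $f.Query
    New-Object PSObject -Property @{
        Filter      = $f.Name
        GpoApplies  = $applies
        Query       = $f.Query
    } | Select-Object Filter, GpoApplies, Query
}
```

Run it once on a terminal server and once on a domain-joined workstation to compare the results; after linking a filter, `gpresult /r` on the client lists which GPOs were applied and which were filtered out.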


    • #3
      Re: Prevent GPO's on computers in domain.

      The drive maps policy is defined in the user configuration (windows settings - drive maps).

      If I add the computers to an OU and deny all group policies, won't the domain user logging on override this setting?

      I have never really used WMI filtering before. I'll take a look at it. Any tips where to start?

      So I create a new OU, add all the computers (have to use the computer name?) that are joined to the domain. Then use WMI filtering to prevent reading those policies.

      Then again, won't the user's policies override this setting?



      • #4
        Re: Prevent GPO's on computers in domain.

        See, here is your problem.

        The drive mapping section of the policy applies on a per-user configuration.
        So you'd need to deny the permission for the USER to that GPO, which means, when they're on a non-Windows 7 computer, they wouldn't get drives either.


        • #5
          Re: Prevent GPO's on computers in domain.

          If I'm correct you are talking about the OU with the win7 computers? That's where I deny the users drive mapping policies?