Blocking Domain GPO Inheritance

  • Blocking Domain GPO Inheritance

    A while back I was asked to create a disclaimer policy which all users would have to accept before being able to log into Windows. I did this by enabling the “Interactive Logon” security setting in our default domain GPO. This applied the policy to everything.

    This has worked a treat, but now I need some help figuring out how I can remove the policy from a few service accounts. The service accounts are set to automatically log on and run certain scripts, but they now don’t log on until someone clicks OK on the disclaimer.

    Is there any way to block the policy from being applied to certain OUs when the setting is set at domain level?

    I have the “Block Inheritance” setting checked on the OU, but it’s still being applied.

    So in summary, I need the disclaimer to be applied to all users & computers in the domain except 2 user service accounts which log onto 2 specific servers.

    Is there an easy way to achieve this without having to apply the disclaimer to each OU?

  • #2
    Re: Blocking Domain GPO Inheritance

    This policy applies to computers, not users, so you can't exclude service accounts.

    Keep in mind that you'll have no logs indicating whether or not a user accepted the policy - they could easily claim that the message never appeared and you would not be able to prove them wrong. As such, this "policy" would not be binding.

    What I would suggest instead is a reference to your policy in the pre-login message, coupled with an app that runs at login requiring the user to accept your policy. If they decline, they are logged out and the shell doesn't appear until they have accepted. Additionally, the app would need to log username and timestamp for acceptance.

    Even then, this may still not be binding. Consult your company's legal department / legal advisors for guidance.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    • #3
      Re: Blocking Domain GPO Inheritance

      One option instead of setting it to run on everything and excluding the service account would be to do it via a security group.

      Each GPO has a target, referred to as "Security Filtering". You could create a security group in AD that contains the "Domain Users" group and "Domain Computers" group (plus anything else you want).

      2008 actually has a targeting section in GPO too.

      As long as your service accounts aren't part of either of these groups then you'll be technically OK, I'll stay out of any possible legal implications already raised!
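
      Editor's worked example (added here, not code from anyone in the thread). Two practical points shape it: the "Interactive logon: Message text/title" settings live under Computer Configuration, so as #2 says the exemption has to be granted to the two server computer accounts rather than to the user accounts; and "Block Inheritance" on an OU does not stop a link that is marked Enforced, which is a common reason it appears to have no effect. The script below takes the security-filtering route from #3 but inverts it: the banner is moved out of the Default Domain Policy into its own domain-linked GPO, Authenticated Users keeps Read and Apply so every other machine still gets it, and a security group holding the two servers is given a Deny on "Apply Group Policy". The GPO name, group name and server names are placeholders; it assumes the RSAT GroupPolicy and ActiveDirectory modules and rights to edit GPOs.

```powershell
# Added example, not from the original thread. Assumes RSAT (GroupPolicy and
# ActiveDirectory modules) and Group Policy edit rights. All names below are
# hypothetical placeholders chosen for this illustration.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Legal Notice Banner'        # hypothetical GPO name
$ExemptGrp = 'GPO-LegalNotice-Exempt'     # hypothetical group of exempt computers
$Servers   = 'SRV-JOB01', 'SRV-JOB02'     # hypothetical server computer accounts
$Domain    = Get-ADDomain

# 1. Put the banner in its own GPO linked at the domain root, so it can be
#    security-filtered without touching the Default Domain Policy.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Interactive logon disclaimer'
    New-GPLink -Name $GpoName -Target $Domain.DistinguishedName -LinkEnabled Yes | Out-Null
}

# These registry values are what the two "Interactive logon: Message title/text
# for users attempting to log on" settings write on the client.
$key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'legalnoticecaption' `
    -Type String -Value 'Authorised use only' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'legalnoticetext' `
    -Type String -Value 'By logging on you accept the acceptable use policy.' | Out-Null

# 2. Security group containing the COMPUTER accounts that must not get the banner.
if (-not (Get-ADGroup -Filter "Name -eq '$ExemptGrp'")) {
    New-ADGroup -Name $ExemptGrp -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Computers exempt from the logon banner GPO'
}
foreach ($s in $Servers) {
    Add-ADGroupMember -Identity $ExemptGrp -Members (Get-ADComputer -Identity $s)
}

# 3. Deny "Apply Group Policy" to that group. Set-GPPermission cannot write Deny
#    ACEs, so add the ACE on the GPO's groupPolicyContainer object directly.
$gpoDn     = "CN={$($gpo.Id)},CN=Policies,CN=System,$($Domain.DistinguishedName)"
$applyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right
$sid       = (Get-ADGroup -Identity $ExemptGrp).SID
$acl       = Get-Acl -Path "AD:\$gpoDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# 4. Verify: Authenticated Users should still show GpoApply, and the exempt group
#    should show Denied = True for GpoApply.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission, Denied
```

      After a `gpupdate /force` on one of the exempt servers, `gpresult /r /scope computer` should list the banner GPO under "filtered out" with the reason "Denied (Security)", while any other machine still shows it as applied. Because the ACL was edited outside GPMC, the console may warn that the SYSVOL permissions are out of sync with the AD object; accepting its offer to repair them is safe and does not remove the Deny entry. Note that once the banner is no longer set in the Default Domain Policy (step 1 moves it, but does not clear the old setting), the setting there should be set back to Not Defined, otherwise the two GPOs will both write the value.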