GPO for all users exclude one user
  • GPO for all users exclude one user

    Hi, I have a GPO setup on a Windows 2008 SBS. What I want to accomplish is to exclude just one user from the GPO. It's a login script that runs when users log into their computers. The script maps 3 drives. I only want to exclude this one user so they do not get the login script and thus do not get the 3 mapped drives.

    I have been able to look at Group Policy Management. I see the Default Domain Policy and when I click on the Settings tab, I see the logon.bat file used to map the 3 drives.
    How do I exclude the one user from this policy?

    Thanks

  • #2
    Re: GPO for all users exclude one user

    Originally posted by theel1997
    Hi, I have a GPO setup on a Windows 2008 SBS. What I want to accomplish is to exclude just one user from the GPO. It's a login script that runs when users log into their computers. The script maps 3 drives. I only want to exclude this one user so they do not get the login script and thus do not get the 3 mapped drives.

    I have been able to look at Group Policy Management. I see the Default Domain Policy and when I click on the Settings tab, I see the logon.bat file used to map the 3 drives.
    How do I exclude the one user from this policy?

    Thanks
    You could use security filtering on the GPO but that will stop the user from getting ALL settings in the GPO.

    http://technet.microsoft.com/en-us/l...(v=WS.10).aspx


    • #3
      Re: GPO for all users exclude one user

      Would a specifically configured LogonScript on the AD Object properties of the user override the default domain policy?


      Could you put a CASE in the script? I.e. case user=joe; don't do this; else do this?
      (Really, really bad format, but I know it can be done.)
      Please do show your appreciation to those who assist you by leaving Rep Point


      • #4
        Re: GPO for all users exclude one user

        Why not use multiple GPOs -- put the scripts (only) in one and security filter it, everything else in another without filtering
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **


        • #5
          Re: GPO for all users exclude one user

          +1 for the separate policies. Don't be afraid of making too many as long as there is a method to them.

          Strip your logon script out to its own policy. Create a security group called "Deny - <GPO_Name>" or something similar, then use security filtering ("Delegation" tab) on the GPO to deny "read" and "apply" to the group.

          Link it and scope it where you want it (i.e. Domain and Authenticated Users). Then you can simply plunk people into the new security group to block the GPO.
          Last edited by userPrincipalName; 28th June 2013, 15:58.
          Rules of life:
          1. Never do anything that requires thinking after 2:30 PM
          2. Simplicity is godliness
          3. Scale with extreme prejudice


          I occasionally post using a savantphone, so please don't laugh too hard at the typos...


          • #6
            Re: GPO for all users exclude one user

            Thanks for all the suggestions. I wanted to report back that I initially tried to use Security Filtering to exclude the one user, but that wasn't working.
            So I then created an additional GPO, put the logon.bat script in that GPO and just added the group that I wanted to apply to that GPO, so I excluded that one user. Works great.
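
One way to script the approach reported in #6 (a dedicated logon-script GPO scoped by security filtering) and then verify the filtering, as an added example that is not part of any post in this thread. It assumes a management host with the GroupPolicy PowerShell module (RSAT); the GPO name, group name and domain DN are hypothetical placeholders, and the group is assumed to already exist and contain everyone except the excluded user.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy module (RSAT) is installed.
# On Windows Server 2008 R2 the permission cmdlets are named Get-GPPermissions / Set-GPPermissions.
Import-Module GroupPolicy

$GpoName    = 'Logon Script - Drive Maps'   # hypothetical GPO name
$ApplyGroup = 'GPO-Apply-DriveMaps'         # hypothetical existing group (everyone except the excluded user)
$LinkTarget = 'DC=example,DC=local'         # placeholder domain DN

# 1. Create the dedicated GPO if it does not exist yet. logon.bat is added afterwards in the
#    GPMC editor: User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Logon script only; scoped by security filtering'
}

# 2. Security filtering: Authenticated Users keep Read only (so the GPO can still be read
#    during processing), and only the group receives Read + Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Link the GPO at the chosen scope unless a link already exists there.
$linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes | Out-Null
}

# 4. Verify: list every trustee that can apply the GPO and flag an over-broad scope.
$appliers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

if ($appliers -contains 'Authenticated Users') {
    Write-Warning "'Authenticated Users' can still apply '$GpoName'; the exclusion will not take effect."
} elseif ($appliers -notcontains $ApplyGroup) {
    Write-Warning "'$ApplyGroup' lacks Apply on '$GpoName'; nobody will receive the logon script."
} else {
    Write-Output "Apply is limited to: $($appliers -join ', ')"
}
```

After the excluded user's next logon, `gpresult /r` run in that user's session should list the GPO among those not applied, with "Filtering: Denied (Security)".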
