How to prevent a logon script applied to the entire domain by Group Policy from affecting one particular computer OU

group-policy

We have a logon script applied to the entire domain, mapping drives when users log on.

For one particular computer OU, I would like to prevent this GPO from being applied.

I thought that using Group Policy loopback processing might be able to do this, but I am not sure how to do this for drive mapping (and my tests with both "merge" and "replace" loopback processing have been unsuccessful).

Can anyone point me in the right direction?

Best Answer

To prevent a GPO linked to the domain from applying to an OU, you use Block Inheritance on that OU by right-clicking the OU and choosing Block Inheritance.

This also blocks inheritance of all other GPOs that would normally be inherited by that OU unless they're Enforced. If you need to avoid that, then what I would do is use the settings in the Delegation tab of that Group Policy object and specifically deny a user or group the ability to read/apply that GPO.

Use Group Policy Management Console
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the console tree on the left, expand Forest.
3. Expand Domains.
4. Expand Domain Name.
5. Expand Group Policy Objects.
6. Click the Group Policy object that you do not want to apply to [some group].
7. In the display pane on the right, click the Delegation tab.
8. Click the Advanced button in the lower-right corner of the display pane.
9. Click Add, and then type the account name that you do not want the Group Policy object to apply to.
10. Click OK.

Note: Group Policy objects contain settings that apply to computer objects and to user objects. If you want only to restrict user settings from applying, add only the user account that you do not want the policy settings to apply to. If you want only to restrict computer settings from applying, add only the computer account that you do not want the policy settings to apply to. To add computer accounts, you have to click the Object Types button, and then click to select the Computers check box.

11. Make sure that the newly added account is selected in the Group or user names window. Then, scroll down in the Permissions window, and click to select the Deny check box for the Apply group policy permission.
12. Click OK.
13. Click Yes at the Windows Security prompt.

This method implies that you manage a separate security group for people you do not want that drive mapping policy applied to.
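As an added PowerShell example (not part of the answer above), this applies the same Deny on the GPO's Active Directory object for a security group and then verifies it; the GPO name, the group name, and the use of the GroupPolicy and ActiveDirectory modules (with its AD:\ drive) are assumptions.

```powershell
# Added example, not from the original answer: deny "Apply Group Policy" on a
# domain-linked GPO for one security group, then verify the resulting ACE.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Domain Drive Mapping'    # assumed: name of the logon-script GPO
$groupName = 'GPO-Deny-DriveMapping'   # assumed: group containing the exempt computer accounts

# The GPO's permissions live on its container under CN=Policies,CN=System.
$gpo    = Get-GPO -Name $gpoName -ErrorAction Stop
$domain = (Get-ADDomain).DistinguishedName
$gpoDn  = "CN={$($gpo.Id)},CN=Policies,CN=System,$domain"

# Well-known extended-right GUID of Apply-Group-Policy in the AD schema.
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$sid = (Get-ADGroup -Identity $groupName -ErrorAction Stop).SID

# Build a Deny ACE for that single extended right, scoped to the group.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$gpoDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# Verify: the group should be listed with Permission GpoApply and Denied = True.
# Deny wins over any Allow the computer receives through Authenticated Users.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Denied } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

Because this edits only the AD side, GPMC will report that the GPO's SYSVOL permissions are out of sync the next time it is opened and offers to correct them. Computer accounts pick up new group membership only after a reboot, so reboot an exempt machine before confirming with gpresult /scope:computer /r that the GPO is filtered out by security.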