Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Preventing Group Policy from applying to certain OUs?

  • 08-06-2006 1:53pm
    #1
    Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭


    OK, probably another simple one. Brain not fully engaged today.

    I have all my user accounts under one OU, and a group policy applied which (apart from other things) runs a logon script.

    My Workstations are all in one OU, and Servers are in another OU. I want to set it up so that when I log into a workstation, the script runs, but when I log into a server, it doesn't. One particular part of the script runs an auditing tool, which I don't want to run on the servers. But of more concern are my plans down the line to add more logon scripts for all users.

    There is no group policy object applied directly to the servers or workstations - machine settings are inherited from the Default Domain Policy.

    Any ideas, or is this something I'll have to implement in the script - i.e. check what machine it's running on, and terminate itself if it's running on a server?

    Thanks guys.


Comments

  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Don't use the Default domain policy. Create a new GP and apply it to the workstations OU. Make it inherit from the Default GP if you want, but only change the settings you need to (Computer Startup scripts)


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    The problem is that many of the scripts are user-linked. I could add the auditing tool in the startup script for workstations, but that doesn't stop the problem that logon scripts will still run for everyone in the Users OU.

    Applying a GP to the workstations OU will only allow me to set things for Machine Configuration. User Configuration items don't get applied when the GP is applied to a machine.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Ah, now that's a dilemma...
    I'd go with implementing it in the scripts, as I don't know of any way for it to work the way you want it to...


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    I use %username% a lot in logon scripts
    can OU use it too ?

    or have a stub that calls %username%.bat
    if you don't use kix you can look at ifmember - you can do stuff based on which group they belong to too.

    if you aren't using the gpmc.msi get it Group Policy Management Console
    it can manage a 2K server from XP even if you can't run it on the 2K server.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

    or the old hack

    VER | Find "Server"
    if errorlevel ....


Advertisement