Advertisement
I’m running Server 2003.<\/p>\n
In active directory, I have a GPO that is Enforced for the entire Domain, but I have a particular machine that needs a setting that contradicts that original GPO. Can I enforce the lower level GPO and have it take precedence over the domain-level-also-enforced GPO?<\/p>\n
Or would that create a rift in the space-time continuum which would destroy the universe? Or maybe just that machine at the least.<\/p>\n
Matt<\/p>","upvoteCount":5,"answerCount":6,"datePublished":"2010-07-23T13:46:13.000Z","author":{"@type":"Person","name":"mace7616","url":"https://community.spiceworks.com/u/mace7616"},"acceptedAnswer":{"@type":"Answer","text":"
Or you can apply a GPO to the OU the computer resides, filter it so it only applies to this machine, make your preferences and enforce this GPO, too.<\/p>\n
This should override the domainsettings because of the order GPOs are processed, unless your are setting password preferences in a w2k3 domain.<\/p>","upvoteCount":0,"datePublished":"2010-07-26T02:50:38.000Z","url":"https://community.spiceworks.com/t/group-policy-enforced-below-enforced/57222/4","author":{"@type":"Person","name":"thomas1074","url":"https://community.spiceworks.com/u/thomas1074"}},"suggestedAnswer":[{"@type":"Answer","text":"
I’m running Server 2003.<\/p>\n
In active directory, I have a GPO that is Enforced for the entire Domain, but I have a particular machine that needs a setting that contradicts that original GPO. Can I enforce the lower level GPO and have it take precedence over the domain-level-also-enforced GPO?<\/p>\n
Or would that create a rift in the space-time continuum which would destroy the universe? Or maybe just that machine at the least.<\/p>\n
Matt<\/p>","upvoteCount":5,"datePublished":"2010-07-23T13:46:13.000Z","url":"https://community.spiceworks.com/t/group-policy-enforced-below-enforced/57222/1","author":{"@type":"Person","name":"mace7616","url":"https://community.spiceworks.com/u/mace7616"}},{"@type":"Answer","text":"
Create OU for the “one” workstation. Move the workstion to the OU. Apply policies as needed. Done!<\/p>","upvoteCount":0,"datePublished":"2010-07-23T13:57:40.000Z","url":"https://community.spiceworks.com/t/group-policy-enforced-below-enforced/57222/2","author":{"@type":"Person","name":"smusser","url":"https://community.spiceworks.com/u/smusser"}},{"@type":"Answer","text":"
+1 for Steve. It is possible to create an OU within and filter out the global one by various means, blocking inheritance etc but this is the simplest way to do what you want.<\/p>","upvoteCount":0,"datePublished":"2010-07-26T01:13:32.000Z","url":"https://community.spiceworks.com/t/group-policy-enforced-below-enforced/57222/3","author":{"@type":"Person","name":"Briser-fae-the-broch","url":"https://community.spiceworks.com/u/Briser-fae-the-broch"}},{"@type":"Answer","text":"
Just remember that deny always takes precedence over allow. So if your policies have any overlapping settings it is best to apply them by segregating the objects into separate OU’s.<\/p>","upvoteCount":0,"datePublished":"2010-07-26T05:12:50.000Z","url":"https://community.spiceworks.com/t/group-policy-enforced-below-enforced/57222/5","author":{"@type":"Person","name":"smusser","url":"https://community.spiceworks.com/u/smusser"}},{"@type":"Answer","text":"
Plus having seperate OU’s for special policies makes it much easier to manage than trying to track down a policy that is being filtered on just 1 PC.<\/p>","upvoteCount":0,"datePublished":"2010-07-26T05:18:32.000Z","url":"https://community.spiceworks.com/t/group-policy-enforced-below-enforced/57222/6","author":{"@type":"Person","name":"Nick-C","url":"https://community.spiceworks.com/u/Nick-C"}}]}}