[gptalk] Re: Default Domain Policy

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 29 Jan 2007 10:06:19 -0800


If the Default Domain Policy is enforced, that's going to prevent you from
having another GPO, linked higher at the domain level, from having an
effect. I think your best bet is to use security group filtering to deny
Apply Group Policy to the group containing your special computers, and then
adding a  new GPO that is a copy of the Default Domain Policy with an allow
for that special group. At that point, you could link it closer to the
machines instead of having to link it at the domain level.




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tappmeyer, Stephen [GCG-NAOT]
Sent: Monday, January 29, 2007 9:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Domain Policy


In my default domain policy, I have defined an "Interactive logon: Message
text for users attempting to log on" and an "Interactive logon: Message
title for users attempting to log on".


This is working correctly, but I have been asked to provide an exception for
a few workstations to allow for an auto logon to those workstations with a
specific account. (Currently the message must be acknowledged.)


I believe that since this is the default domain that is enforced, I cannot
provided an exception unless I link another GPO to the root and ensure that
the link order lists this new GPO above the default domain policy.
(Security Filtering would be to a specific group to which machine accounts
would be added for the exception.)


What is the impact of adding this exception to after the Default Domain?


Are there any other options?







Other related posts: