[gptalk] Re: Group Policy and WMI question

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 28 Jan 2008 16:50:04 -0800


The other possibility is that the computer has not picked up its new group
membership. In fact, only a reboot will refresh the workstation's token with
the new group information.




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Williams
Sent: Monday, January 28, 2008 4:28 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy and WMI question


Appreciate the help. I started to work on this today.

I did as you followed and created a special group and dropped that
specific workstation into that group.
Under that GPO Security tab, I added that group and selected to DENY for
"Apply Group Policy".

However, doing a gpresult still shows that the policy is being applied.
I thought as well, that when you deny a policy, that is it.

The only other thing I can think of is that I do have a WMI filter on that
is set to only apply this particular policy to Windows XP machines, and the
machine I am trying to deny it to, is XP. That might be conflicting as I
think about it.

I appreciate the help.


On Jan 15, 2008 9:54 AM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:

The simple way is to use Security filtering.


Create a group called something like "No_Firewall_Policy_Machines", add the
workstation to that group and then on the GPO Security tab (delegation in
GPMC) you can Deny "Apply Group Policy" for that group.


You could turn around that method - so the policy would apply only to a
particular group with all of your domain computers except that particular
machine (in this case remember to remove the Authenticated Users group). But
in your case Deny-method might be easier.




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Williams
Sent: 15. januar 2008 18:40
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy and WMI question


I have a group policy for Windows XP Firewall that is set to all of our
desktop computers. I also put in a WMI filter that says to only apply this
policy to Windows XP machines and not Vista machines (was causing issues
when we did this.) 

Anyway, I have been given a request to see if it is possible to have one
specific computer that is running XP, excluded from this particular group
policy. Is this something I can do? Perhaps done through WMI or another
method? I just started to look into this, so I am open to any suggestions. 

I appreciate it.
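
Added example, not part of the original thread: a read-only PowerShell check of the two things the replies point at, namely whether the workstation is really in the deny group and whether the GPO carries a Deny ACE on "Apply Group Policy" for that group. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) are available; the GPO and computer names are hypothetical placeholders.

```powershell
# Added example: run from an admin workstation with RSAT installed.
Import-Module ActiveDirectory, GroupPolicy

$GpoName      = 'XP Firewall Policy'            # hypothetical GPO display name
$GroupName    = 'No_Firewall_Policy_Machines'   # group name suggested in the thread
$ComputerName = 'WORKSTATION01'                 # hypothetical excluded workstation

# objectType GUID of the "Apply Group Policy" extended right
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# 1. Is the computer account a direct or nested member of the deny group in AD?
$computer = Get-ADComputer -Identity $ComputerName
$group    = Get-ADGroup -Identity $GroupName
$isMember = [bool](Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.SID.Value -eq $computer.SID.Value })

# 2. Does the GPO object's ACL hold a Deny ACE for that group on the right?
$gpo = Get-GPO -Name $GpoName
$acl = Get-Acl -Path "AD:\$($gpo.Path)"
$sidType = [System.Security.Principal.SecurityIdentifier]
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$denyAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $ApplyGpoRight -and
    ($_.ActiveDirectoryRights -band $extRight) -and
    $_.IdentityReference.Translate($sidType).Value -eq $group.SID.Value
}

# 3. Summarise. Both values must be True for the exclusion to take effect,
#    and the workstation still has to pick up the new membership (see the
#    reply at the top of the thread) before gpresult reflects it.
[pscustomobject]@{
    Gpo               = $gpo.DisplayName
    Group             = $group.Name
    Computer          = $computer.Name
    ComputerInGroup   = $isMember
    DenyApplyAcePresent = [bool]$denyAce
    WmiFilter         = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
}
```

If both checks come back True and gpresult on the workstation still lists the GPO as applied, the remaining variable is the computer's own view of its group membership rather than the GPO configuration.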


