LKBEN11385: Windows 2003 GPO cannot be disabled for Domain-Admins
LKB | Created: 07/09/2020 | Version: 0 | Language: EN | Rating: 0 | Outdated: False | Marked for deletion: False
Author: Wim Peeters - Keskon GmbH & Co. KG
Symptom
GPO is applied to Domain-Admins although configured with "no access"
Cause
Computer account is member of "Authenticated Users"
Solution
If security filtering causes a GPO to be applied (or not applied) contrary to what was expected, check the group membership of the computer and user accounts with the "Active Directory Users and Computers" snap-in.
To limit a GPO with security filtering, make sure to remove the "Authenticated Users" group; otherwise the user portion will be applied to all users in any case.
The reason for this behavior lies in the computer account, which also belongs to the "Authenticated Users" Group.
To apply a group policy to certain computers only, define an Active Directory security group, make the computer account(s) a member of it, and assign this group to the security filtering on the Scope tab of the Group Policy Management Console (GPMC).
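
The same check and change can be scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original article; the GPO name, group name, OU path and computer accounts are hypothetical placeholders.

```powershell
# Added example: audit and tighten the security filtering of one GPO.
# All names below are hypothetical placeholders; replace them with your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Workstation-Lockdown'            # hypothetical GPO
$GroupName = 'GPO-Workstation-Lockdown-Apply'  # hypothetical security group
$GroupPath = 'OU=Groups,DC=example,DC=com'     # hypothetical OU
$Computers = 'PC01$', 'PC02$'                  # hypothetical computer accounts (sAMAccountName)

function Get-GpoApplyTrustee {
    # Lists every trustee holding "Apply group policy" on the GPO,
    # i.e. what GPMC shows under Security Filtering.
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission, Denied
}

# 1. Before: "Authenticated Users" in this list means every user AND every
#    computer account in the domain is in scope of the GPO.
Get-GpoApplyTrustee -Name $GpoName

# 2. Create the filtering group if it does not exist, then add the computers.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global `
                -GroupCategory Security -Path $GroupPath
}
Add-ADGroupMember -Identity $GroupName -Members $Computers

# 3. Give the new group Apply rights on the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
                 -TargetType Group -PermissionLevel GpoApply

# 4. Remove "Authenticated Users" from the GPO, as the article describes.
#    Note (not from the article): on systems patched with MS16-072, user
#    settings are read in the computer's context, so use GpoRead instead of
#    None here if the GPO carries user settings.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel None -Replace

# 5. After: only the dedicated group should remain in the list.
Get-GpoApplyTrustee -Name $GpoName
```

A computer picks up its new group membership only after a restart, so run `gpresult /r` on the target machine after rebooting to confirm the GPO is applied.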
About the Author
Wim Peeters is an electronics engineer with an additional master's degree in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux in different European countries and different European languages. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform, where he is one of the most important contributors and the main developer.