LKBEN11385: Windows 2003 GPO cannot be disabled for Domain-Admins

This article has not been checked!

LKB | Created: 07/09/2020 | Version: 0 | Language: EN | Rating: 0 | Outdated: False | Marked for deletion: False

Author: Wim Peeters - Keskon GmbH & Co. KG

Symptom

GPO is applied to Domain-Admins although configured with "no access"

Cause

Computer account is member of "Authenticated Users"

Solution

If a GPO will be applied/not applied through security filtering, although the opposite was expected, check membership of computer- and user accounts with "Active Directory users and computers" Snap-in.

In order to limit a GPO with security filtering, make sure to remove "Athenticated Users" Group - otherwise the users-portion will be applied to all users in any case.

The reason for this behavior lies in the computer account, which also belongs to the "Authenticated Users" Group.

In order to apply a group policy to certain computers, define an Active Directory security group, make the computer account(s) a member and assign this group to the security filtering in the scope tab of the group policy management console (gpmc).

About the Author

Wim Peeters is electronics engineer with an additional master in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform.

Disclaimer:

The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!