How To Prevent Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows Server 2003 (816100)



The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition

For a Microsoft Windows 2000 version of this article, see 315675.

SUMMARY

This step-by-step article describes how to keep domain group policies from also applying to administrator accounts, selected users, or both. Windows Server 2003 uses group policies to control operating system behavior and security settings for users and computers in a Windows network, and group policies can be applied to either users or computers, or both, at the site, domain, or organizational unit level.


Prevent Group Policies from Applying to Administrator Accounts

Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, but you may not want those policy settings to also apply to administrator accounts or other specific users or groups. The following procedure can prevent Group Policy from applying to administrative accounts (or any other group or user account you specify) by editing the Access Control List (ACL) for the policy:
  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left console tree, right-click the name of the domain where the policy is applied, and then click Properties.
  3. Click the Group Policy tab.
  4. Click the group policy object that you do not want to apply to administrators. By default, the only policy that is listed in the window is the Default Domain Policy.
  5. Click Properties, and then click the Security tab. If the group or user to whom you do not want the policy to apply does not appear in the list, use the following procedure:
    1. Click Add.
    2. Click the domain where the account resides.
    3. Find the account, and then click it in the list.
    4. Click OK.
    Continue with the remaining steps.
  6. Click the administrators group (or other group or user) that you do not want the policy to apply to.
  7. In the Permissions window, click to select the Deny check box for the Apply Group Policy permission. This prevents the group policy object from being accessed and applied to the selected group or user account.
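
What step 7 leaves in the policy's ACL can be checked from the security descriptor. The following is an added Python example, not part of the original article: it parses a GPO security descriptor in SDDL form and reports whether Apply Group Policy is allowed or denied for a set of group memberships. The SDDL string is constructed, the function names are hypothetical, and only the Apply Group Policy right is evaluated (the Read permission is not).

```python
import re

# rightsGuid of the "Apply Group Policy" extended right in Active Directory
APPLY_GP = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000

# Constructed sample: a GPO DACL as it might look after step 7 set Deny
# for Domain Admins (DA); AU is Authenticated Users.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OD;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
    "(A;CI;LCRPLORC;;;AU)"
)

def codes(s):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def dacl_aces(sddl):
    """Return the DACL's ACEs as (type, flags, rights, object_guid, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj, _inherit, trustee = body.split(";")[:6]
        aces.append((ace_type, flags, rights, obj.lower(), trustee))
    return aces

def covers_apply_gp(rights, obj):
    """True if the ACE carries control access that includes Apply Group Policy."""
    if rights.lower().startswith("0x"):
        has_cr = bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    else:
        has_cr = bool(codes(rights) & {"CR", "GA"})
    return has_cr and obj in ("", APPLY_GP)

def apply_gp_decision(sddl, token):
    """Walk the DACL in order; the first matching ACE decides the outcome."""
    for ace_type, flags, rights, obj, trustee in dacl_aces(sddl):
        if trustee not in token or "IO" in codes(flags):
            continue  # ACE is for another trustee or is inherit-only
        if ace_type in ("A", "OA", "D", "OD") and covers_apply_gp(rights, obj):
            verdict = "denied" if ace_type in ("D", "OD") else "allowed"
            return verdict + " by " + trustee
    return "no matching ACE"

if __name__ == "__main__":
    print(apply_gp_decision(SAMPLE_SDDL, {"DA", "AU"}))  # member of Domain Admins
    print(apply_gp_decision(SAMPLE_SDDL, {"AU"}))        # ordinary domain user
```

In the sample, a Domain Admins member without the deny entry would still match the allow entry for Authenticated Users, which is why the procedure sets Deny instead of only leaving out an Allow.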

REFERENCES

For additional information about servers or workstations in a non-domain environment (workgroup), click the following article number to view the article in the Microsoft Knowledge Base:

293655 How to apply local policies to all users except administrators on Windows 2000 in a workgroup setting

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:

255550 How to configure account policies in Active Directory

221930 Domain security policy in Windows 2000

259576 Group Policy application rules for domain controllers




Modification Type: Minor
Last Reviewed: 3/7/2006
Keywords: kbHOWTOmaster KB816100