Microsoft KB Archive/315675

= HOW TO: Keep Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows 2000 =

PSS ID Number: 315675

Article Last Modified on 12/3/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server SP1
 * Microsoft Windows 2000 Server SP2
 * Microsoft Windows 2000 Advanced Server SP1
 * Microsoft Windows 2000 Advanced Server SP2

-



This article was previously published under Q315675



IN THIS TASK

 * SUMMARY
 * ** Keeping Group Policies from Applying to Administrator Accounts



SUMMARY
This step-by-step article describes how to keep domain group policies from also applying to administrator accounts and/or selected users. Windows 2000 uses group policies to control operating system behavior and security settings for users and computers in a Windows 2000 network, and group policies can be applied to either users and/or computers, at the site, domain, or organizational unit level.

back to the top

Keeping Group Policies from Applying to Administrator Accounts
In most circumstances, if you want a group policy to apply only to specific accounts (either user accounts, machine accounts, or both), you can accomplish this by placing the accounts in an organizational unit, and then applying a group policy at that organizational unit level. However, there may be situations in which you want to apply a group policy to an entire domain, but you may not want those policy settings to also apply to administrator accounts or other specific users or groups. The following procedure can keep a group policy from applying to administrative accounts (or any other group or user account you specify) by editing the ACL (Access Control List) for the policy:  Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. In the left console tree, right-click the name of the domain to which the policy is applied, and then click Properties. Click the Group Policy tab. Click the group policy object that you do not want to apply to administrators. By default, the only policy that is listed in the window is the Default Domain Policy. Click Properties, and then click the Security tab. If the group or user to which you do not want policies to apply does not appear in the list, use the following procedure:  Click the Add button. Click the domain in which the account resides.</li> Find the account, and then click it in the list.</li> Click the Add button, and then click OK.</li> Proceed with the remaining steps.</li></ol> </li> Click the administrators group (or other group or user) to which you do not want the policy to apply.</li> In the Permissions windows, click to select the Deny check box for the Apply Group Policy permission. This prevents the group policy object from being accessed and applied to the selected group or user account.For additional information about servers or workstations in a non-domain environment (workgroup), click the article number below to view the article in the Microsoft Knowledge Base:

293655 How to Apply Local Policies to all Users Except Administrators

</li></ol>

For additional information about related topics, click the article numbers below to view the articles in the Microsoft Knowledge Base:

255550 Configuring Account Policies in Active Directory

221930 Domain Security Policy in Windows 2000

259576 Group Policy Application Rules for Domain Controllers

back to the top

Additional query words: ou aduc

Keywords: kbhowto kbHOWTOmaster KB315675

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbWin2000AdvServSP1 kbWin2000AdvServSP2 kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbwin2000ServSP1 kbwin2000ServSP2 kbWinAdvServSearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.