Archived from groups: microsoft.public.win2000.active_directory
I usually like to avoid using DENY... you end up getting a lot of log
events - among other things.
--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Kenneth MacDonald" <K.MacDonald@ed.ac.uk> wrote in message
news:pan.2005.02.14.15.13.09.984506@ed.ac.uk...
> On Fri, 11 Feb 2005 17:58:21 +0100, Matjaz Ladava [MVP] wrote:
>
>> 1. Create a security group for computers to which you want to apply GPO,
>> 2. put all but one computer (the one that you don't want GPO to be
>> applied to) in that security group,
>> 3. edit GPO security settings and remove Authenticated users from reading
>> and applying GPO's
>> 4. Add your security group rights to read and apply GPO
>
> Alternatively, and perhaps more simply ...
>
> 1) Create a security group for the computer(s) you don't wish to apply the
> GPO to.
> 2) Edit the GPO's delegation tab (Advanced) and Add a Deny Apply for that
> group.
>
> Cheers,
>
> Kenny.
>
>
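
The group-based filtering from steps 1-4 quoted above, as an added example that is not part of the original thread: a PowerShell sketch using the ActiveDirectory and GroupPolicy modules, which postdate this 2005 discussion. The GPO name, group name, OU path and excluded computer name are constructed placeholders, and the script assumes Authenticated Users keeps Read (only Apply is removed), which differs from step 3 as written.

```powershell
# Added example; every name below is a constructed placeholder.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Example Workstation Policy'
$GroupName = 'GPO-Example-Apply'
$SearchOU  = 'OU=Workstations,DC=example,DC=com'
$Excluded  = 'EXCLUDED-PC01'

# Step 1: security group for the computers that should receive the GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global `
        -GroupCategory Security -Path $SearchOU
}

# Step 2: add every computer in the OU except the excluded one,
# skipping accounts that are already members so reruns do not error.
$current = @(Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty distinguishedName)
$toAdd = @(Get-ADComputer -Filter * -SearchBase $SearchOU |
    Where-Object { $_.Name -ne $Excluded -and
                   $_.DistinguishedName -notin $current })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# Step 3: take Apply away from Authenticated Users.
# Assumption: Read is kept (GpoRead) instead of removing the entry,
# because Windows builds patched with MS16-072 fetch user policy in the
# computer's context and need the GPO to stay readable.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Step 4: grant read + apply to the new group only.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# Check the result: the group should show GpoApply, Authenticated Users
# GpoRead, and no entry should have Denied set.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied
```

Group membership is read from the computer's logon token, so a machine added to or removed from the group picks up the change after its next restart.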