You want to disable either the user or computer settings of a GPO.
Solution
Using a graphical user interface
1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
3. Right-click on the target GPO and select GPO Status
4. You can either select User Configuration Settings Disabled to disable the user settings or Computer Configuration Settings Disabled to disable the computer settings.
Discussion
GPOs consist of two parts, a user and a computer section. The user section contains settings that are specific to a user that logs into a computer, while the computer section defines settings that apply to the computer regardless of which user logs in. You can enable or disable either the user configuration or computer configuration sections of a GPO, or both. By disabling both, you effectively disable the GPO. This can be useful if you want to stop a GPO from applying settings to clients, but you do not want to delete it, remove the links, or clear the settings.
Disabling the user configuration or the computer configuration is useful in environments that have separate OUs for computers and users. Typically, you would disable the computer configuration for GPOs linked to the users' OU and vice versa. Disabling half the GPO in the way makes GPO processing more efficient and can reduce logon times.
First, I have to find the target GPO. To do this, I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero or more than one are returned, I abort the script. If only one is returned, I call the SetUserEnabled and SetComputerEnable methods to either enable or disable the settings per the configuration.
RSS Feed (xml)
No comments:
Post a Comment