Group Policy: Disabled

May 19, 2010

Hey Team:

Short sweet tip, and a short sweet announcement.

Short sweet tip first:

You are the King or Queen of your castle, er, domain.

I like to think of every policy setting as a little “edict” that I’m forcing my user population to embrace.

Well, on the Policy side of the house there are a zillion policy settings that can be set to one of three states:

- Enabled,
- Disabled,
- or Not Configured.

Enabled means: “Do this thing, and do it at the level I’m currently working within.”

So, say you’ve got a GPO. Link it over to the domain (thus affecting all user accounts in the domain) and Enable a policy setting like “Prohibit Access to the Control Panel.” Then, as expected, everyone in your kingdom will magically embrace the stone-cold fact that their days of messing around within the Control Panel are now over!

Huzzah! Mission accomplished! You and your other network sovereigns cry out with joy!

Except this decree affects YOU as well. Oops… Seems like you poured the burning hot oil on yourself on this one.

Okay.. Great. What are you to do?

Disable that same policy setting from earlier — but now, at a level that affects YOUR (the King and Queen’s men) accounts.

That’s right. Disable.

Disabled’s job isn’t (generally) to “disable” stuff. No, no!

The “Disabled” setting’s job is to “invert” a higher-level policy.

So, assuming you had an OU called “Exalted Leaders OU” and your account was in there, you could simply create a new GPO, link it over to the OU named “Exalted Leaders OU” and edit the policy setting for the SAME SETTING — “Prohibit Access to the Control Panel.”

Except this time.. instead of ENABLING the policy — you’ll DISABLE it, thus rendering it innocuous to your user account.

It’s like your own “suit of armor” to avoid the burning hot oil.
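Here's the tip above as an added example (not code from the original post or from any Microsoft tool): a small Python model that processes GPO links from the domain down to the closest OU, lets a lower-level Enabled or Disabled overwrite what came before, and lists the accounts for which a Disabled inverts a higher-level Enabled. The GPO names, the corp.example domain and the Peasants OU are made up for illustration, and the model leaves out Enforced links, Block Inheritance and security filtering.

```python
from dataclasses import dataclass

ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not Configured"

@dataclass
class Link:
    gpo: str    # GPO display name (constructed)
    state: str  # state of "Prohibit Access to the Control Panel" in that GPO

# Constructed sample data: container DN -> GPOs linked there, in processing order.
LINKS = {
    "DC=corp,DC=example": [Link("Kingdom Lockdown", ENABLED)],
    "OU=Peasants,DC=corp,DC=example": [Link("Peasant Desktop", NOT_CONFIGURED)],
    "OU=Exalted Leaders OU,DC=corp,DC=example": [Link("Leaders Armor", DISABLED)],
}

def containers_above(dn):
    """Containers with GPO links that apply to dn: domain first, closest OU last."""
    parts = dn.split(",")
    chain = [",".join(parts[i:]) for i in range(len(parts))]
    return [c for c in reversed(chain) if c in LINKS]

def effective(dn):
    """Return (state, winning GPO, GPO whose Enabled was inverted or None)."""
    state, winner, inverted = NOT_CONFIGURED, None, None
    for container in containers_above(dn):
        for link in LINKS[container]:
            if link.state == NOT_CONFIGURED:
                continue  # says nothing, so the higher-level value passes through
            inverted = winner if (state, link.state) == (ENABLED, DISABLED) else None
            state, winner = link.state, link.gpo
    return state, winner, inverted

def exemptions(user_dns):
    """Accounts for which a lower-level Disabled cancels a higher-level Enabled."""
    found = []
    for dn in user_dns:
        state, winner, inverted = effective(dn)
        if inverted:
            found.append((dn, winner, inverted))
    return found

USERS = [
    "CN=king,OU=Exalted Leaders OU,DC=corp,DC=example",
    "CN=serf,OU=Peasants,DC=corp,DC=example",
]

if __name__ == "__main__":
    for dn in USERS:
        print(dn, "->", effective(dn))
    print("Exempted from the domain-wide setting:", exemptions(USERS))
```

The `exemptions` list is the part worth reviewing now and then: every entry is an account whose "suit of armor" cancels a restriction the rest of the domain still gets.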

Try it out and let me know what you think in the comments of this blog post on GPanswers.com.

Okay.. and now for the short, sweet announcement:

That is.. the upcoming Washington DC (Northern VA) class — July 19th is OFFICIALLY ON.

 

We already have 10 people signed up with guaranteed seats, and another 9 people “swearing on a stack of Group Policy Bibles” that they are working on POs and whatnot.

Since we only have so many seats, ensure your butt is in the right place by securing your seat before they’re all claimed!

Go to www.GPanswers.com/training.

And to answer your question before you ask it: Yes, yes.. the class is fully updated for WS08 and Win7. The result is that after the class is over, you’ll actually KNOW WHAT TO DO when you’re rolling out and managing Windows 7 and Windows Server 2008 and R2.

On that page, you can:

- Read what the class is all about, and check out the hands-on lab content.
- Watch the 20+ video testimonials.
- Click SIGN UP and we’ll send you a Welcome letter.

Oh, again: Everyone taking the class gets my newly updated book (Which, by the way, is FLYING off the shelves here at GP H.Q. Thank you, thank you, and sincerely thank YOU for being so enthusiastic and supportive.  My publisher says thanks, too.  :-)  )

On Amazon it’s ranked #2 in “Networking books.”  Awesome!!

- Get your own signed copy: www.GPanswers.com/book .
- Get it on Amazon.. http://www.amazon.com/gp/bestsellers/books/377894011/

PS: Hey.. who’s gonna help me out and write some nice stuff on Amazon about the book? :-) Thanks in advance !