How do I prevent a domain-wide Group Policy logon script from affecting one specific computer OU?


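We have a logon script applied to the entire domain that maps drives when users log on.

For one specific computer OU, I want to prevent this GPO from being applied.

I thought this could be done with Group Policy loopback processing, but I'm not sure how to do it for drive mappings (and my tests with both "Merge" and "Replace" loopback processing were unsuccessful).

Can anyone point me in the right direction?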

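Answer 1

To prevent a GPO linked to the domain from applying to an OU, you can block inheritance on that OU by right-clicking the OU and selecting "Block Inheritance".

This will also block inheritance of all other GPOs that the OU would normally inherit, unless they are enforced. If you need to avoid that, then what I would do is use the settings on the Delegation tab of that Group Policy object and explicitly deny the user or group the ability to read/apply that GPO.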

Use Group Policy Management Console
1.  Click Start, point to Administrative Tools, and then click Group Policy Management.
2.  In the console tree on the left, expand Forest.
3.  Expand Domains.
4.  Expand Domain Name.
5.  Expand Group Policy Objects.
6.  Click the Group Policy object that you do not want to apply to [some group].
7.  In the display pane on the right, click the Delegation tab.
8.  Click the Advanced button in the lower-right corner of the display pane.
9.  Click Add, and then type the account name that you do not want the Group Policy object to apply to.
10.  Click OK.

Note: Group Policy objects contain settings that apply to computer objects and to user objects. If you want only to restrict user settings from applying, add only the user account that you do not want the policy settings to apply to. If you want only to restrict computer settings from applying, add only the computer account that you do not want the policy settings to apply to. To add computer accounts, you have to click the Object Types button, and then click to select the Computers check box.
11. Make sure that the newly-added account is selected in the Group or user names window. Then, scroll down in the Permissions window, and click to select the Deny check box for the Apply group policy permission.
12. Click OK.
13. Click Yes at the Windows Security prompt.

This method means that you manage a separate security group for the people you don't want the drive mapping policy to apply to.
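
The Deny on "Apply group policy" from the steps above, scripted in PowerShell as an added example (not part of the original answer). The GPO name and group name are hypothetical placeholders; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that you may modify the GPO's security descriptor.

```powershell
# Added example. $GpoName and $GroupName are placeholders (assumptions).
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

$GpoName   = 'Drive Mapping Logon Script'   # hypothetical GPO display name
$GroupName = 'GPO-Deny-DriveMapping'        # hypothetical security group to exclude

$gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# The GPO's directory object: CN={GUID},CN=Policies,CN=System,<domain DN>
$gpoPath = "AD:\$($gpo.Path)"

# Rights GUID of the "Apply Group Policy" extended right
$applyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$acl = Get-Acl -Path $gpoPath

# Skip the change if the same Deny ACE is already present
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $applyGpoRight -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID
}

if (-not $existing) {
    # Deny ExtendedRight scoped to Apply Group Policy only; Read is left untouched
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGpoRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $gpoPath -AclObject $acl
}

# Read the ACL back to confirm which principals are denied Apply Group Policy
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpoRight } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

After the group's members log on again, `gpresult /r` should list the GPO among those not applied for accounts in that group.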
