Exclude One Computer from GPO

Exclude One Computer from GPO KB ID 0001852

Problem

You have a requirement that one computer (or a group of computers) must NOT have a specific GPO applied. If that is the case, this is how to achieve that goal simply.

Note: The same procedure can be used to exclude a GPO from one user (or a group of users).

Solution : Exclude One Computer from GPO

Let’s find the computer in question, in my case it’s called PNL-ZERTO-2022, and take a note of which OU it is in.

From the Group Policy Management console (on a DC or another machine that has the management tools installed) locate that OU. You can see that there are some GPOs directly linked to that OU, but to see all the GPOs affecting that OU you need to go to the ‘Group Policy Inheritance’ tab.

On the computer itself I can run gpresult /r and it will show me all the COMPUTER GPOs that are being applied. For this exercise I want to stop the policy called CP-Wireless-Policy applying to this machine.

Back in the Group Policy Management Console locate the GPO in question, then under Security Filtering > Add > add the computer object (remember Computers is not selected by default in the object types, so you may need to tick the box).

Delegation Tab > Select the computer > Advanced > Select the computer > Tick to DENY full control > Apply > Yes > OK.

Exclude One Computer from GPO : Testing

Before you leave the Group Policy Management console, you can simply create a Group Policy Modelling query to confirm that the policy you do NOT want applied has been denied.

On your client machine, after a reboot or a forced group policy refresh, running gpresult /r should show that CP-Wireless-Policy is no longer being applied.
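The same test, done centrally from a management host, as an added example that is not part of the original article. It uses the article’s names (CP-Wireless-Policy and PNL-ZERTO-2022) and assumes the GroupPolicy and ActiveDirectory RSAT modules, rights to read the GPO’s ACL, and that the target computer is online with you as a local administrator on it (Get-GPResultantSetOfPolicy queries its RSoP provider over WMI). The AccessDenied and FilterAllowed element names are taken from the RSoP logging XML schema as the example assumes it; check them against your own gpresult /x output.

```powershell
# Added example, not from the original article: confirm from a management host that the
# GPO really is denied to the one computer (names and module availability are assumptions).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName      = 'CP-Wireless-Policy'
$ComputerName = 'PNL-ZERTO-2022'

# 1. What GPMC shows on the Security Filtering / Delegation tabs: who can read or apply the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Inherited |
    Format-Table -AutoSize

# 2. "Deny full control" on the Delegation tab is written as a Deny ACE on the GPO's
#    container object in AD, so read the raw ACL and look for the computer account (name$).
$gpo = Get-GPO -Name $GpoName
$acl = Get-Acl -Path ("AD:\" + $gpo.Path)
$denies = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like "*\$ComputerName`$"
}
if ($denies) {
    $denies | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType | Format-Table -AutoSize
} else {
    Write-Warning "No Deny ACE for $ComputerName on $GpoName; the Delegation step has not taken effect."
}

# 3. Logging-mode RSoP for the computer (what gpresult /r shows, but run centrally) as XML,
#    then inspect the GPO entry. A denied GPO is still listed, with AccessDenied = true,
#    so merely checking that the name is absent from the report would give a false pass.
$report = Join-Path $env:TEMP "$ComputerName-rsop.xml"
Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Xml -Path $report | Out-Null
[xml]$rsop = Get-Content -Path $report
$entry = $rsop.SelectSingleNode(
    "//*[local-name()='ComputerResults']/*[local-name()='GPO'][*[local-name()='Name']='$GpoName']")

if ($null -eq $entry) {
    Write-Host "$GpoName is not in scope for $ComputerName at all (not linked anywhere in its OU chain)."
} elseif ($entry.AccessDenied -eq 'true' -or $entry.FilterAllowed -eq 'false') {
    Write-Host "$GpoName is filtered out for $ComputerName (AccessDenied=$($entry.AccessDenied))." -ForegroundColor Green
} else {
    Write-Warning "$GpoName is still applied to $ComputerName; run gpupdate /force or reboot, then re-check."
}
```

Step 2 is the one to keep: a Deny ACE on the GPO object wins over any Allow the computer gets through Authenticated Users or a group, which is exactly why the Delegation-tab method works and why a stray Deny left behind later is worth auditing for.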

Exclude one Computer from GPO (GPP)

If you are deploying Group Policy Preferences (GPP), you can also use Item-Level Targeting and set the targeting to Computer Name IS NOT {the computer name} (so that the preference applies to all other computers).

Related Articles, References, Credits, or External Links

NA

Considerations Before Upgrading Functional Levels

Upgrading Functional Levels KB ID 0001851

Problem

For over twenty years, I’ve been involved with domain migrations, and I’ve had to upgrade both domain and forest functional levels thousands of times. I’ve also had to deal with many clients who were somewhat nervous when they knew that I was updating their forest and domain functional levels. I’m not sure if it’s just embedded in IT folklore that something horrible might happen, and because you are unable to revert if you make the mistake of upgrading these levels when you should not have done so. But in all honesty, in all the time I’ve been involved in domain migrations only once have I ever had a problem, and in that instance the upgrade process failed because the client had Exchange 2000 (that’s how long ago that was).

What are Domain and Forest functional levels used for?

Each version of Windows that is released introduces new functionality that’s built into Active Directory, and for clients to take advantage of that functionality there are certain prerequisites that must be met. One of the most obvious prerequisites is that all domain controllers must be running a version that supports those new features. For example, way back with Server 2008 the AD Recycle Bin was introduced; imagine trying to enable that feature if half of the domain controllers in your environment did not support it. That’s all the functional level does: it sits and waits for you to get all your servers to the correct version before you can enable a feature.

Active Directory won’t let you upgrade functional levels if your servers are non-compliant, i.e. running an older or unsupported operating system, so all the functional level really is, is a safety gate that turns on features. With that in mind, why would you be nervous about adding additional features to Active Directory?

Things to Consider Before Upgrading Functional Levels

  • Check that all domain controllers are working and replicating properly and are running a version of Windows Server that supports the desired functional level.
  • Back up all domain controllers and verify the backups.
  • Ensure that all domain functional levels are equal to or higher than the forest functional level.
  • Review the new features and requirements of the target functional level and plan for any changes or impacts on your applications, services, and clients. Pay particular attention to Microsoft Exchange (if still running on premises or in hybrid mode).
  • If possible, test the functional level change in a lab environment that mimics your production environment as closely as possible.
  • Communicate the functional level change to your stakeholders and schedule a maintenance window for the operation.
  • Follow the instructions on how to raise the domain and forest functional level and monitor the replication and health of your domain controllers after the change.
  • Official documentation says you CANNOT downgrade functional levels; however, this is not true*. That said, you should only lower the functional level if you encounter a serious problem that cannot be resolved otherwise.

*Note: You can downgrade, but no further than Server 2008. It is possible to downgrade from Server 2016 (the current maximum) to Server 2012 R2, Server 2012, Server 2008 R2, and Server 2008. In reality (if you’ve been looking after your AD) you should never need to downgrade more than one version anyway.

Upgrading Functional Levels

Both the domain and forest functional levels can be upgraded with the ‘Active Directory Domains and Trusts’ management console. For the domain, simply right click the domain in question > Raise domain functional level > select the version you want to upgrade to, then click Raise.

To raise the forest functional level, right click ‘Active Directory Domains and Trusts’ > Raise forest functional level > select the version you want to upgrade to, then click Raise.

Upgrading Functional Levels (PowerShell)

To do the same with PowerShell:

[box]

Set-ADForestMode -Identity domain.com -ForestMode Windows2016Forest

Set-ADDomainMode -Identity domain.com -DomainMode Windows2016Domain

[/box]

Verify Upgrading Functional Levels was Successful

Look in the Directory Service Event log for the following events.

Event ID 2039 (Successful Domain Functional Level Update).


Event ID 2040 (Successful Forest Functional Level Update).
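The whole procedure above (the pre-flight checks from the considerations list, the raise itself, and the Event ID 2039/2040 verification) carried through in one script, as an added example that is not part of the original article. It assumes the ActiveDirectory RSAT module, an account with Enterprise Admins rights, the Server 2016 target level the article uses, and the article’s domain.com placeholder; the Set-AD*Mode calls are run with -WhatIf so nothing changes until you remove it.

```powershell
# Added example, not from the original article: pre-flight checks, the raise (with -WhatIf),
# and post-change verification. Module, rights, target level and domain name are assumptions.
Import-Module ActiveDirectory

# Functional levels in order; the article treats Windows2016 as the current maximum.
# Append newer levels here if your AD module reports them.
$Levels = 'Windows2000','Windows2003Interim','Windows2003','Windows2008',
          'Windows2008R2','Windows2012','Windows2012R2','Windows2016'

function Test-FunctionalLevelPrereq {
    param([string] $TargetLevel = 'Windows2016')
    $forest = Get-ADForest
    $ok = $true

    foreach ($domainName in $forest.Domains) {
        # 1. Every DC in every domain with its OS version: any DC older than the target blocks the raise.
        foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
            Write-Host ("{0,-35} {1,-32} {2}" -f $dc.HostName, $dc.OperatingSystem, $dc.OperatingSystemVersion)
        }
        # 2. Each domain level must be at or above the forest level you intend to set.
        $dm = (Get-ADDomain -Identity $domainName).DomainMode.ToString() -replace 'Domain$', ''
        if ($Levels.IndexOf($dm) -lt $Levels.IndexOf($TargetLevel)) {
            Write-Warning "$domainName is at $dm; raise the domain level to $TargetLevel before the forest level."
            $ok = $false
        }
    }

    # 3. Replication must be clean across the forest before the change is written.
    $failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest
    if ($failures) {
        Write-Warning "Replication failures present; fix these first:"
        $failures | Format-Table Server, Partner, FirstFailureTime, FailureCount -AutoSize
        $ok = $false
    }
    return $ok
}

function Confirm-FunctionalLevelRaise {
    # Post-change: the modes AD now reports, plus the success events the article lists
    # (2039 = domain level updated, 2040 = forest level updated) from every writable DC.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    Write-Host "Domain mode: $($domain.DomainMode)   Forest mode: $($forest.ForestMode)"
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2039, 2040; StartTime = (Get-Date).AddHours(-24)
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $what = if ($e.Id -eq 2039) { 'Domain functional level updated' } else { 'Forest functional level updated' }
            Write-Host ("{0}  {1}  {2}: {3}" -f $e.TimeCreated, $dc.HostName, $e.Id, $what)
        }
    }
}

if (Test-FunctionalLevelPrereq -TargetLevel 'Windows2016') {
    # Domain first, then forest. Remove -WhatIf to perform the change.
    Set-ADDomainMode -Identity domain.com -DomainMode Windows2016Domain -WhatIf
    Set-ADForestMode -Identity domain.com -ForestMode Windows2016Forest -WhatIf
    Confirm-FunctionalLevelRaise
}
```

Run it from the DC holding the PDC emulator or any RSAT host; if Test-FunctionalLevelPrereq returns false the raise is skipped, which is the same safety gate the article describes AD enforcing, just surfaced before you are sitting in the console.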

Downgrading Functional Levels (PowerShell)

The following procedure was carried out on my test bench. When upgrading functional levels in the past, Microsoft released guidance on how to downgrade functional levels to Server 2008 R2; this was handy if you wanted to perform an ADMT domain migration and had raised your levels to Server 2012 (though the tool was later fixed to support newer functional levels).

Remember this is a last resort if you are having problems, and make sure you have decent backups of everything before proceeding.

First, check the current domain and forest functional levels.

[box]

Get-ADDomain | Format-Table Name , DomainMode

Get-ADForest | Format-Table Name , ForestMode

[/box]

Then to downgrade (in this example to Server 2012 R2) use the following commands.

[box]

Set-ADForestMode -Identity domain.com -ForestMode Windows2012R2Forest

Set-ADDomainMode -Identity domain.com -DomainMode Windows2012R2Domain

[/box]

Check that the change has occurred by running the same commands you used above.

[box]

Get-ADDomain | Format-Table Name , DomainMode

Get-ADForest | Format-Table Name , ForestMode

[/box]

Then, to prove it’s not all ‘smoke and mirrors’, look in ‘Active Directory Domains and Trusts’ > {your-domain-name} > right click > ‘Raise domain functional level’.

And in the same management snap-in check the forest functional level.

Related Articles, References, Credits, or External Links

NA

Find Specific GPO Settings

Find Specific GPO Settings KB ID 0001850

Problem

To find which GPO settings are being applied, and which GPO is responsible for each setting, you can generate an HTML report. There are two ways of doing this: you can either run the report on the affected machine, or, if you do not have access to it, you can generate the same report on a domain controller (or any machine that has the Group Policy Management console installed).

Solution: Find Specific GPO Settings (Locally)

On the machine in question run the following command (remember to be logged in with the credentials of an affected user!).

[box]

gpresult /h %temp%\results.html & %temp%\results.html

[/box]

It will take a little while for the report to be generated, but it ‘should’ open in your default browser, like so.

From here you can see a list of all the applied GPOs, drill down into each setting, and see the ‘Winning GPO’ that applied that setting.

Solution: Find Specific GPO Settings (Centrally)

Most people are unaware that you can do the same from any machine that’s running the Group Policy Management administrative tool; it has a section called Group Policy Modelling. The reason this exists is to ‘try out’ the effect of changing groups, OUs and WMI filters to see how that affects the application of GPOs to both users and computers. However, if you just plug in the computer name and the user name and accept all the defaults, it will give you the SAME report you generated above.

From Administrative Tools > Group Policy Management > Group Policy Modelling > Group Policy Modelling Wizard > Next > Next (unless you want to change the DC queried).


Select the user and computer in question > Next > Next > Next.

Next > Next > Next.

Next > Next > Finish.

The report will be rendered on screen, with the same information as if you had run gpresult manually on the client.
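The report tells you which GPO won on one machine; the complementary question is which GPOs in the domain contain a given setting at all, which is what you want before editing or cleaning up policy. The following is an added example, not code from the original article: it searches every GPO’s XML report for a setting name using the GroupPolicy module. The Find-GpoSetting function and the ‘Wireless’ search term are my own and illustrative.

```powershell
# Added example, not from the original article: list every GPO whose report contains a
# setting name, with the side (Computer/User) and where the GPO is linked.
Import-Module GroupPolicy

function Find-GpoSetting {
    param(
        # Substring of the setting's display name as it appears in the GPO report (hypothetical default).
        [Parameter(Mandatory)] [string] $SettingName,
        [string] $Domain = $env:USERDNSDOMAIN
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Without -Path, Get-GPOReport returns the whole report as one XML string.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain

        # Where the GPO is linked, so the result shows scope as well as content.
        $links = ($report.SelectNodes("//*[local-name()='LinksTo']/*[local-name()='SOMPath']") |
                  ForEach-Object { $_.InnerText }) -join '; '

        # Namespace-agnostic match on any <Name> element. Single quotes in the term would
        # break the XPath literal, so they are rejected rather than escaped.
        if ($SettingName -match "'") { throw "SettingName cannot contain a single quote." }
        $hits = $report.SelectNodes("//*[local-name()='Name'][contains(., '$SettingName')]")

        foreach ($hit in $hits) {
            # The root <GPO> element has its own <Name>; that is the policy name, not a setting.
            if ($hit.ParentNode -eq $report.DocumentElement) { continue }

            # Walk up to the <Computer> or <User> section to report which side the setting is on.
            $scope = 'Unknown'
            $node  = $hit
            while ($node.ParentNode) {
                if ($node.LocalName -in @('Computer', 'User')) { $scope = $node.LocalName; break }
                $node = $node.ParentNode
            }

            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                Scope     = $scope
                Setting   = $hit.InnerText.Trim()
                GpoStatus = $gpo.GpoStatus
                LinkedTo  = $links
            }
        }
    }
}

# Usage: every GPO that mentions "Wireless" anywhere in a setting name.
Find-GpoSetting -SettingName 'Wireless' | Format-Table -AutoSize
```

Because it reads the GPO definitions rather than a client’s RSoP, it also finds GPOs that are unlinked, disabled (see GpoStatus) or filtered away from the machine you were looking at, which is usually where the surprising source of a setting turns out to be.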

Related Articles, References, Credits, or External Links

NA