
I have an issue which I need some help with.

Current Scenario:

I have a domain firewall policy, which turns the firewall ON and is enforced on "Authenticated users". The domain policy locks the firewall with the "For your security, some settings are managed by your system administrator." for all users. This is not to be changed.

Screenshot: https://www.dropbox.com/s/aa01il1zjjgoa05/GPO_firewall.png?dl=0

Change wanted:

However, now I have a SPECIAL user, who needs to be able to administrate the client firewall all by himself, so the settings must NOT be locked with "For your security, some settings are managed by your system administrator"... They must be open for edit by this user on his laptop ONLY!

My question is:

What would be the best and easiest way to set this up?

Thx

2 Answers


Rather than using an ACL to deny the application of the GPO based on group membership it might be easier and more intuitive to use Security Filtering to apply the GPO based on group membership.

  1. Create a security group named Firewall On and Restricted (or something to that effect).

  2. Add all of your users to this group except for this particular user.

  3. Remove Authenticated Users from the Security Filtering on this GPO.

  4. Add your new security group to the Security Filtering on this GPO.

  5. Update your user setup documentation to include a step for adding all new users to this security group (except those users who should be excluded).

By doing this you're actually setting the ACL on the GPO just as in Rex's answer, but in a simpler, more intuitive way.

joeqwerty
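The five steps above as a PowerShell script, added here as an example and not part of the original answer; the GPO name, the OU for the new group and the special user's account name are assumed placeholders. One caveat the answer does not spell out: Authenticated Users is downgraded to Read rather than removed outright, because Windows still needs computer accounts to be able to read the GPO when it processes user settings.

```powershell
# Added example: move the firewall GPO from "Authenticated Users" to a
# dedicated security group. Requires the ActiveDirectory and GroupPolicy
# modules (RSAT) and rights to edit the GPO and create the group.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName      = 'Domain Firewall Policy'        # assumed: name of the existing GPO
$GroupName    = 'Firewall On and Restricted'    # group from step 1 of the answer
$GroupOU      = 'OU=Groups,DC=example,DC=com'   # assumed: where the group is created
$ExcludedUser = 'special.user'                  # assumed: sAMAccountName of the special user

# Step 1: create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# Step 2: add every enabled user except the special one.
$members = Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $_.SamAccountName -ne $ExcludedUser }
Add-ADGroupMember -Identity $GroupName -Members $members

# Step 3: take Authenticated Users out of Security Filtering. Replacing
# Apply with Read keeps the GPO readable by computer accounts, which is
# required for user settings to be processed (post-MS16-072 behaviour).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Step 4: apply the GPO to the new group only.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# Verify: the group should show GpoApply, and the special user must not be a member.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission
if (Get-ADGroupMember -Identity $GroupName | Where-Object SamAccountName -eq $ExcludedUser) {
    throw "$ExcludedUser is still a member of $GroupName"
}
```

Step 5 (updating the onboarding documentation) is a process change, so the script does not cover it; a scheduled re-run of the Step 2 block is one way to keep the group current.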

Set an ACE entry to the policy to deny the policy to that specific user. A better practice would be to create a group and deny the policy to the group and add/remove users from that group as required. One "special" user now, might be 5 "special users" later. Groups make it easier later.

  1. Open GPMC
  2. Right click on the desired policy
  3. Select Edit
  4. Right-click on the policy name (above the computer/user configuration) and select properties.
  5. Under the security tab, add the group that you want to deny the policy and click deny on the Apply Group Policy permission for that specified group.

Rex
  • I don't get it. Where do you get those "properties" you're referring to? Here is the screenshot of the DC domain policy management and I don't see any properties anywhere... Screenshot: https://www.dropbox.com/s/za1dbpeqfhewdhr/1.jpg?dl=0 – Brian Petersen Sep 11 '14 at 09:01
  • @BrianPetersen That's why my first step said to edit the policy first - how's this? – Rex Sep 11 '14 at 09:11