Excluding a single PC from GP

Is there any way to exclude a single PC from Group Policy?

I have GP settings for all computers on network for restrictions to Internet Explorer but dont want these settings applied to the server, just the clients. At the moment even though I configured the GPO "Small Business Server Client Computer" it is still being applied to the server.

Any ideas?

Thanks

 

In active directory, create a new organization unit, and place that server in that organization unit. Apply a group policy object block inheritance. Block inheritance

 

I have created a new organization unit called Server so i presume i should just drag the Small Business Server Client Computer from Group Policy into the new Server organization unit? Or should I create a new object in Server and restore the values in Small Business Server Client Computer from Group Policy back to default?

Thanks

 

did you create domain level group policies, or organizational level? If you have the group policy at the organizational level, moving the system from one OU to the other OU, should remove the policy and apply any new policies. Provided of course the 2nd OU is not a child of the first OU.
If you created a domain level group policy, you will need to create a group policy within the new OU that blocks inheritance from the domain policy.

 

I am embarassed to say that I am a little confused as not really got much experience messing about with GP, so I stuck a screen shot here, hopefully this will help you to help me.

Thanks for you help so far.

 

I typically handle GPO in Active Directory Users and Computers MMC Plugin.
Right click on the OU you want to modify, and go to the Group Policy tab.
Add in the group policy you want to block.
check the box that says, "Block Policy inheritance "
Apply the setting.
You can then reboot that server, or force an update by using gpoupdate /force to push out the new GPO.

 

GPO application

HI

One alternative way of going about this would be to leave the computer in an OU with other computers, but then in the Security filtering for the GPO, add only the computers or security groups (which can contain computer accounts), for which the GPO can be applied. this way you can still select which accounts (both users or computers) will receive the GPO settings.

hope this helps.

Best regz\

Sky

 

several simple ways to solve this problem - either define multiple OU's in a tree strcuture and put your computeres in them in a way so that they inherit for the overlying level - and just put the IE blok GPO in the bottom level OU with the PC's
Or ACL filtering as suggested and deny the server
or ...
well - just keep it simple...