GPO Exception ?
jbrad95706
Member Posts: 225
Hello again!
I had asked a question about where to apply the policy to disable the Licence Logging Service, and I found the location. (With some help!
)
Here is the problem... I don't want to disable it on all DC's.
Is there a way to setup an exception for just the ones I want to disable this service on?
Thanks for the help! I'm not much on a Windows guy... but I'm getting there!
I had asked a question about where to apply the policy to disable the Licence Logging Service, and I found the location. (With some help!
)Here is the problem... I don't want to disable it on all DC's.
Is there a way to setup an exception for just the ones I want to disable this service on?
Thanks for the help! I'm not much on a Windows guy... but I'm getting there!
Comments
Alternatively, you could leave all the servers in their current OU(s) and use security filtering on the GPO. Add all the servers you want the service disabled on to a security group, and make sure that that group is the only entry listed in the security filtering settings of the GPO.
Don't move the DCs out of the default Domain Controllers OU.
Jane Lewis's Weblog : Just don't do it !
While security groups would be the way to do this since you shouldn't move the DCs out of the domain controllers OU, having different GPOs applied to different domain controllers is still a bad idea. Why do you want to disable the License Logging Service on some DCs and not others?
Description of the License Logging Service in Windows Server operating systems
You could nest another OU within that though, couldn't you?
I only have a few of them here - most of them belong to other locations. I just want it applied to the DC's I have here; however, they are all clumped in the same folder.
They don't all belong to me, and I don't want to step on the toes of the remote site's admins.
Thanks! I'm going to read up on this. Would this be for just the one part of the policy or for everything? I want the rest of the policy to apply, just not the part about the LLS.
Thanks again! (Everyone)
Ok, let me ask it another way. Why do you want to disable the License Logging service?
I'm trying to clean up the event logs, and the LLS is just one of my issues flooding my logs with junk.
Were not using it here, but it's turned on through a GP because (as far as I know) the remote sites are using it.
To my understanding it's off by default in 2003, and not part of 2008 due to the reasons stated in the link you posted above.
Am I missing something?
Thanks again!
Create a new GPO only specifying the one change to the LLS that you mentioned. Remove the Authenticated Users from the GPO permissions and add the computer accounts of the DC's to which you want the policy to apply (or put them in a security group and add the DC's to that group), granting Read and Apply Group Policy permissions to the GPO. Link this new GPO to the Domain Controllers OU and make sure it is the last one to be processed for that OU. GP Precedence will apply the last GP that is processed if there is a setting conflict, so the last GP for the OU containing the computer accounts wins.
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
The policy turns the service back on. ^
The problem was, some sites were using it and some were not - the default DC policy turned it on for everyone.
We ended up turning it off for everyone because no one was using it - a few people thought they were...
Thanks everyone!