GPO Exception?

Hello again!

I had asked a question about where to apply the policy to disable the Licence Logging Service, and I found the location. (With some help!)

Here is the problem... I don't want to disable it on all DC's.


Is there a way to set up an exception for just the ones I want to disable this service on?

Thanks for the help! I'm not much of a Windows guy... but I'm getting there!

Comments

  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Just curious, how many DCs do you have and how many do you need this applied to?
  • bwcarty Member Posts: 422 ■■■□□□□□□□
    Assuming the policy to disable the service is in a dedicated GPO, you could move the servers you want to disable the service on to a separate OU and link the GPO to that OU only.

    Alternatively, you could leave all the servers in their current OU(s) and use security filtering on the GPO. Add all the servers you want the service disabled on to a security group, and make sure that that group is the only entry listed in the security filtering settings of the GPO.
    Help eradicate blood cancers with a donation to the Leukemia & Lymphoma Society.
  • Claymoore Member Posts: 1,637
    bwcarty wrote: »
    Assuming the policy to disable the service is in a dedicated GPO, you could move the servers you want to disable the service on to a separate OU and link the GPO to that OU only.

    Don't move the DCs out of the default Domain Controllers OU.
    Jane Lewis's Weblog : Just don't do it !
    bwcarty wrote: »
    Alternatively, you could leave all the servers in their current OU(s) and use security filtering on the GPO. Add all the servers you want the service disabled on to a security group, and make sure that that group is the only entry listed in the security filtering settings of the GPO.

    While security groups would be the way to do this since you shouldn't move the DCs out of the domain controllers OU, having different GPOs applied to different domain controllers is still a bad idea. Why do you want to disable the License Logging Service on some DCs and not others?

    Description of the License Logging Service in Windows Server operating systems
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Claymoore wrote: »
    Don't move the DCs out of the default Domain Controllers OU.
    Jane Lewis's Weblog : Just don't do it !

    You could nest another OU within that though, couldn't you?
  • jbrad95706 Member Posts: 225
    dynamik wrote: »
    Just curious, how many DCs do you have and how many do you need this applied to?

    I only have a few of them here - most of them belong to other locations. I just want it applied to the DC's I have here; however, they are all clumped in the same folder. :)
  • jbrad95706 Member Posts: 225
    Claymoore wrote: »
    Don't move the DCs out of the default Domain Controllers OU.
    Jane Lewis's Weblog : Just don't do it !



    While security groups would be the way to do this since you shouldn't move the DCs out of the domain controllers OU, having different GPOs applied to different domain controllers is still a bad idea. Why do you want to disable the License Logging Service on some DCs and not others?

    Description of the License Logging Service in Windows Server operating systems

    They don't all belong to me, and I don't want to step on the toes of the remote site's admins.
  • jbrad95706 Member Posts: 225
    bwcarty wrote: »
    Assuming the policy to disable the service is in a dedicated GPO, you could move the servers you want to disable the service on to a separate OU and link the GPO to that OU only.

    Alternatively, you could leave all the servers in their current OU(s) and use security filtering on the GPO. Add all the servers you want the service disabled on to a security group, and make sure that that group is the only entry listed in the security filtering settings of the GPO.

    Thanks! I'm going to read up on this. Would this be for just the one part of the policy or for everything? I want the rest of the policy to apply, just not the part about the LLS.

    Thanks again! (Everyone)
  • Claymoore Member Posts: 1,637
    jbrad95706 wrote: »
    They don't all belong to me, and I don't want to step on the toes of the remote site's admins.

    Ok, let me ask it another way. Why do you want to disable the License Logging service?
  • jbrad95706 Member Posts: 225
    Claymoore wrote: »
    Ok, let me ask it another way. Why do you want to disable the License Logging service?

    I'm trying to clean up the event logs, and the LLS is just one of my issues flooding my logs with junk.

    We're not using it here, but it's turned on through a GP because (as far as I know) the remote sites are using it.

    To my understanding it's off by default in 2003, and not part of 2008 due to the reasons stated in the link you posted above.

    Am I missing something?

    Thanks again!
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    Only way I can think of to do what you're asking

    Create a new GPO only specifying the one change to the LLS that you mentioned. Remove the Authenticated Users from the GPO permissions and add the computer accounts of the DC's to which you want the policy to apply (or put them in a security group and add the DC's to that group), granting Read and Apply Group Policy permissions to the GPO. Link this new GPO to the Domain Controllers OU and make sure it is the last one to be processed for that OU. GP Precedence will apply the last GP that is processed if there is a setting conflict, so the last GP for the OU containing the computer accounts wins.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
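
The steps in the post above (dedicated GPO, security filtering to a group of chosen DCs, link to the Domain Controllers OU with top precedence), written with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original thread; it assumes a management host where those modules are installed, and the GPO name, group name, domain DN and DC names are placeholders.

```powershell
# Added example; every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Local DCs - Disable License Logging'   # hypothetical GPO name
$GroupName = 'GPO-Apply-DisableLLS'                   # hypothetical security group
$DomainDN  = 'DC=example,DC=com'                      # placeholder domain
$DcOu      = "OU=Domain Controllers,$DomainDN"
$LocalDcs  = 'SITE-DC01', 'SITE-DC02'                 # placeholder DC names

# 1. Security group that holds only the DCs meant to receive the setting.
#    The DCs stay in the default Domain Controllers OU.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$DomainDN"
Add-ADGroupMember -Identity $GroupName `
    -Members ($LocalDcs | ForEach-Object { Get-ADComputer -Identity $_ })

# 2. Dedicated GPO carrying only the one service setting. The startup mode
#    itself is set afterwards in the GPO editor under
#    Computer Configuration > Windows Settings > Security Settings > System Services.
New-GPO -Name $GpoName -Comment 'Scoped to selected DCs via security filtering' | Out-Null

# 3. Security filtering: grant the group Read + Apply first, then remove the
#    default Authenticated Users entry so no other DC in the OU applies the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace

# 4. Link to the Domain Controllers OU. Link order 1 is processed last,
#    so it wins a conflict with the existing policy that enables the service.
New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes -Order 1

# 5. Review the result: who can apply the GPO, and where it sits in link order.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
(Get-GPInheritance -Target $DcOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# A DC picks up its new group membership only after a restart; afterwards,
# 'gpresult /r /scope computer' on that DC should list the GPO as applied,
# and on any DC outside the group as filtered out (denied by security).
```
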
  • rwwest7 Member Posts: 300
    Why not open a TS session to the servers and just disable the service yourself? Or just right click them in AD, choose manage, then disable the service yourself. Guess what I'm getting at is why don't you just disable the service yourself. It's only like 4 mouse clicks.
  • jbrad95706 Member Posts: 225
    rwwest7 wrote: »
    Why not open a TS session to the servers and just disable the service yourself? Or just right click them in AD, choose manage, then disable the service yourself. Guess what I'm getting at is why don't you just disable the service yourself. It's only like 4 mouse clicks.

    The policy turns the service back on. ^

    The problem was, some sites were using it and some were not - the default DC policy turned it on for everyone.

    We ended up turning it off for everyone because no one was using it - a few people thought they were...


    Thanks everyone!