Difficulty: Medium
Correct Answer: Create a second GPO for the OU; grant Managers Apply/Read, disable Authenticated Users Apply/Read, configure the new GPO to allow My Network Places; set the original GPO to higher priority
Explanation:
Introduction / Context:
When more than one GPO is linked to the same OU, Windows processes them in reverse link order: the link with the lowest number (link order 1) is processed last, so it has the highest precedence and wins whenever two GPOs configure the same setting. A setting configured in only one GPO is unaffected by the order. Who receives a GPO is controlled separately by its security filtering, i.e. the Read and Apply Group Policy permissions on the GPO's ACL. Here the base GPO linked to the OU blocks both "My Network Places" and "System"; Managers need an exception for My Network Places only, while still inheriting the System block.
Given Data / Assumptions:
One OU with one GPO linked to it (call it GPO-A) that blocks both My Network Places and the System Control Panel applet for every user in the OU. A domain group, Managers, whose members sit in that OU and must keep the System block but regain My Network Places. No other GPO links, inheritance blocking or enforced links are mentioned, so only link order and security filtering within this OU matter.
Concept / Approach:
Use an additional GPO (GPO-B) linked to the same OU and scoped to Managers only. GPO-B configures exactly one setting, My Network Places, to the allowed state and leaves the System setting Not Configured. Because precedence is decided setting by setting, GPO-A's System restriction still reaches Managers through GPO-B regardless of link order; only the My Network Places setting conflicts, and for the exception to take effect GPO-B must be processed after GPO-A (the GPO processed last wins). Scoping is done with security filtering on GPO-B: grant Managers Read and Apply Group Policy, and remove Apply Group Policy from Authenticated Users so nobody else in the OU receives the exception.
Step-by-Step Solution:
1. Create a new GPO (GPO-B) and link it to the same OU as the original GPO (GPO-A).
2. On GPO-B's security filtering, add the Managers group and grant it Read and Apply Group Policy.
3. On GPO-B, remove the Apply Group Policy permission from Authenticated Users (leave Read in place; do not use an explicit Deny).
4. In GPO-B, set only the My Network Places policy to the allowed state; leave System Not Configured so GPO-A's restriction is inherited.
5. Set the link order on the OU so the GPO whose My Network Places setting should win for Managers is processed last, then run gpupdate and check the result with RSoP.
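The same procedure as a script, added here as an example and not part of the original answer or of Microsoft's documentation. It uses the GroupPolicy module on a domain-joined administration host. The OU distinguished name, the GPO names, the group name Managers and the account corp\mgr01 are assumed, hypothetical values; the registry value it writes is the NoNetHood policy behind "Hide My Network Places icon on desktop", on the assumption that this is the setting GPO-A enables.

```powershell
# Added example (not from the original page). Assumed, hypothetical names:
# OU "OU=Sales,DC=corp,DC=example", existing lockdown GPO "Sales Desktop Lockdown",
# exception group "Managers". Requires the RSAT GroupPolicy module and GPO-edit rights.
Import-Module GroupPolicy

$ou      = 'OU=Sales,DC=corp,DC=example'
$baseGpo = 'Sales Desktop Lockdown'                     # GPO-A: hides My Network Places and System
$excGpo  = 'Sales Managers - Network Places Exception'  # GPO-B: the exception

# 1. Create GPO-B and link it to the same OU as GPO-A.
New-GPO -Name $excGpo -Comment 'Managers may use My Network Places; System stays locked by GPO-A' | Out-Null
New-GPLink -Name $excGpo -Target $ou -LinkEnabled Yes | Out-Null

# 2. Security filtering: only Managers should apply GPO-B.
#    GpoApply grants both Read and Apply Group Policy.
Set-GPPermission -Name $excGpo -TargetName 'Managers' -TargetType Group -PermissionLevel GpoApply | Out-Null
#    Reduce Authenticated Users to Read only (-Replace removes the existing Apply ACE).
#    Keep Read rather than removing the group: since MS16-072 the computer account
#    must be able to read user-side GPOs or they are skipped during processing.
Set-GPPermission -Name $excGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Configure only the setting being excepted. NoNetHood = 1 is the Enabled state of
#    "Hide My Network Places icon on desktop"; writing 0 is its Disabled state and is
#    the value that conflicts with GPO-A. Nothing is written for the System applet,
#    so GPO-A's restriction is inherited unchanged by Managers.
Set-GPRegistryValue -Name $excGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoNetHood' -Type DWord -Value 0 | Out-Null

# 4. Link order. Order 1 is highest precedence (processed last) and wins every
#    setting that both GPOs configure, here only NoNetHood. For Managers to get the
#    icon, the exception GPO has to be the one processed last:
Set-GPLink -Name $excGpo -Target $ou -Order 1 | Out-Null
(Get-GPInheritance -Target $ou).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 5. Verify with RSoP for a Managers member on a workstation in the OU. The report
#    names the winning GPO per setting: expect NoNetHood from GPO-B and the System
#    restriction still sourced from GPO-A.
#    On the workstation:   gpupdate /force ; gpresult /user corp\mgr01 /scope user /v
#    Or remotely from the admin host (assumed workstation name ws01):
Get-GPResultantSetOfPolicy -User 'corp\mgr01' -Computer 'ws01' -ReportType Html -Path .\rsop-mgr01.html
```

Run it once; New-GPO and New-GPLink fail if the GPO or link already exists, which is the safe behaviour for a change like this. If the RSoP report shows GPO-A as the winning GPO for the My Network Places setting, the link order is backwards for the exception and Managers will not see the icon.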
Verification / Alternative check:
Use Resultant Set of Policy (RSoP) or gpresult /user <manager account> /v on a workstation in the OU to confirm that a member of Managers receives the My Network Places setting from the new GPO while the System restriction from the original GPO still applies. The report lists the winning GPO for each setting, so it also shows whether the link order is the one intended.
Why Other Options Are Wrong:
An explicit Deny of Read/Apply Group Policy (option B) stops a GPO from applying to Managers at all rather than creating a per-setting exception; applied to the original GPO it would lift the System restriction as well, and a Deny ACE overrides any Allow the users hold through other group memberships.
Option A does not create an exception; it simply disables processing of the policy, which removes the System block too.
Option C configures the new GPO to block System a second time, which is redundant (the original GPO already enforces it for Managers) and only makes the precedence harder to reason about.
"None of the above" is wrong because a workable configuration exists (option D).
Common Pitfalls:
Using an explicit Deny instead of removing the Apply Group Policy permission: Deny wins over every Allow, so it cannot be undone by adding the user to another group. Getting the precedence backwards: the setting both GPOs configure is decided by the GPO processed last (lowest link-order number), so verify with RSoP or gpresult that the exception GPO's My Network Places value is the one in effect for Managers and that the security filtering actually excludes everyone else.
Final Answer:
Create a second GPO for the OU; grant Managers Apply/Read, disable Authenticated Users Apply/Read, configure the new GPO to allow My Network Places; set the original GPO to higher priority