Anthony- Unfortunately, the GPMC does not expose Deny ACEs in the same neat way that it exposes Allow. What you have to do is go into the Advanced view on Security Filtering, and essentially add the Deny ACE manually for that group using the good old ACL Editor. The easiest way to do a GP deny is to simply set a deny on the "Apply Group Policy" permission, rather than denying the "read" permission. Effectively there is no difference in the end result but to me it's 'cleaner'. Also, I would put those handful of employees into a global group and then use that global group to set the deny, rather than having 5 separate ACEs for each employee.
Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Crawford
Sent: Wednesday, May 31, 2006 2:03 PM
To: [email protected]
Subject: [ActiveDir] Deny Read Permissions to Group Policy

I have a sub OU with 60 users and I wish to apply a group policy to 55 of the users. I assume the easy way is to deny read permissions to the policy for the handful of employees I do not want the policy to apply to. I have gpmc open and looking under security filtering and can't seem to figure out how to accomplish this. If there is a better method than deny reading of the policy, I'll take the advice.

Thanks.
Tony

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
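
The deny described in the reply above, scripted as an added example that is not part of the original thread: it adds a Deny ACE for the "Apply Group Policy" extended right on one GPO for one global group, and skips the write if that ACE is already present. The GPO name and group name are hypothetical placeholders, and the GroupPolicy and ActiveDirectory RSAT modules are assumed to be installed.

```powershell
# Added example: deny "Apply Group Policy" on a GPO for one global group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Example Desktop Policy'     # hypothetical GPO name
$GroupName = 'GPO-Exempt-DesktopPolicy'   # hypothetical global group holding the exempt users

# rightsGuid of the Apply-Group-Policy extended right
$ApplyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# The GPO's directory object (groupPolicyContainer) carries the ACL that filtering uses.
$gpoPath = "AD:\$($gpo.Path)"
$acl     = Get-Acl -Path $gpoPath

# Read explicit (non-inherited) rules with SIDs so the comparison does not depend on name resolution.
$explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
$already  = $explicit | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
    $_.ObjectType -eq $ApplyGpoRight
}

if ($already) {
    Write-Output "Deny 'Apply Group Policy' already present for $GroupName on '$GpoName'."
} else {
    # Deny only the extended right; Read is left untouched, as the reply recommends.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpoRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $gpoPath -AclObject $acl
    Write-Output "Added Deny 'Apply Group Policy' for $GroupName on '$GpoName'."
}

# Show the resulting explicit Deny entries on the GPO for review.
(Get-Acl -Path $gpoPath).GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```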
