Recipe 9.10 Disabling the User or Computer Settings in a GPO | Active Directory Cookbook, 3rd Edition

9.10.1 Problem

You want to disable either the user or computer settings of a GPO.

9.10.2 Solution

9.10.2.1 Using a graphical user interface

Open the GPMC snap-in.
In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
Right-click on the target GPO and select GPO Status
You can either select User Configuration Settings Disabled to disable the user settings or Computer Configuration Settings Disabled to disable the computer settings.

9.10.2.2 Using VBScript

' This code can enable or disable the user or computer settings of a GPO. ' ------ SCRIPT CONFIGURATION ------ strGPO      = "<GPOName>"        ' e.g. Sales GPO strDomain   = "<DomainDNSName>"  ' e.g. rallencorp.com boolUserEnable = False boolCompEnable = True ' ------ END CONFIGURATION --------- set objGPM = CreateObject("GPMgmt.GPM") set objGPMConstants = objGPM.GetConstants( )    ' Initialize the Domain object set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC) ' Find the specified GPO set objGPMSearchCriteria = objGPM.CreateSearchCriteria objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _                          objGPMConstants.SearchOpEquals, cstr(strGPO) set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria) if objGPOList.Count = 0 then    WScript.Echo "Did not find GPO: " & strGPO    WScript.Echo "Exiting."    WScript.Quit elseif objGPOList.Count > 1 then    WScript.Echo "Found more than one matching GPO. Count: " & _                 objGPOList.Count    WScript.Echo "Exiting."    WScript.Quit else    WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName end if ' You can comment out either of these if you don't want to set one: objGPOList.Item(1).SetUserEnabled boolUserEnable WScript.Echo "User settings: " & boolUserEnable objGPOList.Item(1).SetComputerEnabled boolCompEnable WScript.Echo "Computer settings: " & boolCompEnable

9.10.3 Discussion

GPOs consist of two parts, a user and a computer section. The user section contains settings that are specific to a user that logs into a computer, while the computer section defines settings that apply to the computer regardless of which user logs in. You can enable or disable either the user configuration or computer configuration sections of a GPO, or both. By disabling both, you effectively disable the GPO. This can be useful if you want to stop a GPO from applying settings to clients, but you do not want to delete it, remove the links, or clear the settings.

Disabling the user configuration or the computer configuration is useful in environments that have separate OUs for computers and users. Typically, you would disable the computer configuration for GPOs linked to the users' OU and vice versa. Disabling half the GPO in the way makes GPO processing more efficient and can reduce logon times.

9.10.3.1 Using VBScript

First, I have to find the target GPO. To do this, I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero or more than one are returned, I abort the script. If only one is returned, I call the SetUserEnabled and SetComputerEnable methods to either enable or disable the settings per the configuration.

9.10.4 See Also

MSDN: GPMGPO.SetUserEnabled and MSDN: GPMGPO.SetComputerEnabled