Re: Domain Controller Security Policy
From: George Barley (georgebarleyit_nospam_at_yahoo.com)
Date: 04/28/04
- Next message: Peter Loerns: "Re: Errors 1202 on DCs"
- Previous message: Steven Umbach: "Re: Applying user configuration settings to an OU containing only computer objects"
- In reply to: Darren Mar-Elia: "Re: Domain Controller Security Policy"
- Next in thread: Andrew Mitchell: "Re: Domain Controller Security Policy"
- Reply: Andrew Mitchell: "Re: Domain Controller Security Policy"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 27 Apr 2004 22:38:36 -0500
Darren,
My goal is to let a couple of users log on to the Domain Controller
machine with ability to do nothing but run this one application, which
is a RIP (Raster Image Processor).
I understand I have to do it in the Domain Controller Security Policy,
but I don't understand how to differentiate between Administrators, and
say a group called "Rip_Users," to where Adminis can do anything, and
"Rip_Users" can't do but run the RIP app. Where, how, do I do this? I
need step-by-step instructions. I am very new to Group Policy.
Thank you!
Regards,
George
Darren Mar-Elia wrote:
> George-
> It really depends upon what you're trying to control. In your question you
> allude to things like the ability to change things like DNS, Exchange,etc.
> Not all of this stuff is easily delegate-able. In general, Administrators
> can do anything and it goes downhill from there. You can use security policy
> to delegate particular rights to particular user groups but there is no easy
> or clean solution for controlling everything. You can of course use
> Restricted Groups policy to selectively add user groups into built-in groups
> that do grant some capabilities but it really depends upon exactly what
> you're trying to delegate.
>
> Darren
> "George Barley" <georgebarleyit_nospam@yahoo.com> wrote in message
> news:uo4pF2LLEHA.1032@tk2msftngp13.phx.gbl...
>
>>Hello, I posted this as the last in a series of questins in the AD
>>group, but got no answer. Please help me figure this out.
>>
>>I understand how to create a new policy for the domain, an OU, or site,
>>but I want another policy for the Domain Controller (the current one is
>>the Start>Programs>Administrative Tools>Domain Controller Security
>>Policy), that only applies when a user logs on physically to the Domain
>>Controller machine. I want the settings (in that policy) for "Print
>>Operators," for example, to be different than the settings for the
>>Administrators, Domain Admins groups.
>>
>>How do I create a new policy for the Domain Controller so I can
>>differentiate between Admins logging on to the DC machine and "Print
>>Operators" or any other group I choose?
>>
>>Basically, I want Admins to do whatever they want when logging on to the
>>Domain Controller, but I also want a small group of users to log in to
>>the same Domain Controller machine, but be able to only use a certain
>>application, and not be able to change stuff like DNS, Exchange, ISA, etc.
>>
>>Thanks for the patience and advice,
>>George
>>georgebarleyit_nospam@yahoo.com (get rid of "_nospam" to email me)
>
>
>
- Next message: Peter Loerns: "Re: Errors 1202 on DCs"
- Previous message: Steven Umbach: "Re: Applying user configuration settings to an OU containing only computer objects"
- In reply to: Darren Mar-Elia: "Re: Domain Controller Security Policy"
- Next in thread: Andrew Mitchell: "Re: Domain Controller Security Policy"
- Reply: Andrew Mitchell: "Re: Domain Controller Security Policy"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
