Re: policy for only two computers

From: Carla (anonymous_at_discussions.microsoft.com)
Date: 09/18/04


Date: Sat, 18 Sep 2004 13:25:50 -0700

Cary,
You are really great, thank you very much for all this
information. I will try to read it again and again to
understand all the details. In the meantime, I also think it
will help me to understand the concept a little faster
if you can let me know if anything is missing in these steps:

1. In AD, the MyUsers OU has all network users and it has a
Group Policy where the Proxy setting is disabled in
User Configuration -> Internet Explorer (that is what we
need for all users, so I have nothing here for Computer
Configuration; you know that I need to enable it if users
are coming in on two of my computers).
2. I created a new OU, MyComputers, at the same level as
MyUsers in AD and moved my two computers there.
3. On the MyComputers OU, I created a new policy and set Group
Policy Loopback Processing to enabled in the Computer
Configuration of this policy (my understanding is that I do not
need to touch User Configuration here).

Is this all I need to do? If not, can you give me the rest?
Thanks,
Carla.

>-----Original Message-----
>Carla,
>
>Since you have never done Group Policy before, please allow me to give you
>the basics. I will try to be brief (I tend to babble on endlessly!).
>
>First of all you need to know that GPOs are linked at four levels: Local,
>Site, Domain and OU. The pecking order is the same as I just described.
>So, if there is a Site GPO that has a particular setting that conflicts with
>a setting in a Domain-linked GPO, then the setting in the Domain-linked GPO
>will win. Now, if there were a setting in an OU-linked GPO that conflicted
>with a setting in the Domain-linked GPO, then the OU-linked GPO would win.
>
>But what happens if there are conflicting settings at the same level?
>Easy. The pecking order is how the GPOs appear in the Editor. What is at
>the bottom is processed first and what is at the top of the list is
>processed last. So, the 'higher' one wins. Not too complicated so far!
>
>Now, how are GPOs created and where are they stored? A GPO is created when
>you go to an OU (I am going to focus on the OU level as this is the most
>common level that you would be using), right click that OU, select
>Properties, go to the Group Policy tab and click on the New... button. You
>then give it a 'friendly' name and click on the Edit button to make the
>settings. Please note that the GPO is comprised of two halves: the GPT and
>the GPC. The GPT (Group Policy Template) is the part of the GPO that
>resides in the SYSVOL share while the GPC (Group Policy Container) is the
>part that resides in Active Directory. We will leave it at that for the
>time being.
>
>So, you are in the GPO Editor and have clicked on the Edit button. You now
>see two halves: the Computer Configuration half and the User Configuration
>half. You need to know that any settings that you configure in the Computer
>Configuration half are processed when the computer restarts (well, mostly.
>There is a way around this). Similarly, any settings that you configure in
>the User Configuration half are processed when the user logs on (and,
>again, there is a way around this). So, just to be thorough, if you wanted
>some settings to affect the user side you would have to configure those
>settings in the User Configuration half. I know that this seems obvious but
>I need to make this clear. You will see why in a second.
>
>So, the process looks like this: you turn on the computer at the beginning
>of the day. When the computer starts up it will process any GPOs under
>whose influence it falls (meaning: any GPOs that are linked to the OU in
>which it - the computer account object - resides). You are then prompted
>to log on. So, you log on by entering a user name and password. Now any
>GPOs that are linked to the OU in which the user account object resides
>are processed. Hopefully you see that first the computer configuration
>settings are processed (based on the location of the computer account
>object) and then the user configuration settings are processed (based on
>the location of the user account object). This is a really important
>concept to understand!
>
>Now, what happens if you have some 'special' computers and you want to make
>sure that they are locked down good and tight no matter who logs on (well,
>with a few high-level exceptions)? You would take a look at Group Policy
>Loopback Processing. What exactly does this do? It alters the way that
>GPOs are processed.
>
>I mentioned that there are two modes in Loopback: Replace and Merge.
>
>Replace is what you would probably want in this situation. What this does
>is kinda neat. The computer boots up. It processes any GPOs that are
>linked to the OU in which the computer account object resides and then you
>are prompted to log on. You log on by entering a user name and password
>(sound familiar?). Now, it completely ignores any GPOs that are linked to
>the OU in which the user account object resides! Yep! Completely ignores
>it/them. Does not process nothing! Nada! Nichts! So, any settings that
>might be configured in the user configuration side of things are lost?
>Nope! You would configure them in the GPO that is linked to the OU in which
>the computer account object resides. Huh? Processes user configuration
>settings from a GPO that is linked to the OU in which the computer account
>object resides? But I just said, above, that it was a really important
>concept to understand how things are processed and now I am contradicting
>that! Well, yes, but no! This is Loopback processing! It works this way
>only in Loopback processing! And it affects only those users when logging
>onto the computer account objects that fall under the influence of this
>Loopback GPO.
>
>Merge is similar to Replace. There is one difference. With Merge any user
>configuration settings that might be set in any GPOs that are linked to the
>OU in which the user account object resides are actually processed. If
>there is a conflicting setting (between the 'computer' configuration and
>the 'user' configuration) then the setting in the GPO linked to the OU in
>which the user account object resides wins.
>
>I mentioned a 'few high-level exceptions' a couple of paragraphs above.
>What does that mean? Well, if you are locking down a computer - or group of
>computers - with the Loopback GPO I am pretty sure that you do not want the
>Domain Admins group to be affected by this GPO. I stated that this
>Loopback affects only those users while logging into the computer account
>objects that fall under the influence of the Loopback GPO. Well, a member
>of the Domain Admins is a user! Just like you and me (well, mostly and in
>this case definitely). How do we make sure that these special groups are
>not affected by the Loopback GPO (imagine how difficult it would be to
>troubleshoot and to fix things if you were locked down.....)? Well, in the
>Security tab of each GPO you will notice that there is a group called
>Authenticated Users that has both the READ and APPLY GROUP POLICY rights.
>You would want to remove this group and put in another security group, one
>which has only those user account objects that you want to be affected by
>this GPO. The key is to make sure that this group has both the READ and
>APPLY GROUP POLICY rights.
>
>There are several other things that affect GPOs. Slow links are one. Most
>GPOs are not processed when the computer detects a slow link. What is a
>slow link? By default, anything under 500kbps. This can be changed
>however!
>
>Does this help you?
>
>Cary
>
>
>"Carla" <anonymous@discussions.microsoft.com> wrote in message
>news:2b9001c49d8f$d4049210$a401280a@phx.gbl...
>> Hello Cary,
>> Thank you very much for the reply. I have never created a
>> Group Policy yet and I just want to make sure that I
>> understood what I should do. We have a MyUsers OU in our AD,
>> and there is a Group Policy where the Proxy setting is
>> disabled in User Configuration -> Internet Explorer
>> Maintenance -> Connection.
>>
>> Now, are you suggesting I should create a new OU,
>> MyComputers, under MyUsers and move my two computers
>> from the Computers container to the MyComputers OU and create a
>> new policy on it and set Group Policy Loopback Processing
>> to enabled in Computer Configuration?
>>
>> Also I have another question: my two computers are client
>> computers in a remote location connected through VPN;
>> they are not in my LAN. Does this make any difference?
>> Thank you very much for your help in advance.
>> Carla.
>>
>> >-----Original Message-----
>> >Carla,
>> >
>> >Take a look at Group Policy Loopback Processing (probably Merge Mode - with
>> >Replace Mode being the other possibility).
>> >
>> >You would need to make sure that only the two computers in question are in
>> >the same OU.....
>> >
>> >HTH,
>> >
>> >Cary
>> >
>> >"Carla" <anonymous@discussions.microsoft.com> wrote in message
>> >news:2aee01c49d7e$db167a20$a401280a@phx.gbl...
>> >> Hello,
>> >> I am trying to create a policy that un-checks Internet
>> >> Options -> Connection -> LAN Settings -> Proxy Server ->
>> >> Use Proxy Server for LAN setting in Internet Explorer for
>> >> all users and checks it only if users log in to MyComputer1
>> >> and MyComputer2, not for the rest of the computers in the
>> >> network.
>> >> Thanks,
>> >> Carla

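To make the precedence rules in Cary's reply concrete, here is an added Python model (not code from the thread or from Microsoft) of how a client resolves User Configuration settings under normal processing, Loopback Replace and Loopback Merge, run on Carla's MyUsers/MyComputers scenario. The GPO names, the `LoopbackMode` key and the `IE.UseProxyServer` key are constructed stand-ins for the real policy paths.

```python
from dataclasses import dataclass, field

LEVELS = ["Local", "Site", "Domain", "OU"]  # applied in this order; the later one wins

@dataclass
class GPO:
    name: str
    level: str                 # one of LEVELS
    position: int = 0          # row in the Group Policy tab; 0 = top, applied last
    computer: dict = field(default_factory=dict)  # Computer Configuration half
    user: dict = field(default_factory=dict)      # User Configuration half

def processing_order(gpos):
    """Local, Site, Domain, OU; within a level, bottom of the list first, top last."""
    return sorted(gpos, key=lambda g: (LEVELS.index(g.level), -g.position))

def apply_half(gpos, half):
    """Apply one half of each GPO in processing order; the last write wins a conflict."""
    result = {}
    for gpo in processing_order(gpos):
        result.update(getattr(gpo, half))
    return result

def effective_user_settings(computer_gpos, user_gpos):
    """computer_gpos scope the computer account object, user_gpos the user account object.
    The Loopback mode is a Computer Configuration setting (constructed key 'LoopbackMode')."""
    mode = apply_half(computer_gpos, "computer").get("LoopbackMode")
    if mode == "Replace":
        return apply_half(computer_gpos, "user")        # user's own GPOs are ignored entirely
    if mode == "Merge":
        merged = apply_half(computer_gpos, "user")
        merged.update(apply_half(user_gpos, "user"))    # user-side GPOs processed last, so they win
        return merged
    return apply_half(user_gpos, "user")                # normal: computer GPOs' user half is unused

# Carla's scenario (constructed values): the MyUsers OU GPO disables the proxy for everyone;
# the MyComputers OU GPO, linked where the two special computers live, turns Loopback on.
MYUSERS_GPO = GPO("Proxy Off", "OU", user={"IE.UseProxyServer": False})

def proxy_setting_for(loopback_mode):
    """Effective proxy flag for a MyUsers user on a MyComputers machine; None = no Loopback."""
    lockdown = GPO("Lockdown", "OU", computer={"LoopbackMode": loopback_mode},
                   user={"IE.UseProxyServer": True})
    return effective_user_settings([lockdown], [MYUSERS_GPO])["IE.UseProxyServer"]

if __name__ == "__main__":
    for mode in (None, "Merge", "Replace"):
        print(f"Loopback {mode!s:8} -> IE.UseProxyServer = {proxy_setting_for(mode)}")
```

Only Replace yields the proxy enabled on the two machines; Merge lets the MyUsers GPO win the conflict, which is why Cary steers Carla toward Replace.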
