RE: Restricting snap-ins


Hi Bob,

This is normal behavior, because the Group Policy security filter is
based on the user. You can specify that a GPO not be applied to a fixed user,
but you cannot restrict him to using only one machine. Just consider: if a
normal user and an admin both log on to the same computer, how can we tell the
computer it is a different user before they log on?

If you can restrict normal users so that they can only log on to some fixed
computers, you can move these computer accounts into one OU and deploy the GPO
to this OU only.

Hope the information helps.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================



--------------------
From: Bob <86c6c2e6-2146512712@xxxxxxxxxxxxxx>
Subject: RE: Restricting snap-ins
Date: Mon, 19 Jun 2006 07:31:02 -0700
Newsgroups: microsoft.public.win2000.group_policy

Hi Vincent,
I found this setting to work just fine. Thank you!

But I would like this setting to only apply to Domain Users and not Domain
Admins.

I've been able to control GPO's to "not" apply to Domain Admins by changing
the GPO's security properties to deny "Apply Group Policy" for Domain Admins
and Enterprise Admins. This technique works fine for User Configuration
GPO's, but your suggestion is found in the Computer Configuration GPO and for
some reason my deny Apply Group Policy seems to be ignored for the Computer
Configuration GPO.

Is this normal behavior or should the deny work for Computer Configuration
GPO's just like it works for the User Configuration GPO?
--
Bob
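
The behavior discussed in this thread, as an added Python sketch that is not part of either post and is not Microsoft code: a simplified model in which each half of a GPO is checked against the account that processes it (the computer account for Computer Configuration, the logged-on user for User Configuration). All account, group membership, OU and domain names are constructed assumptions.

```python
# Added illustration: a simplified model of GPO scoping, not Microsoft code.
# All account, group membership, OU and domain names below are constructed.
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"

@dataclass(frozen=True)
class Ace:
    trustee: str   # account or group named in the GPO's security properties
    right: str
    allow: bool

@dataclass(frozen=True)
class Gpo:
    linked_to: str  # domain or OU the GPO is linked to
    acl: tuple

@dataclass(frozen=True)
class Account:
    token: frozenset       # the account plus every group it belongs to
    containers: frozenset  # domain and OUs the account object sits under

def gpo_applies(gpo, account):
    """In scope via the link, Read and Apply both allowed, and any deny wins."""
    for right in (READ, APPLY):
        aces = [a for a in gpo.acl if a.right == right and a.trustee in account.token]
        if not aces or any(not a.allow for a in aces):
            return False
    return gpo.linked_to in account.containers

def halves_applied(gpo, computer, user):
    """Each half is evaluated against the account that processes it."""
    return {"Computer Configuration": gpo_applies(gpo, computer),
            "User Configuration": gpo_applies(gpo, user)}

AUTH = "Authenticated Users"
ACL = (Ace(AUTH, READ, True), Ace(AUTH, APPLY, True),
       Ace("Domain Admins", APPLY, False), Ace("Enterprise Admins", APPLY, False))
DOMAIN_GPO = Gpo("example.test", ACL)   # linked at the domain
OU_GPO = Gpo("OU=UserPCs", ACL)         # linked only to the OU of user machines

USER_PC = Account(frozenset({"WKS01$", "Domain Computers", AUTH}),
                  frozenset({"example.test", "OU=UserPCs"}))
ADMIN_PC = Account(frozenset({"ADM01$", "Domain Computers", AUTH}),
                   frozenset({"example.test", "OU=AdminPCs"}))
ADMIN = Account(frozenset({"alice", "Domain Admins", "Domain Users", AUTH}),
                frozenset({"example.test", "OU=Staff"}))
```

With the GPO linked at the domain, the deny for Domain Admins removes only the User Configuration half for the admin; linking it to the OU of user machines keeps the Computer Configuration half off the admin's own machine but not off a user machine the admin logs on to.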

