Re: Block GPO across trusted domains
From: andrea cuozzo (andreacuozzo_at_hotmail.com)
Date: 07/27/04
Date: Tue, 27 Jul 2004 22:30:08 +0200
Darren, thanks for the answer, but (as a loyal subscriber of Windows .NET
Magazine) let me abuse your patience and try to make my question clearer:
- Domain B (win2k3) trusts domain A (win2k3) with a mono-directional
external trust (completely different namespaces)
- On Domain A, users are subjected to several policies
- On Domain B there is a Terminal Server (with Citrix) with a loopback policy (in
replace mode) applied to its computer account, that removes items from the
desktop (among other configurations)
- When a user from domain A logs on to the Terminal Server he sees the
effect of the loopback policy, but also the effect of the policies applied
on domain A (a logon script, in my case). I'm the administrator of domain B,
responsible for the availability of terminal server applications, and I
wouldn't like to find out that a change in the policy from domain A (for
instance, new software installation) may interfere with my servers.
So my desire is to (somehow) block the application of policies coming from
domain A when the user logs on to the Terminal Server, and I thought that
loopback configuration was exactly what I needed, but instead policies from
domain A still seem to get applied.
thanx again
andrea
"Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in
message news:Ovmt0k2cEHA.384@TK2MSFTNGP10.phx.gbl...
> The simplest solution I can think of is to remove the Authenticated Users
> ACE on that GPO and replace it with the Domain Users group from the trusted
> domain. The only issue with this is that Authenticated Users covers computer
> accounts as well, so if you have any computer-specific policy in that GPO,
> you'll need to add the Domain Computers group as well as Domain Users.
>
> Hope that helps.
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Management
> http://www.gpoguy.com
>
>
>
> "andrea cuozzo" <andreacuozzo@hotmail.com> wrote in message
> news:uu01CD0cEHA.2140@TK2MSFTNGP09.phx.gbl...
> > Hello,
> >
> > I'd like to block GPO application over users that log on to a trusted domain
> > from a trusting workstation; here's my situation:
> >
> > 1. domain B (win2k3) trusts domain A (win2k3)
> > 2. user MYTEST belongs to domain A, and to the TEST ou
> > 3. a GPO is applied on the TEST ou in domain A that maps a network drive via
> > a wsh script
> > 4. workstation MYWKS belongs to domain B
> >
> > when user MYTEST logs on to the A domain on the MYWKS computer, the GPOs
> > from domain A get applied to it, and the map drive script runs. Is there a
> > way to prevent GPO application if the user is logging from a trusted domain
> > ? (eg. if logging from domain B then don't block domain A GPO application ?)
> >
> > thanxs
> >
> > andrea
> >
> >
>
>