Re: Controlling User Policy via Computer account

Tech-Archive recommends: Fix windows errors by optimizing your registry

That sounds good, except that the policy I want to utilize is the
screensaver. For HIPAA security we need to force a screensaver out to all
networked PCs, but there are a few exceptions. I was trying to avoid
creating multiple OUs to resolve this.
Unfortunately the screensaver is a user policy and not a computer policy and
therefore it looks like we can not control it based on the computer with just
a GPO and security groups.

Any other thoughts? Thanks for your help.
Warner.

"Roger Abell" wrote:

> oops - I had a major lapse there
> You do not need a subOU.
> Since loopback processing is a machine policy you could
> link the new loopback GPO on the original OU and use
> security group processing so that it will apply to the
> group of machines on which it should have an effect and
> on the users for which it should be effective, after removing
> the read/apply for Authenticated Users.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Roger Abell" <mvpNOSpam@xxxxxxx> wrote in message
> news:u2FtzEfOFHA.624@xxxxxxxxxxxxxxxxxxxxxxx
> > I see no way to do precisely that, at least not without
> > OU restructure. If you would define a new subOU and
> > move all machines except the exempt ones into the new
> > subOU, and then link a GPO set to use loopback processing
> > on the new subOU then you could effect the objective with
> > minimum restructure/redef of existing OUs and GPOs.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Warner@xxxxxxxxxxxxxxxx"
> <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > wrote in message
> news:325DB1CD-5157-42B7-9EC4-46AAC125734D@xxxxxxxxxxxxxxxx
> > > Is is possible to Apply a User Policy only if the Computer account is a
> > > member of a security group?
> > > I have a user policy that I want applied to all computers except a few.
> I
> > > would like to control this based on a security group rather than an OU.
> > Is
> > > this possible?
> > >
> > > Thanks,
> > > Warner.
> >
> >
>
>
>
.

Relevant Pages

  • Fwd: Oh Dear, Where to start?!
    ... It seems to me you need two things: an organizational policy, ... finish college and break into the real world of computer security. ... experience in the field of network security and policy ... updates, driver updates, and recommended updates. ...
    (Security-Basics)
  • RE: [fw-wiz] PIX vs Checkpoint vs Sonicwall vs Netscreen - comme nts?
    ... All NetScreen appliances rely on custom-designed ASICs (Application ... Specific Integrated Circuits) for security policy enforcement. ... supports a finite number of "rules" or "policies". ...
    (Firewall-Wizards)
  • RE: Cant set Local Security policies. They fail to save
    ... predefined Security Template on SBS 2003 to restore security groups ... run "gpupdate.exe /force" under command prompt to force the policy ... reboot the Server to test. ... and then logon to client computer to test if user can save system logs. ...
    (microsoft.public.windows.server.sbs)
  • RE: [fw-wiz] PIX vs Checkpoint vs Sonicwall vs Netscreen - comme nts?
    ... The report you cite is CheckPoint originated and deals with older NetScreen ... All NetScreen appliances rely on custom-designed ASICs (Application ... Specific Integrated Circuits) for security policy enforcement. ...
    (Firewall-Wizards)
  • Re: No Shut Down or Restart for Domain Admins
    ... run rsop.msc from your DC and check which policy is responsible to this. ... I have created a group policy in a development network and imported it ... NT AUTHORITY\Authenticated Users Read (from Security Filtering) No ... Enforce user logon restrictions Enabled ...
    (microsoft.public.windows.server.active_directory)