Re: Controlling User Policy via Computer account


I've done what you've suggested and the user policy will not apply based on
the computer being in the group or OU. Even with the Loopback policy, the
user policy will not apply with the computer being in the group or the OU.
It only wants to apply the user policy with the user's access. It doesn't
seem to matter whether the computer is in the group or the OU.

I want to confirm that the loopback policy is designed to apply the user
policy based on the security access or OU membership of the computer account.
Is that correct?
If this is correct, it does not seem to work.

Thanks,
Warner.



"Roger Abell" wrote:

> The use of loopback GPO processing causes user policies
> to be applied even though the user objects are not in the OU.
> That is why loopback was mentioned in all responses so far.
> The machines that have read/apply will see the machine
> policy that says to do loopback - this gives you control over
> which machines will cause the user policies (due to loopback)
> to be enforced. Users will also need read/apply for their
> login at a machine where the loopback processing is active
> to have an effect on their login.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> wrote in message news:EE7F4D48-285A-48D2-889B-1BC8961AF458@xxxxxxxxxxxxxxxx
> > That sounds good, except that the policy I want to utilize is the
> > screensaver. For HIPAA security we need to force a screensaver out to all
> > networked PCs, but there are a few exceptions. I was trying to avoid
> > creating multiple OUs to resolve this.
> > Unfortunately the screensaver is a user policy and not a computer policy and
> > therefore it looks like we can not control it based on the computer with just
> > a GPO and security groups.
> >
> > Any other thoughts? Thanks for your help.
> > Warner.
> >
> > "Roger Abell" wrote:
> >
> > > oops - I had a major lapse there
> > > You do not need a subOU.
> > > Since loopback processing is a machine policy you could
> > > link the new loopback GPO on the original OU and use
> > > security group processing so that it will apply to the
> > > group of machines on which it should have an effect and
> > > on the users for which it should be effective, after removing
> > > the read/apply for Authenticated Users.
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Roger Abell" <mvpNOSpam@xxxxxxx> wrote in message
> > > news:u2FtzEfOFHA.624@xxxxxxxxxxxxxxxxxxxxxxx
> > > > I see no way to do precisely that, at least not without
> > > > OU restructure. If you would define a new subOU and
> > > > move all machines except the exempt ones into the new
> > > > subOU, and then link a GPO set to use loopback processing
> > > > on the new subOU then you could effect the objective with
> > > > minimum restructure/redef of existing OUs and GPOs.
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > > > wrote in message news:325DB1CD-5157-42B7-9EC4-46AAC125734D@xxxxxxxxxxxxxxxx
> > > > > Is it possible to Apply a User Policy only if the Computer account is a
> > > > > member of a security group?
> > > > > I have a user policy that I want applied to all computers except a few. I
> > > > > would like to control this based on a security group rather than an OU. Is
> > > > > this possible?
> > > > >
> > > > > Thanks,
> > > > > Warner.
> > > >
> > > >
> > >
> > >
> > >
>
>
>
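
The arrangement described in Roger Abell's quoted replies (one GPO linked on the existing OU, loopback enabled as a machine policy, security filtering in place of Authenticated Users), written out as an added PowerShell example that is not part of the original thread. The GPO, group and OU names and the 600-second timeout are hypothetical, and it assumes the user accounts sit outside the OU where the GPO is linked, so that only loopback can bring the user settings into scope.

```powershell
# Added example: all names below are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName       = 'Screensaver-Loopback'               # hypothetical GPO name
$ComputerOU    = 'OU=Workstations,DC=example,DC=com'  # hypothetical OU holding all PCs
$ComputerGroup = 'Screensaver-Enforced-PCs'           # hypothetical group: every PC except the exempt ones
$UserGroup     = 'Domain Users'                       # users who need read/apply on the GPO

New-GPO -Name $GpoName | Out-Null

# Computer side: enable loopback processing (1 = Merge, 2 = Replace).
# Only machines that can read/apply this GPO will ever see this setting.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User side: password-protected screensaver (timeout value is an example).
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$settings = [ordered]@{
    ScreenSaveActive    = '1'
    ScreenSaverIsSecure = '1'
    ScreenSaveTimeOut   = '600'
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $desktopKey `
        -ValueName $name -Type String -Value $settings[$name] | Out-Null
}

# Security filtering: the computer group decides WHERE loopback is active,
# the user group decides WHO can apply the user settings.
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Remove the default read/apply for Authenticated Users, which would
# otherwise put every computer in the OU in scope, exempt ones included.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Link on the existing OU; no sub-OU is needed.
New-GPLink -Name $GpoName -Target $ComputerOU | Out-Null

# Review the resulting filter before testing a logon.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

After a restart (so the computer picks up the loopback setting) and a fresh logon, `gpresult /r /scope user` on a PC in the group and on an exempt PC shows whether the GPO appears under the applied user policies.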