Re: Controlling User Policy via Computer account




I actually tried what you stated regarding security group membership,
removing authenticated users, and turning on the loopback option. However,
it only seems to work with users, not computers as the group members.
I'm trying to get the screensaver user policy to apply based on the computer
membership. The same user should login and get a different screensaver
policy based on the membership of the computer. Shouldn't this work using
the loopback policy?

Thanks,
Warner.

"Jim Vierra" wrote:

> It will only apply the computer settings to the computer. The user settings will only apply to users in an OU.
>
> Under "Applies To" you should have "Authenticated Users" selected. Still it should only apply to the members of the OU.
>
> The answer to your original question:
>
> Is it possible to Apply a User Policy only if the Computer account is a
> member of a security group?
>
> is yes. Just put a WMI filter on the policy so that it filters for only the computers you want to receive the policy when the user logs in.
>
> Use ADUC query to build and test your WMI filter. The policy will apply but needs to be done with loopback processing if another policy contains settings in conflict with your settings.
>
> You can also apply the policy based on security group membership. Remove the default "Authenticated Users" from the "Applies To" and add the security group into the setting. The policy will only apply "on" members of that security group in that OU. Policy precedence rules still apply. This is why there is "Group Policy Modeling". Modeling will tell you if you are "going" to get the desired outcome before you release the policy. This is a good diagnostic to help troubleshoot and should be used first before attempting to implement. If it won't work in Modeling it isn't going to work in real life. Then if you have issues with policy application you can be pretty sure it's at the workstation or policy engine level and not in policy design.
>
> Policy Modeling is very detailed once you understand its output.
>
>
> --
> Jim Vierra
> http://msdn.Microsoft.com/theshow/Episode048/default.asp
> "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0B274CF0-D904-413E-9CB5-F9AE023F49F7@xxxxxxxxxxxxxxxx
> > I've done what you've suggested and the user policy will not apply based on
> > the computer being in the group or OU. Even with the Loopback policy, the
> > user policy will not apply with the computer being in the group or the OU.
> > It only wants to apply the user policy with the user's access. It doesn't
> > seem to matter whether the computer is in the group or the OU.
> >
> > I want to confirm that the loop back policy is designed to apply the user
> > policy based on the security access or OU membership of the computer account.
> > Is that correct?
> > If this is correct, it does not seem to work.
> >
> > Thanks,
> > Warner.
> >
> >
> >
> > "Roger Abell" wrote:
> >
> >> The use of loopback GPO processing causes user policies
> >> to be applied even though the user objects are not in the OU.
> >> That is why loopback was mentioned in all responses so far.
> >> The machines that have read/apply will see the machine
> >> policy that says to do loopback - this gives you control over
> >> which machines will cause the user policies (due to loopback)
> >> to be enforced. Users will also need read/apply for their
> >> login at a machine where the loopback processing is active
> >> to have an effect on their login.
> >>
> >> --
> >> Roger Abell
> >> Microsoft MVP (Windows Security)
> >> MCSE (W2k3,W2k,Nt4) MCDBA
> >> "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >> wrote in message news:EE7F4D48-285A-48D2-889B-1BC8961AF458@xxxxxxxxxxxxxxxx
> >> > That sounds good, except that the policy I want to utilize is the
> >> > screensaver. For HIPAA security we need to force a screensaver out to all
> >> > networked PCs, but there are a few exceptions. I was trying to avoid
> >> > creating multiple OUs to resolve this.
> >> > Unfortunately the screensaver is a user policy and not a computer policy and
> >> > therefore it looks like we can not control it based on the computer with just
> >> > a GPO and security groups.
> >> >
> >> > Any other thoughts? Thanks for your help.
> >> > Warner.
> >> >
> >> > "Roger Abell" wrote:
> >> >
> >> > > oops - I had a major lapse there
> >> > > You do not need a subOU.
> >> > > Since loopback processing is a machine policy you could
> >> > > link the new loopback GPO on the original OU and use
> >> > > security group processing so that it will apply to the
> >> > > group of machines on which it should have an effect and
> >> > > on the users for which it should be effective, after removing
> >> > > the read/apply for Authenticated Users.
> >> > >
> >> > > --
> >> > > Roger Abell
> >> > > Microsoft MVP (Windows Security)
> >> > > MCSE (W2k3,W2k,Nt4) MCDBA
> >> > > "Roger Abell" <mvpNOSpam@xxxxxxx> wrote in message
> >> > > news:u2FtzEfOFHA.624@xxxxxxxxxxxxxxxxxxxxxxx
> >> > > > I see no way to do precisely that, at least not without
> >> > > > OU restructure. If you would define a new subOU and
> >> > > > move all machines except the exempt ones into the new
> >> > > > subOU, and then link a GPO set to use loopback processing
> >> > > > on the new subOU then you could effect the objective with
> >> > > > minimum restructure/redef of existing OUs and GPOs.
> >> > > >
> >> > > > --
> >> > > > Roger Abell
> >> > > > Microsoft MVP (Windows Security)
> >> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> >> > > > "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >> > > > wrote in message news:325DB1CD-5157-42B7-9EC4-46AAC125734D@xxxxxxxxxxxxxxxx
> >> > > > > Is it possible to Apply a User Policy only if the Computer account is a
> >> > > > > member of a security group?
> >> > > > > I have a user policy that I want applied to all computers except a few. I
> >> > > > > would like to control this based on a security group rather than an OU. Is
> >> > > > > this possible?
> >> > > > >
> >> > > > > Thanks,
> >> > > > > Warner.
> >> > > >
> >> > > >
> >> > >
> >> > >
> >> > >
> >>
> >>
> >>
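The approach Roger Abell lays out above (loopback is a computer setting, so link one GPO at the computers' OU, put the loopback setting and the screensaver user settings in it, and filter it by security group to both the machines and the users it should affect) can be built and checked from the GroupPolicy module. The script below is an added example written for this thread, not code posted by any participant; the GPO name, OU distinguished name and group names are assumed placeholders.

```powershell
# Added example (not from the thread): create the loopback GPO Roger Abell
# describes and verify its security filtering. Needs the GroupPolicy RSAT
# module and rights to create/edit GPOs. All names below are assumptions.
Import-Module GroupPolicy

$GpoName       = 'Screensaver-Loopback'                 # assumed GPO name
$OuDn          = 'OU=Workstations,DC=example,DC=com'    # assumed OU holding the computer accounts
$ComputerGroup = 'GPO-Screensaver-Computers'            # assumed group of computer accounts that must enforce the screensaver
$UserGroup     = 'Domain Users'                         # users whose logon at those machines should get the setting

# 1. Create the GPO once and link it to the OU that contains the computers
#    (the user objects need not be in this OU; loopback takes care of that).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback (Replace) + screensaver user settings'
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# 2. Computer side: "Configure user Group Policy loopback processing mode".
#    UserPolicyMode 2 = Replace (only GPOs linked to the computer's scope
#    supply user settings), 1 = Merge (computer-scope GPOs win on conflict).
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. User side, in the same GPO: the screensaver settings that should follow
#    the computer rather than the user (User Configuration > Control Panel).
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900' | Out-Null  # seconds

# 4. Security filtering. Authenticated Users is lowered to Read only (so the
#    GPO no longer applies to every machine and user); -Replace is needed
#    because Set-GPPermission will not lower a level otherwise. The computer
#    group gets Apply so member machines read the loopback setting, and the
#    user group gets Apply so the user settings take effect at those machines.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup     -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Show the resulting ACL and the loopback value so the design can be
#    checked before Group Policy Modeling / a test logon.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission | Format-Table -AutoSize
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' |
    Select-Object ValueName, Type, Value
```

Two checks worth running after this. First, a computer only picks up new group membership in its token at restart, so a machine added to the computer group will not see the loopback GPO until it has rebooted; a user added to the user group needs a fresh logon. Second, on a member machine `gpresult /scope:user /r` for the logged-on user should list the GPO under applied objects, and on an exempt machine the same user should see it filtered out, which is exactly the symptom Warner reports when the computer side of the filter is missing. Keeping Read (not Apply) for Authenticated Users is deliberate: since the MS16-072 change to Group Policy, a computer retrieves the user portion of a GPO in its own security context and must be able to read the GPO for loopback to deliver those user settings at all.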


