Re: Controlling User Policy via Computer account



That did the job.
Thank you very much for your help.

Warner.

"Roger Abell" wrote:

> OK, once more.
> If you remove Authenticated Users
> 1 add group that has as members the machines that _are_in_the_OU_
> and for which the user policies should be active
> 2 add a group of the user accounts for which this should happen
> (1 and 2 are adding grants of read/apply in the GPO security)
> 3 set on loopback processing
> 4 place the machines in the OU to which this GPO is linked
> then
> you should see
> a. on machines not in the group of 1 that there is no impact by
> user policies of the GPO when a user in group of 2 logs in
> b. on machines in the group of 1 that there is no impact by user
> policies of the GPO when users not in the group of 2 log in
> c. the user policies of the GPO are applied to users of the group
> of 2 when they log into a machine in the group of 1
> --
> Roger
> "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> wrote in message news:0B274CF0-D904-413E-9CB5-F9AE023F49F7@xxxxxxxxxxxxxxxx
> > I've done what you've suggested and the user policy will not apply based on
> > the computer being in the group or OU. Even with the Loopback policy, the
> > user policy will not apply with the computer being in the group or the OU.
> > It only wants to apply the user policy with the user's access. It doesn't
> > seem to matter whether the computer is in the group or the OU.
> >
> > I want to confirm that the loop back policy is designed to apply the user
> > policy based on the security access or OU membership of the computer account.
> > Is that correct?
> > If this is correct, it does not seem to work.
> >
> > Thanks,
> > Warner.
> >
> >
> >
> > "Roger Abell" wrote:
> >
> > > The use of loopback GPO processing causes user policies
> > > to be applied even though the user objects are not in the OU.
> > > That is why loopback was mentioned in all responses so far.
> > > The machines that have read/apply will see the machine
> > > policy that says to do loopback - this gives you control over
> > > which machines will cause the user policies (due to loopback)
> > > to be enforced. Users will also need read/apply for their
> > > login at a machine where the loopback processing is active
> > > to have an effect on their login.
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > > wrote in message news:EE7F4D48-285A-48D2-889B-1BC8961AF458@xxxxxxxxxxxxxxxx
> > > > That sounds good, except that the policy I want to utilize is the
> > > > screensaver. For HIPAA security we need to force a screensaver out to all
> > > > networked PCs, but there are a few exceptions. I was trying to avoid
> > > > creating multiple OUs to resolve this.
> > > > Unfortunately the screensaver is a user policy and not a computer policy and
> > > > therefore it looks like we can not control it based on the computer with just
> > > > a GPO and security groups.
> > > >
> > > > Any other thoughts? Thanks for your help.
> > > > Warner.
> > > >
> > > > "Roger Abell" wrote:
> > > >
> > > > > oops - I had a major lapse there
> > > > > You do not need a subOU.
> > > > > Since loopback processing is a machine policy you could
> > > > > link the new loopback GPO on the original OU and use
> > > > > security group processing so that it will apply to the
> > > > > group of machines on which it should have an effect and
> > > > > on the users for which it should be effective, after removing
> > > > > the read/apply for Authenticated Users.
> > > > >
> > > > > --
> > > > > Roger Abell
> > > > > Microsoft MVP (Windows Security)
> > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > "Roger Abell" <mvpNOSpam@xxxxxxx> wrote in message
> > > > > news:u2FtzEfOFHA.624@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > > I see no way to do precisely that, at least not without
> > > > > > OU restructure. If you would define a new subOU and
> > > > > > move all machines except the exempt ones into the new
> > > > > > subOU, and then link a GPO set to use loopback processing
> > > > > > on the new subOU then you could effect the objective with
> > > > > > minimum restructure/redef of existing OUs and GPOs.
> > > > > >
> > > > > > --
> > > > > > Roger Abell
> > > > > > Microsoft MVP (Windows Security)
> > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > > > > > wrote in message news:325DB1CD-5157-42B7-9EC4-46AAC125734D@xxxxxxxxxxxxxxxx
> > > > > > > Is it possible to Apply a User Policy only if the Computer account is a
> > > > > > > member of a security group?
> > > > > > > I have a user policy that I want applied to all computers except a few. I
> > > > > > > would like to control this based on a security group rather than an OU. Is
> > > > > > > this possible?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Warner.
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
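The four steps Roger describes (remove Authenticated Users, grant Read/Apply to a machine group and a user group, turn on loopback, link the GPO to the OU that holds the machines) can be scripted with the GroupPolicy module. The script below is an added example and is not from the thread or from Microsoft; the GPO name, the two group names, the OU distinguished name and the screensaver timeout are placeholder values you would replace with your own.

```powershell
# Added example: implements the security-filtered loopback GPO from the thread.
# Run from a domain-joined admin workstation or DC with RSAT (GroupPolicy module).
Import-Module GroupPolicy

# Placeholder names (assumptions, not values from the thread).
$GpoName      = 'HIPAA Screensaver Loopback'
$MachineGroup = 'GPO-Screensaver-Computers'   # step 1: machines that should enforce the user settings
$UserGroup    = 'GPO-Screensaver-Users'       # step 2: users the settings should apply to
$TargetOu     = 'OU=Workstations,DC=example,DC=com'  # step 4: OU the machines already live in

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Remove Read/Apply from Authenticated Users so that group membership alone
# decides which machines and users the GPO reaches.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# Steps 1 and 2: GpoApply grants both Read and Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $MachineGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 3: loopback is a Computer Configuration setting ("Configure user Group Policy
# loopback processing mode"). Registry-backed: UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# The user-side screensaver policy the thread is about (User Configuration >
# Administrative Templates > Control Panel > Personalization). These are REG_SZ values.
$ssKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value '600' | Out-Null  # seconds, placeholder

# Step 4: link to the OU containing the machines. The user accounts do not need
# to be in this OU; loopback makes the machine's location decide.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Check the resulting ACL: only the two groups should hold GpoApply.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission -AutoSize
```

To verify Roger's cases a, b and c, log on to a machine in the machine group as a member of the user group and run `gpresult /scope user /r`; the GPO should be listed under "Applied Group Policy Objects" there and not on a machine outside the group, nor for a user outside the user group. One caveat for current domains: since the MS16-072 change (June 2016), user policy is read in the computer's security context, so the computer account must have Read on a GPO for its user settings to apply. The design above satisfies that, because the machines that are meant to enforce the settings hold GpoApply, which includes Read; machines outside the group are meant to skip the GPO anyway.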