Re: Controlling User Policy via Computer account



"Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:D150486E-2C86-438A-8E49-22F97CEA5A9D@xxxxxxxxxxxxxxxx
> That did the job.
> Thank you very much for your help.
>
> Warner.
>

You are welcome.
FYI, I would prefer use of a subOU, as first posted.

--
Roger

> "Roger Abell" wrote:
>
> > OK, once more.
> > If you remove Authenticated Users
> > 1 add group that has as members the machines that _are_in_the_OU_
> > and for which the user policies should be active
> > 2 add a group of the user accounts for which this should happen
> > (1 and 2 are adding grants of read/apply in the GPO security)
> > 3 set on loopback processing
> > 4 place the machines in the OU to which this GPO is linked
> > then
> > you should see
> > a. on machines not in the group of 1 that there is no impact by
> > user policies of the GPO when a user in group of 2 logs in
> > b. on machines in the group of 1 that there is no impact by user
> > policies of the GPO when users not in the group of 2 log in
> > c. the user policies of the GPO are applied to users of the group
> > of 2 when they log into a machine in the group of 1
> > --
> > Roger
> > "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > wrote in message news:0B274CF0-D904-413E-9CB5-F9AE023F49F7@xxxxxxxxxxxxxxxx
> > > I've done what you've suggested and the user policy will not apply based
> > > on the computer being in the group or OU. Even with the Loopback policy, the
> > > user policy will not apply with the computer being in the group or the OU.
> > > It only wants to apply the user policy with the user's access. It doesn't
> > > seem to matter whether the computer is in the group or the OU.
> > >
> > > I want to confirm that the loop back policy is designed to apply the user
> > > policy based on the security access or OU membership of the computer account.
> > > Is that correct?
> > > If this is correct, it does not seem to work.
> > >
> > > Thanks,
> > > Warner.
> > >
> > >
> > >
> > > "Roger Abell" wrote:
> > >
> > > > The use of loopback GPO processing causes user policies
> > > > to be applied even though the user objects are not in the OU.
> > > > That is why loopback was mentioned in all responses so far.
> > > > The machines that have read/apply will see the machine
> > > > policy that says to do loopback - this gives you control over
> > > > which machines will cause the user policies (due to loopback)
> > > > to be enforced. Users will also need read/apply for their
> > > > login at a machine where the loopback processing is active
> > > > to have an effect on their login.
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > > > wrote in message news:EE7F4D48-285A-48D2-889B-1BC8961AF458@xxxxxxxxxxxxxxxx
> > > > > That sounds good, except that the policy I want to utilize is the
> > > > > screensaver. For HIPAA security we need to force a screensaver out to all
> > > > > networked PCs, but there are a few exceptions. I was trying to avoid
> > > > > creating multiple OUs to resolve this.
> > > > > Unfortunately the screensaver is a user policy and not a computer policy and
> > > > > therefore it looks like we can not control it based on the computer with just
> > > > > a GPO and security groups.
> > > > >
> > > > > Any other thoughts? Thanks for your help.
> > > > > Warner.
> > > > >
> > > > > "Roger Abell" wrote:
> > > > >
> > > > > > oops - I had a major lapse there
> > > > > > You do not need a subOU.
> > > > > > Since loopback processing is a machine policy you could
> > > > > > link the new loopback GPO on the original OU and use
> > > > > > security group processing so that it will apply to the
> > > > > > group of machines on which it should have an effect and
> > > > > > on the users for which it should be effective, after removing
> > > > > > the read/apply for Authenticated Users.
> > > > > >
> > > > > > --
> > > > > > Roger Abell
> > > > > > Microsoft MVP (Windows Security)
> > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > "Roger Abell" <mvpNOSpam@xxxxxxx> wrote in message
> > > > > > news:u2FtzEfOFHA.624@xxxxxxxxxxxxxxxxxxxxxxx
> > > > > > > I see no way to do precisely that, at least not without
> > > > > > > OU restructure. If you would define a new subOU and
> > > > > > > move all machines except the exempt ones into the new
> > > > > > > subOU, and then link a GPO set to use loopback processing
> > > > > > > on the new subOU then you could effect the objective with
> > > > > > > minimum restructure/redef of existing OUs and GPOs.
> > > > > > >
> > > > > > > --
> > > > > > > Roger Abell
> > > > > > > Microsoft MVP (Windows Security)
> > > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > > "Warner@xxxxxxxxxxxxxxxx" <Warnernospampostalias@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > > > > > > wrote in message news:325DB1CD-5157-42B7-9EC4-46AAC125734D@xxxxxxxxxxxxxxxx
> > > > > > > > Is it possible to Apply a User Policy only if the Computer account is a
> > > > > > > > member of a security group?
> > > > > > > > I have a user policy that I want applied to all computers except a few. I
> > > > > > > > would like to control this based on a security group rather than an OU. Is
> > > > > > > > this possible?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Warner.
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >

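The four steps Roger lists (remove Authenticated Users, grant read/apply to a machine group and a user group, enable loopback, link to the OU the machines live in) as a script. This is an added example, not code from the thread; it uses the GroupPolicy and ActiveDirectory modules, and the GPO, group and OU names are placeholders. The screensaver settings themselves are not configured here.

```powershell
# Added example (not from the thread). Names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'Loopback-Screensaver'                 # placeholder GPO name
$MachineGrp = 'GPO-Screensaver-Computers'            # step 1: machines (in the OU) that should enforce it
$UserGrp    = 'GPO-Screensaver-Users'                # step 2: users whose user settings should be applied
$TargetOU   = 'OU=Workstations,DC=example,DC=com'    # placeholder OU the GPO is linked to

# Create the GPO if it does not exist and link it to the OU (step 4: the
# machines in $MachineGrp must sit under this OU for the link to reach them).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Step 3: loopback processing is a computer-side setting.
# UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Steps 1 and 2: drop Authenticated Users, then grant Read + Apply (GpoApply)
# to the machine group and the user group. The machine group's Read is what
# lets those computers retrieve the GPO and see the loopback setting at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $GpoName -TargetName $MachineGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Check: security filtering should now show Apply for only the two groups.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
```

To confirm cases a, b and c from the thread, run `gpresult /r /scope:user` as a user in each group on a machine in and out of the machine group and check whether the GPO appears under applied or filtered-out policies.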