Re: Group Policy Precedence
- From: "Simon Geary" <simon_geary@xxxxxxxxxxx>
- Date: Mon, 11 Apr 2005 00:23:39 +0100
OK, how about this as a revised suggestion to overcome that:
1. Create a new GPO with the lockdown settings and apply it to all Domain
Users.
2. Create a new security group, but don't add any users to it.
3. On the ACL of the Group Policy, assign the new security group the 'Deny
Read' and 'Deny Apply Group Policy' permissions.
4. When you find users you don't want the settings to apply to, add them to
the security group. The Deny permission from the security group will trump
the Allow permission from Domain Users.
By the way, it's pretty trivial to script the creation of a new security
group that automatically contains all user accounts. I still reckon the
first suggestion is the best way to go for Group Policy simplicity, even if
it involves more work up front. When you start using multiple GPOs with
conflicting settings or start using deny permissions it can make future
troubleshooting more difficult.
"Saucer Man" <saucerman@xxxxxxxxxx> wrote in message
news:Ga2dnbBPR8-oLMTfRVn-gg@xxxxxxxxxxxxxxx
>I thought about this but it requires extra work. This will require someone
>to put every user in this new security group. There could be error here.
>If I use Domain Users, it is done for me automatically. Thanks for the
>suggestion.
>
> --
>
> Thanks.
>
>
> "Simon Geary" <simon_geary@xxxxxxxxxxx> wrote in message
> news:%23pkC2jgPFHA.1528@xxxxxxxxxxxxxxxxxxxxxxx
>> Group Policy is applied in this order: Local Security policy, Site
>> policy, Domain policy, OU policy, child OU policy.
>>
>> Perhaps a better way to do what you want would be to use security
>> filtering. This might be easier to implement and requires having just the
>> one policy. Assuming all your users are in the same OU, you could do
>> this:
>>
>> 1. Create a new security group in the users OU and put all your user
>> accounts in it.
>> 2. Create a new GPO that has the IE lockdown settings, link it to the
>> users OU and use security filtering so that only the new security group
>> has the Read and Apply Group Policy permissions.
>> 3. Whenever you discover users you don't want the policy to apply to,
>> remove them from the new security group.
>>
>> "Saucer Man" <saucerman@xxxxxxxxxx> wrote in message
>> news:BO2dncX-9YtE9sTfRVn-qA@xxxxxxxxxxxxxxx
>>>I have two Group Policies. One of them locks IE and the other one
>>>doesn't. I want to apply the one that locks IE to the Domain User group
>>>so that initially, everyone's one is locked. Then as I discover who
>>>should not be unlocked, I want to add them to the Group Policy which does
>>>not lock IE. How do I set this up so that the unlock policy takes
>>>precedence over the locked one?
>>>
>>> --
>>>
>>> Thanks.
>>>
>>>
>>>
>>
>>
>
>
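
The remark above that deny permissions make later troubleshooting harder suggests a periodic audit of which GPOs carry them. The following is an added example, not part of the original thread: it assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules are installed, and the function name Get-GpoDenyAce is hypothetical.

```powershell
# Added example (not from the thread): list every GPO whose ACL contains a
# Deny ACE for Read or for the "Apply Group Policy" extended right, so that
# exceptions created with the deny-group approach stay visible.
Import-Module GroupPolicy, ActiveDirectory

# rightsGuid of the "Apply Group Policy" extended right in the AD schema
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-GpoDenyAce {
    foreach ($gpo in Get-GPO -All) {
        # $gpo.Path is the distinguished name of the GPO container in AD
        $acl = Get-Acl -Path ("AD:\" + $gpo.Path)

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }

            # Deny on the extended right itself, or on all extended rights
            $denyApply = $ace.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
                         ($ace.ObjectType -eq $ApplyGpoRight -or
                          $ace.ObjectType -eq [guid]::Empty)

            # Deny on reading all properties of the GPO object
            $denyRead = $ace.ActiveDirectoryRights.HasFlag($Rights::ReadProperty) -and
                        $ace.ObjectType -eq [guid]::Empty

            if ($denyApply -or $denyRead) {
                [pscustomobject]@{
                    Gpo       = $gpo.DisplayName
                    Trustee   = $ace.IdentityReference.Value
                    DenyApply = $denyApply
                    DenyRead  = $denyRead
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-GpoDenyAce | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

The membership of each reported trustee group is the list of users the policy silently skips, so it is worth reviewing alongside this output.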