Re: GP Based on Machine and User.
- From: "Kardon Coupé" <prefer.to@xxxxxxxxxxxxxxxxx>
- Date: Sat, 14 Apr 2007 00:19:32 +0100
Again, since the previous post, I've ended up creating the ADM, and then
denying group policies to the computers that I don't want it to happen, and
it worked?
Is this right?
"Kardon Coupé" <prefer.to@xxxxxxxxxxxxxxxxx> wrote in message
news:eGZfaOefHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
Addendum to my last comment, I've just tried it on a Win2k Machine, and it
doesn't seem to work, does that OS operate differently than XP?
"Kardon Coupé" <prefer.to@xxxxxxxxxxxxxxxxx> wrote in message
news:OZRLbHefHHA.4636@xxxxxxxxxxxxxxxxxxxxxxx
Thank you for the walkthrough on this, it would appear it does work, I've
followed the steps, and tried logging the user on on two machines (not at the
same time though), and it applies accordingly.
But there are other policies that have stopped applying? I had one for
example that stops things appearing down by the clock in the systray, but
that stuff is appearing again?
What have I done wrong? Nothing to do with the choice of "Loopback" settings,
is it?
Regards
Paul
"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:E99B5D32-66D4-4046-A55E-9BE2539115B0@xxxxxxxxxxxxxxxx
A possible alternative approach.
From your first post, you have four computers with different drive
configurations.
1. Where you currently have one OU with all four computers in it, create
four child OUs and move one computer into each OU.
2. Create four GPOs, one for each set of drives you want to block, and link
each GPO to the corresponding OU.
3. Create a fifth GPO that enables Loopback, and link this GPO to the parent
OU.
Thus, the OU hierarchy would look something like this:
OU for User Accounts - put all user accounts in this OU or child OUs
Parent OU for Computer child OUs
  link the GPO enabling Loopback here
  Do Not put any user accounts in this OU or any of its children
  - Child OU containing computer account for type 1 computer
    link the GPO that blocks the drives pertinent to type 1
  - Child OU containing computer account for type 2 computer
    link the GPO that blocks the drives pertinent to type 2
  - Child OU containing computer account for type 3 computer
    link the GPO that blocks the drives pertinent to type 3
  - Child OU containing computer account for type 4 computer
    link the GPO that blocks the drives pertinent to type 4
When a user logs on to one of these four computers,
- first, the User Configuration settings from any GPO that is linked to or
inherited by the OU containing their user account are applied
- second, because Loopback processing is enabled, the User Configuration
settings in the GPO that is linked to the OU containing the computer
account they are logging on to are applied
So, if a user logs on to computer type 1, the User Configuration setting
that blocks drives pertinent to computer type 1 will be applied to that
user.
If the same user logs on to computer type 2, the User Configuration
setting that blocks drives pertinent to computer type 2 will be applied to
that user.
Note: you may want to NOT block drives for administrators. To do this:
a. select the GPO applied to the (computer specific) child OU in gpmc
b. select the Delegation tab
c. click Advanced...
d. click Add...
e. key the name of the domain group that has only the administrators' user
accounts in it (or add individual user accounts - better to have a group);
click OK
f. select the just added group (or user account)
g. in the bottom box, add a check mark in the "Deny" column for the "Apply
Group Policy"
h. click OK
The same technique can be used for any User Configuration settings that
are to be used on a specific computer or set of computers.
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Kardon Coupé" <prefer.to@xxxxxxxxxxxxxxxxx> wrote in message
news:eJ2vkF8eHHA.2640@xxxxxxxxxxxxxxxxxxxxxxx
> Loopback Processing is what you need.
> http://support.microsoft.com/kb/231287
After reading, it appears that what it is saying to me is not what I want
(unless I'm mis-reading it)
"This setting directs the system to apply the set of Group Policy objects
for the computer to any user who logs on to a computer affected by this
setting."
I'm reading this, if I apply a setting (I.e. drive blocking) no matter
who logs on, it blocks the drives?
I'm wanting the apply to happen to a user, no matter which machine he
logs onto, apply a relevant GP to it..
I.e...
1) Check which machine is being logged onto
2) Apply GPO for that machine only to block drives.
Or am I reading it completely wrong, and it can do what I want, but the
MS site is not very explanatory for people like myself..
Regards
Paul
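
The OU and GPO layout from steps 1-3 of the walkthrough quoted above, scripted as an added example that is not part of the thread. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules; the domain DN, the OU, GPO and computer names, the drive masks, and the use of the Explorer NoViewOnDrive value as the drive-blocking setting are all placeholders the thread does not specify.

```powershell
# Added example, not from the thread. All names and masks below are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$domainDn   = 'DC=example,DC=test'          # placeholder domain
$parentName = 'LabComputers'                # hypothetical parent OU (computers only)
$parentOu   = "OU=$parentName,$domainDn"

# NoViewOnDrive is a bitmask: A=1, B=2, C=4, D=8, E=16, F=32 (constructed values)
$types = @(
    @{ Name = 'Type1'; Computer = 'PC-TYPE1'; DriveMask = 0x08 }   # D:
    @{ Name = 'Type2'; Computer = 'PC-TYPE2'; DriveMask = 0x18 }   # D: E:
    @{ Name = 'Type3'; Computer = 'PC-TYPE3'; DriveMask = 0x30 }   # E: F:
    @{ Name = 'Type4'; Computer = 'PC-TYPE4'; DriveMask = 0x38 }   # D: E: F:
)

# Parent OU: holds only computer accounts, never user accounts.
New-ADOrganizationalUnit -Name $parentName -Path $domainDn

# Step 3: fifth GPO enabling loopback, linked to the parent OU.
# UserPolicyMode 1 = Merge (user-OU settings first, then the computer OU's
# User Configuration, the order described above); 2 = Replace.
$loop = New-GPO -Name 'Lab - Loopback'
Set-GPRegistryValue -Guid $loop.Id `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Guid $loop.Id -Target $parentOu | Out-Null

foreach ($t in $types) {
    # Step 1: one child OU per computer type, with the computer moved into it.
    $ou = New-ADOrganizationalUnit -Name $t.Name -Path $parentOu -PassThru
    Get-ADComputer $t.Computer | Move-ADObject -TargetPath $ou.DistinguishedName

    # Step 2: one GPO per type carrying a User Configuration drive restriction.
    $gpo = New-GPO -Name "Lab - Block drives $($t.Name)"
    Set-GPRegistryValue -Guid $gpo.Id `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -ValueName 'NoViewOnDrive' -Type DWord -Value $t.DriveMask | Out-Null
    New-GPLink -Guid $gpo.Id -Target $ou.DistinguishedName | Out-Null
}

# Check: each child OU should list its own drive GPO plus the inherited
# loopback GPO. The "Deny Apply Group Policy" entry for administrators is
# left to the GPMC steps a-h above.
foreach ($t in $types) {
    (Get-GPInheritance -Target "OU=$($t.Name),$parentOu").InheritedGpoLinks |
        Select-Object DisplayName, Order
}
```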