Re: Best Way to Block user or computer from receiving GP
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Fri, 13 Apr 2007 23:10:26 -0700
I always recommend avoiding use of Deny, but do also
recognize that its use does have a place (just one that
should be used as a last resort).
Use of security group filtering (including Deny) leads to
an opaque policy structure in that just looking at the GPOs
as they adorn the OU structure does not carry a full sense
of what is happening how/to whom/where - and so one
gets forced into using resultant policy views more often.
On the other hand, one should want to keep the OU tree from
becoming too deep, so there is a trade. Also, sometimes to
avoid security group filtering one would need to do a major
restructure of OUs (think of mobile devices - scatter them
throughout the device OU structure and use filtering, or mirror
the device OU structure under a second mobile device OU
structure).
One needs to learn to juggle. One thing I find important to
keep in mind is that the admins that use what is set up may
not have a complete view of how it was architected, and
in that case have difficulty in visualizing what it effects. Hence
when juggling I tend to avoid constructs that make things, as
I term it, administratively opaque, and I consider that as
important as performance considerations because it can lead
to errors with major impact.
Roger
"River" <River@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B2B28AA4-CC62-43E2-8A94-FEB7B15943D4@xxxxxxxxxxxxxxxx
Is it better to have users grouped together in a single Departmental OU and
then use deny security to block a GP for a subset of users or is it better to
put the subset of users in sub OU?
Example

Domain
  Sales
    Reps
      - Group Policy 1
    Team Leads
      - Group Policy 2

OR

Domain
  Sales
    - Group Policy 1 (deny Team Leads)
    - Group Policy 2 (deny Sales Reps)

Thank you in advance for your comments.
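
An added example, not part of either post: one way to make the Deny-based filtering discussed above visible is to list every Deny ACE that covers the Apply Group Policy right, across all GPOs in the domain. It assumes the RSAT ActiveDirectory module and read access to the GPO objects under CN=Policies,CN=System; the variable and column names are illustrative.

```powershell
# Added example: report GPOs that are filtered with a Deny on "Apply Group Policy".
# Assumes the RSAT ActiveDirectory module and read access to the GPO containers.
Import-Module ActiveDirectory

# rightsGuid of the Apply-Group-Policy extended right
$applyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$extendedRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$domainDn = (Get-ADDomain).DistinguishedName
$gpos = Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDn" `
    -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -Properties displayName, nTSecurityDescriptor

$report = foreach ($gpo in $gpos) {
    # Read ACEs keyed by SID so that unresolvable trustees do not abort the run
    $rules = $gpo.nTSecurityDescriptor.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $isDeny      = $ace.AccessControlType -eq 'Deny'
        $isExtended  = ($ace.ActiveDirectoryRights -band $extendedRight) -ne 0
        # An empty ObjectType means the ACE covers all extended rights
        $coversApply = $ace.ObjectType -eq $applyGroupPolicy -or
                       $ace.ObjectType -eq [guid]::Empty
        if (-not ($isDeny -and $isExtended -and $coversApply)) { continue }

        # Resolve the SID to a name where possible; keep the SID otherwise
        $trustee = $ace.IdentityReference.Value
        try {
            $trustee = $ace.IdentityReference.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { }

        [pscustomobject]@{
            Gpo       = $gpo.displayName
            GpoGuid   = $gpo.Name
            DeniedTo  = $trustee
            Inherited = $ace.IsInherited
        }
    }
}

$report | Sort-Object Gpo, DeniedTo | Format-Table -AutoSize
```

An empty report means no GPO in the domain relies on Deny filtering; each row otherwise names a group or account whose policy cannot be read off the OU tree alone.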