Re: exempt a machine from a group policy




The computer name in an ACL normally only gets used when there is an attempt
to use an object by one of the "SYSTEM" accounts on a computer. So for
example if you schedule a backup on a computer to a file server, the ACL for
the destination folder on the file server would need to explicitly or
implicitly authorize Modify access by the machine account. In your case,
the script is NOT executed *by* a machine. It is executed by a user who
happens to be *on* that machine. But the authentication will be seen as
coming from the user, not the machine. Microsoft's ACL mechanism lacks
the level of sophistication of specifying a user account conditioned by a
location. The user is authorized or not authorized, and the location from
which the request comes isn't part of the ACL.

You could isolate the machine into an organizational unit and not apply the
login script GPO to that OU. You could also simply program around the
machine name in the script itself, as already suggested.

--
Will

"Agostino" <sclauzero@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23QSVs%23FDJHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
Thanks.
But where is the error with my approach?
I don't understand why the "machine deny policy" is ignored.
At what moment are the policies evaluated? While a user is logging in,
the machine knows its own name!
I feel quite confused about how all this GPO stuff works.
thanks!
Agostino


"Florian Frommherz [MVP]" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxx> ha scritto
nel messaggio news:OQkaowFDJHA.4696@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!

Agostino wrote:
I have a domain with several GPs linked to objects.
I want a new login script, so I created a new GP.
I want this login script to apply to all users, all machines BUT one.
I added the machine account to the "delegation" for this policy, then
denied the Apply permission for it.
But it still applies on my machine.
What am I missing?

Since it's a (user) logon script, the user would be the one you need to
deny the read permissions. Since you can't enumerate all users logging on
to that machine, I'd check in the logon script for the machine name.

rem Skip the rest of the script on the exempted machine. Quoting both sides
rem keeps the comparison valid if the value is empty, and /I makes it
rem case-insensitive (COMPUTERNAME is normally reported in upper case).
if /I "%COMPUTERNAME%"=="comp1" goto end
command
command
command
:end

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
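The machine-name check Florian suggests, written out as an added PowerShell logon script (this is an example added here, not code from the thread). The computer name in the exempt list and the share path are placeholders:

```powershell
# Added example, not from the thread: a user logon script (User Configuration >
# Windows Settings > Scripts > Logon) that does nothing on exempted computers.
# The computer name(s) and the share path below are placeholders.

# Computers on which this logon script should not do anything.
$ExemptComputers = @('COMP1')   # placeholder name(s)

# $env:COMPUTERNAME is the NetBIOS name of the machine the user is logging on to.
# -contains compares strings case-insensitively, so 'comp1' and 'COMP1' both match.
if ($ExemptComputers -contains $env:COMPUTERNAME) {
    # Nothing else to do on an exempt machine; leave without an error.
    exit 0
}

# Everything below runs only on non-exempt machines, and it runs in the
# logging-on user's security context, not the machine account's.
net use H: "\\fileserver\home\$env:USERNAME" /persistent:no   # placeholder command
```

Deploy it as the GPO's logon script in place of the batch file. Because the setting lives under User Configuration, the Apply Group Policy ACE is checked against the user's token, which does not contain the computer account, so a Deny on the machine account never matches; `gpresult /scope user /r` on COMP1 will still list the GPO as applied and only the script body is skipped. `Get-GPPermission -Name <gpo> -All` from the GroupPolicy module shows the Deny you set, but it only filters the Computer Configuration half of that GPO. Moving just the computer into another OU does not change this either, because user settings follow the user object's OU unless loopback processing is enabled.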

