Re: Help - with Policy
- From: "Nick" <nick@xxxxxxxxxx>
- Date: Thu, 25 Sep 2008 16:06:32 +0100
Hi Mark
It works! Thanks very much, you're a star!
As you recommended, I created two new policies:
a. GPO Policy with only Loopback enabled and security settings (Authenticated
users) left as default.
b. GPO with settings to be applied. Removed Authenticated Users and replaced
with Security Group.
Policy was applied successfully to users in the Security Group.
A few quick questions:
1. It would be interesting to know how the corrupted policy worked in the
first place as this had a combination of loopback and user settings with
authenticated users. There must have been additional changes made in the
permissions so admins don't get the policy applied.
2. How do you change the link order? I started with creating the GPO user
settings and then created GPO loopback and noticed the link order. I didn't
know what effect the link order would make so I deleted both and started
again with creating the GPO loopback first.
3. We have an application which changes frequently as more features and
options are added. How can I add a GPO to add an entry in the user's
Hkey_Current_User\Software\ACME\Another New Version
4. The GPO hides the Terminal Server / Citrix drives but the GPO doesn't
prevent them from accessing the drives if they type the drive letter in
Windows Explorer or within an application when they do File > Open. Can you
advise on drive access prevention or a utility that applies it to users?
Many thanks for staying with me and helping.
Kind regards
Nick
"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23hRwLdnHJHA.1364@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Nick wrote:
I've tried your suggestions below and the policy is not being applied to
me
or admins groups which is good but also to the
CitrixTerminalServerUserGroup
as advised.
Do you mean it is still not applying?
Create a GPO with only Loopback enabled in it.
Link it to the terminalserver OU. Do not touch the security settings.
Create a "TS GPO" with all your settings for the TSServergroup.
Edit the security settings:
- remove Auth.Users
- add TS Computer + TSServergroup
You say DENY is always winning could you explain,
No. There is no explanation. It is a rule, defined by MS.
It's everywhere like that, even in FileSystem. If you have full access
to a file and you deny read -> deny is winning.
In the end your permissions are a summary of all.
Imagine you are a member of all these groups:
        read    change  full
Group1  x       -       -
Group2  x       x       -
Group3  -       -       -
Group4  x       x       x
---------------------------
=       x       x       x
Result? You will have Full Access.
Change it like this:
        read    change  full
Group1  deny    -       -
Group2  x       x       -
Group3  -       -       -
Group4  x       x       x
---------------------------
=       deny
Deny is the "winning" setting.
when myself or admin groups neither have ALLOW or DENY
and still being applied.
... because your Admin is, like every account, a member of the Auth.Users.
Auth.Users are allowed to read and apply, so you yourself do not need to
have the permission; another group, where you are a member, has it.
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Discuss : www.freelists.org/list/gpupdate
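
The "deny wins" rule and the security-filtering behaviour discussed in the thread, as an added example that is not part of the original posts. It is a simplified model rather than Windows' actual access check, and the group name "Domain Admins" and the two sample accounts are assumptions constructed for illustration.

```python
# Added example: a simplified model of the rule in Mark's reply, not Windows'
# real access-check code. Rights are summed over every group the account
# belongs to, then any matching deny removes the right.
from dataclasses import dataclass, field

@dataclass
class Acl:
    allow: dict = field(default_factory=dict)   # group -> set of rights allowed
    deny: dict = field(default_factory=dict)    # group -> set of rights denied

def effective_rights(acl, groups):
    """Union of allows across all memberships, minus the union of denies."""
    allowed, denied = set(), set()
    for g in groups:
        allowed |= acl.allow.get(g, set())
        denied |= acl.deny.get(g, set())
    return allowed - denied

def gpo_applies(acl, groups):
    """Security filtering: the GPO is processed only with both Read and Apply."""
    return {"read", "apply"} <= effective_rights(acl, groups)

# The two tables from the reply (Group3 has no entries at all).
ALL_GROUPS = ["Group1", "Group2", "Group3", "Group4"]
table1 = Acl(allow={"Group1": {"read"}, "Group2": {"read", "change"},
                    "Group4": {"read", "change", "full"}})
table2 = Acl(allow={"Group2": {"read", "change"},
                    "Group4": {"read", "change", "full"}},
             deny={"Group1": {"read"}})

# Constructed accounts; "Domain Admins" is an assumed name for the admin group.
admin = ["Authenticated Users", "Domain Admins"]
ts_user = ["Authenticated Users", "TSServergroup"]

default_filter = Acl(allow={"Authenticated Users": {"read", "apply"}})
group_filter = Acl(allow={"TSServergroup": {"read", "apply"}})
deny_admins = Acl(allow={"Authenticated Users": {"read", "apply"}},
                  deny={"Domain Admins": {"apply"}})

if __name__ == "__main__":
    print("table 1:", sorted(effective_rights(table1, ALL_GROUPS)))
    print("table 2:", sorted(effective_rights(table2, ALL_GROUPS)))
    for name, acl in [("default", default_filter), ("group", group_filter),
                      ("deny admins", deny_admins)]:
        print(f"{name:12} admin={gpo_applies(acl, admin)} "
              f"ts_user={gpo_applies(acl, ts_user)}")
```

With the default filter the admin account receives the GPO purely through its Authenticated Users membership; both the group-only filter and an explicit deny on the admin group keep it out while the TSServergroup member still gets the settings.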