Re: Software Restrictions
- From: "Kevin Wheeler" <kevin.wheeler@xxxxxxxxxx>
- Date: Tue, 10 Jan 2006 06:13:30 -0500
Thanks Herb, I'll give that a try. I'll let you know how it works out.
Kevin
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:eWqBY1ZFGHA.3176@xxxxxxxxxxxxxxxxxxxxxxx
> "Kevin Wheeler" <kevin_wheeler@xxxxxxxxxxx> wrote in message
> news:u61IM7YFGHA.3200@xxxxxxxxxxxxxxxxxxxxxxx
> >I want to implement 2 GPOs to restrict certain software. It is a Windows
> >2000 Domain with Windows 2000 Pro workstations.
>
>
> > The first policy will restrict about 10 applications and this policy will
> > be applied to the Domain Users security group.
>
> Since policies must be LINKED to Sites, Domain, or OUs you
> would probably link such a policy to the DOMAIN and then
> FILTER it using the Group "Domain Users".
>
> But there is probably no reason not to just use Everyone unless
> you REALLY mean just domain users.
>
> This is basically going to apply to just about 'everyone' (who is
> a real user) anyway.
>
> But you CAN set it in the User section of the GPO and have it
> apply to (such) groups.
>
> > I created a second group called project users.
>
> Notice that policy for Domain Users (or everyone) is going to
> apply to "Project Users" by default (unless you deny them "Apply_Policy"
> permission.)
>
> > In the 1st GPO, project application is one of the restricted applications.
> > The 2nd GPO will have the same applications listed except Project, and
> > this GPO will be applied to the Project Users security group.
>
> You will have to set the permission on the first to DENY this group
> Apply, and ONLY grant this Group Apply on the 2nd.
>
> > In logic, this should work, however, when I added my test user to the
> > Project Users group, he couldn't access any of the restricted
> > applications, by design, but he also couldn't access the Project
> > application.
>
> Because he is a Domain User -- your starting premise was wrong
> and all of your logic was built on that: GPOs that apply to Domain
> Users also apply to pretty much everyone unless you deny that.
>
> > Can someone tell me what I'm doing wrong? Does it have something to do
> > with the test user being a member of both Domain Admins and Project Users?
> > How can I get this to work?
>
> Yes. See above.
>
> 1st GPO: Allow Read & Apply for Domain Users
> Deny (Read &) Apply for Project Users
>
> 2nd GPO: Allow Read & Apply for Project Users
>
> It's a straightforward permission problem.
>
> But do notice that you have left out other problems, e.g.,
> Admins are also Domain Users.
>
> You might want a MORE SPECIFIC group for such policies or
> you must Deny admins apply to keep them from being locked out
> too.
>
> Think what is going to happen when the Admin tries to run any
> other program to FIX something.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>
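
The security filtering discussed in this thread, as an added example that is not part of either poster's message: a small model of how Allow and Deny entries for Read and Apply Group Policy decide which GPO reaches a user who belongs to several groups. The group names come from the thread; the application names `AppA` and `AppB` are placeholders, and treating an application as blocked when any applied GPO lists it is a simplifying assumption.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"
BOTH = frozenset({READ, APPLY})

@dataclass
class Gpo:
    name: str
    restricted: set                              # applications this GPO restricts
    allow: dict = field(default_factory=dict)    # group -> rights allowed
    deny: dict = field(default_factory=dict)     # group -> rights denied

def applies(gpo, groups):
    """A GPO is processed only if Read and Apply are allowed and not denied."""
    allowed, denied = set(), set()
    for g in groups:                             # rights accumulate over every group
        allowed |= gpo.allow.get(g, set())
        denied |= gpo.deny.get(g, set())
    return BOTH <= (allowed - denied)            # an explicit Deny beats any Allow

def blocked_apps(gpos, groups):
    """Simplification (assumption): an app is blocked if any applied GPO lists it."""
    blocked = set()
    for gpo in gpos:
        if applies(gpo, groups):
            blocked |= gpo.restricted
    return blocked

# Constructed sample data: group names are from the thread, app names are placeholders.
APPS = {"Project", "AppA", "AppB"}

def build(with_deny):
    gpo1 = Gpo("GPO1", set(APPS), allow={"Domain Users": BOTH})
    gpo2 = Gpo("GPO2", APPS - {"Project"}, allow={"Project Users": BOTH})
    if with_deny:                                # the Deny entries suggested in the reply
        gpo1.deny = {"Project Users": BOTH, "Domain Admins": BOTH}
    return [gpo1, gpo2]

PROJECT_USER = {"Domain Users", "Project Users"}
ADMIN = {"Domain Users", "Domain Admins"}

if __name__ == "__main__":
    for label, with_deny in (("allow only", False), ("with deny", True)):
        gpos = build(with_deny)
        print(label, "| project user:", sorted(blocked_apps(gpos, PROJECT_USER)))
        print(label, "| admin:", sorted(blocked_apps(gpos, ADMIN)))
```

With Allow entries only, the Project Users member still receives GPO1 through Domain Users, which matches the behaviour reported in the question; the Deny entries are what remove it.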