Re: Exclude from GPO ..
- From: "Cary Shultz" <cwshultz@xxxxxxxx>
- Date: Tue, 7 Feb 2006 16:55:53 -0500
Paul,
No worries about 'Everyone'. I know how it is at night. Shoot, look at
when I do most of my posting.
And, you are correct. You do not want to have too many GPOs linked at too
many different levels. I think that there was a discussion in here with Ace
and JoeR (so, we should all find it and read it....because when those two
guys start talking we all really need to listen!). Anyway, I am pretty
sure that Microsoft has gone away from the early stance of "create a GPO for
each thing that you need" to "create two GPOs: one that affects the user
side and one that affects the computer side". I heard that on one of the
many webcasts that I have been watching.
--
Cary W. Shultz
Roanoke, VA 24012
"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:Ok2iJx%23KGHA.744@xxxxxxxxxxxxxxxxxxxxxxx
Should it be the Authenticated Users? Yeah I was heading to bed and was
typing too fast. Any impact with Everyone? Probably zero, since to get
into the gpo you have just authenticated. Creating a new gpo means that
another process has to be run. You start creating multiple gpo's that have
to be processed at logon time you can impact the logon time for your users
(Or so I have been told).
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Cary Shultz" <cwshultz@xxxxxxxx> wrote in message
news:eJoNXx6KGHA.208@xxxxxxxxxxxxxxxxxxxxxxx
Morning, Paul!
Quick question: should it be the 'Everyone' group or the 'Authenticated
Users' group? And, when denying access this way one could 'allow' the
READ but specially 'deny' the APPLY GPO. Not sure what purpose this
would have but I remember some really smart people in the WIN2000 Group
Policy news group suggesting this.
Also, is it not a smart idea to not include this in the Default Domain
Policy but to create a new GPO linked to the Domain level? Or, possibly
to another OU? We do not know what his set up is......This is what I
would probably do. I would tend to think that it might be a good idea to
leave the DDP and the DDCP alone....If you have to restore them via those
nifty little utilities you have lost everything other than the factory
defaults. Or, am I wrong on this?
--
Cary W. Shultz
Roanoke, VA 24012
"Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
news:%23%23Ck7b5KGHA.3836@xxxxxxxxxxxxxxxxxxxxxxx
Create the gpo and give the everyone group the read and apply. Create a
group of users that don't need it applied and add this group to the gpo
and deny them the right to read or apply the gpo.
http://support.microsoft.com/?kbid=322176
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Mike" <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A9196C81-F822-41EF-8C70-C9DDB709FE97@xxxxxxxxxxxxxxxx
Hello everyone.
I'm having a tough time figuring this out. I need to be able to enable a
password protected screen saver to apply to the entire domain with the
exception of a few user accounts and a couple of computer accounts and
cannot get it functioning properly.
I can setup the Default Domain Policy to enable the protected screen saver,
but for the life of me cannot figure out how to exclude the user accounts
and computer accounts I need to.
Any help is grateful!
Thanks,
Mike
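
An added example, not part of any post in this thread: one way to script the exclusion Paul describes, in the variant Cary mentions (Read stays allowed, only Apply Group Policy is denied). The GPO name and the group name are assumed placeholders, and the script needs the GroupPolicy and ActiveDirectory modules (RSAT).

```powershell
# Added example. Assumed names, not from the thread:
#   GPO   'Screen Saver Lock'        - a separate GPO linked at the domain level
#   Group 'GPO-ScreenSaver-Exclude'  - holds the excluded user and computer accounts
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Screen Saver Lock'
$groupName = 'GPO-ScreenSaver-Exclude'

# rightsGuid of the "Apply Group Policy" extended right in the AD schema
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $gpoName -ErrorAction Stop
$group = Get-ADGroup -Identity $groupName -ErrorAction Stop

# Show the current allow entries (a new GPO normally grants
# Authenticated Users read + apply) before changing anything.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied

# The GPO's directory object: cn={GUID},cn=policies,cn=system,DC=...
$adPath = "AD:\$($gpo.Path)"
$acl    = Get-Acl -Path $adPath

# Deny ACE scoped to the Apply Group Policy right only; Read is untouched.
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight)

$acl.AddAccessRule($denyApply)
Set-Acl -Path $adPath -AclObject $acl

# Verify: list every deny entry for Apply Group Policy on this GPO.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.ObjectType -eq $applyGpoRight } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Excluded accounts pick up the new group membership at their next logon (users) or restart (computers), so the exclusion does not take effect until then.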