Re: Exclude from GPO ..



Paul,

You are correct, I only put in the user accounts that should not have the
policy affect them. Not the entire domain. And yes the "Authenticated
Users" group is assigned with Read and Apply Group Policy ... sorry for the
oversight.

Mike

"Paul Bergson" wrote:

This setting has nothing to do with your workstations so you should remove
the computer accounts from the security group. When you said I put all
user accounts in the security group, I hope you mean only the accounts that
shouldn't have the policy applied. You must also have the security group
"Authenticated Users" read and apply policy on the policy. It sounds like
you forgot to add the "Authenticated Users" group.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Mike" <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A42B949C-8087-489B-8B12-A168B8ADAE35@xxxxxxxxxxxxxxxx
Morning everyone .. I tried as directed with no success. Here's my A/D
layout

Domain
Builtin OU's
Sites
State1
All Computers
All Servers
State2
All Computers
All Servers
State3
All Computers
All Servers
State4
All Computers
All Servers
Users

Here's what I've done, I created a Security Group and put all user accounts
and computer accounts in it. I then created a new GPO with the settings I
need to password protect a screen saver to go off at 15 minutes. I then
added the new group and left the 'Read' permission as Allow and 'Apply
Group Policy' as Deny.

I then ran gpupdate on the Root domain controller.

Then sure enough, 16 minutes later - the screen savers are on those
computers that were supposed to be excluded and the same goes for those
user accounts.

What did I do wrong?

Mike



"Cary Shultz" wrote:

Paul,

No worries about 'Everyone'. I know how it is at night. Shoot, look at
when I do most of my posting.

And, you are correct. You do not want to have too many GPOs linked at too
many different levels. I think that there was a discussion in here with Ace
and JoeR (so, we should all find it and read it....because when those two
guys start talking we all really need to listen!). Anyway, I am pretty
sure that Microsoft has gone away from the early stance of "create a GPO
for each thing that you need" to "create two GPOs: one that affects the
user side and one that affects the computer side". I heard that on one of
the many webcasts that I have been watching.

--
Cary W. Shultz
Roanoke, VA 24012

"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:Ok2iJx%23KGHA.744@xxxxxxxxxxxxxxxxxxxxxxx
Should it be the Authenticated Users? Yeah I was heading to bed and was
typing too fast. Any impact with Everyone? Probably zero, since to get
into the gpo you have just authenticated. Creating a new gpo means that
another process has to be run. You start creating multiple gpo's that have
to be processed at logon time you can impact the logon time for your users
(Or so I have been told).


--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

"Cary Shultz" <cwshultz@xxxxxxxx> wrote in message
news:eJoNXx6KGHA.208@xxxxxxxxxxxxxxxxxxxxxxx
Morning, Paul!

Quick question: should it be the 'Everyone' group or the 'Authenticated
Users' group? And, when denying access this way one could 'allow' the
READ but specially 'deny' the APPLY GPO. Not sure what purpose this
would have but I remember some really smart people in the WIN2000 Group
Policy news group suggesting this.

Also, is it not a smart idea to not include this in the Default Domain
Policy but to create a new GPO linked to the Domain level? Or, possibly
to another OU? We do not know what his set up is......This is what I
would probably do. I would tend to think that it might be a good idea to
leave the DDP and the DDCP alone....If you have to restore them via those
nifty little utilities you have lost everything other than the factory
defaults. Or, am I wrong on this?

--
Cary W. Shultz
Roanoke, VA 24012

"Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
news:%23%23Ck7b5KGHA.3836@xxxxxxxxxxxxxxxxxxxxxxx
Create the gpo and give the everyone group the read and apply. Create a
group of users that don't need it applied and add this group to the gpo
and deny them the right to read or apply the gpo.

http://support.microsoft.com/?kbid=322176

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Mike" <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A9196C81-F822-41EF-8C70-C9DDB709FE97@xxxxxxxxxxxxxxxx
Hello everyone.

I'm having a tough time figuring this out. I need to be able to enable a
password protected screen saver to apply to the entire domain with the
exception of a few user accounts and a couple of computer accounts and
cannot get it functioning properly.

I can setup the Default Domain Policy to enable the protected screen saver,
but for the life of me cannot figure out how to exclude the user accounts
and computer accounts I need to.

Any help is greatful!

Thanks,

Mike
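
The security filtering this thread settles on, as an added example that is not part of any poster's message: "Authenticated Users" keeps Read and Apply, and a group holding only the excluded users gets Deny on Apply Group Policy. It assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules; the GPO and group names are hypothetical placeholders.

```powershell
# Added example. $GpoName and $ExemptGroup are hypothetical names, not from the thread.
Import-Module GroupPolicy, ActiveDirectory

$GpoName     = 'Screen Saver Lock'     # hypothetical GPO carrying the screen saver settings
$ExemptGroup = 'ScreenSaver-Exempt'    # hypothetical group: only the users to exclude

$gpo    = Get-GPO -Name $GpoName
$adPath = "AD:\$($gpo.Path)"           # the GPO's object under CN=Policies,CN=System

# 1. Everyone who should receive the policy: Authenticated Users with Read + Apply.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 2. Excluded users: Deny ACE on the "Apply Group Policy" extended right.
#    Set-GPPermission only grants Allow levels, so the Deny is written to the ACL.
$applyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy
$sid  = (Get-ADGroup -Identity $ExemptGroup).SID
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $applyGpoRight)
$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($deny)
Set-Acl -Path $adPath -AclObject $acl

# 3. Review every Allow/Deny entry for Apply Group Policy on this GPO.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $applyGpoRight } |
    Select-Object IdentityReference, AccessControlType

# 4. The screen saver settings are user-side, so computer accounts in the
#    exemption group have no effect on them; list any that slipped in.
Get-ADGroupMember -Identity $ExemptGroup |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object Name, distinguishedName
```

After the next policy refresh, `gpresult /r /scope user` run as an excluded user should list the GPO among those filtered out with "Denied (Security)".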











