Re: GPO and Group Policy




"Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D4C3E9D2-E17D-4203-9793-52F6B2FE4AD1@xxxxxxxxxxxxxxxx
Hello,

I have a problem and I have looked all over the internet for a solution. I
stumbled across this site and I am hoping to get some help, so here goes.

I want to make a policy that restricts users doing certain things such as
accessing the control panel or task manager etc. I create a new GPO and
finish all of my adjustments and tweaks to make it fit my needs.

Ok.

What I don't know is how to apply that GPO to a user or a group.

You cannot do that (precisely).

Right now what I am trying to do is go to Users and Computers and then
expand the users folder and apply it to a group I made, but there is no
Group Policy tab there so I'm stuck.

You can ONLY LINK a GPO to a 'container', either a Site, Domain, or OU.

So to link a GPO to a "set of Users" you must create an OU and place the
users (or computers) within that OU. If you already have the users/computers
in an OU but ONLY wish it to affect some subset of the users then you can
create (multiple) child OUs and link GPOs differently to each of these OUs.

I am a big newbie at this sort of thing so simple instructions would help
out big time.

The ONLY way you can use Groups with Group Policy (yes, we know the
name makes no sense once you learn this) is by using PERMISSIONS
to differentially Grant or Deny GPO from applying to those users/computers
in the groups.

This is called FILTERING (when you use Group Permissions). Link the
GPO to an OU (or Domain/Site) as usual, but then remove the Permissions
for the Group(s) to which it should not apply.

The permission you care about on the GPO is "Apply Group Policy".
(User must have Apply Group Policy and Read for it to apply to them
but the one you use for this task is the Apply...)

You can either NEVER GRANT Apply Group Policy to the user who
should not be affected, or you can DENY it.

I like to avoid "Deny" permissions but frequently this is the only practical
way to avoid application to Admins who typically start with Full Control
of the GPO (which includes the Apply).
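
The link-then-filter procedure described in the reply above, as an added PowerShell example (not part of the original post). It uses the ActiveDirectory and GroupPolicy modules that ship with RSAT; the domain, OU, GPO, group and account names are all placeholders, and it shows the "never grant Apply" variant rather than an explicit Deny.

```powershell
# Added example: every name here is a placeholder, not a value from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'          # assumed domain
$ouName   = 'Restricted Users'           # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Restrict Control Panel'     # the GPO already built in GPMC
$applyTo  = 'Restricted Staff'           # assumed group that SHOULD get the GPO
$accounts = 'jdoe', 'asmith'             # assumed sAMAccountNames to move

# Stop early if the GPO name is wrong rather than failing halfway through.
$null = Get-GPO -Name $gpoName -ErrorAction Stop

# 1. A GPO links to a container, so create the OU and place the users in it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
foreach ($name in $accounts) {
    Get-ADUser -Identity $name | Move-ADObject -TargetPath $ouDn
}

# 2. Link the GPO to the OU (this errors if the link already exists).
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# 3. Security filtering. By default Authenticated Users holds Read + Apply,
#    so everyone in the OU is affected. Lower it to Read only; -Replace is
#    required because Set-GPPermission will not reduce an existing, higher
#    permission without it. Read is kept on purpose: since the MS16-072
#    update, user settings are retrieved in the computer's security context,
#    so computer accounts must still be able to read the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Grant Read + Apply only to the group that should receive the settings.
#    Accounts in the OU that are not members never get "Apply Group Policy".
Set-GPPermission -Name $gpoName -TargetName $applyTo `
    -TargetType Group -PermissionLevel GpoApply

# 5. Review the resulting ACL. Anyone listed with GpoApply, or with an edit
#    level that includes Apply, will process the GPO.
Get-GPPermission -Name $gpoName -All
```

Set-GPPermission has no Deny option, so the explicit Deny on "Apply Group Policy" mentioned above is set through the GPO's security (ACL) editor instead. Running `gpresult /r` as an affected user on a client shows whether the GPO was applied or filtered out.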


