Re: GPO and Group Policy




"Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A90B3EC8-AE30-4A04-857B-EA234C180EC5@xxxxxxxxxxxxxxxx
Herb, can you give me instructions on how to do this? I'm talking like really simple instructions.

I don't know what you know and what you don't know unless you ask a question.

There are plenty of explanations of setting Share and (separately) NTFS Permissions in the Online Help.

Setting Special Permissions is not really any harder (after you do Standard NTFS) but you go to the Advanced dialog, and click on the standard permission and then Edit its Special Permissions. It's pretty self-explanatory once you know these three separate areas: Share, Standard NTFS, and Special NTFS, or you can ask specific questions.



"Herb Martin" wrote:


"Ken" <Ken@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D4C3E9D2-E17D-4203-9793-52F6B2FE4AD1@xxxxxxxxxxxxxxxx
Hello,

I have a problem and I have looked all over the internet for a solution. I stumbled across this site and I am hoping to get some help, so here goes.

I want to make a policy that restricts users doing certain things such as accessing the control panel or task manager etc. I create a new GPO and finish all of my adjustments and tweaks to make it fit my needs.

Ok.

What I don't know is how to apply that GPO to a user or a group.

You cannot do that (precisely).

Right now what I am trying to do is go to Users and Computers and then expand the users folder and apply it to a group I made, but there is no Group Policy tab there so I'm stuck.

You can ONLY LINK a GPO to a 'container', either a Site, Domain, or OU.

So to link a GPO to a "set of Users" you must create an OU and place the users (or computers) within that OU. If you already have the users/computers in an OU but ONLY wish it to affect some subset of the users then you can create (multiple) child OUs and link GPOs differently to each of these OUs.

I am a big newbie at this sort of thing so simple instructions would help out big time.

The ONLY way you can use Groups with Group Policy (yes, we know the name makes no sense once you learn this) is by using PERMISSIONS to differentially Grant or Deny GPO from applying to those users/computers in the groups.

This is called FILTERING (when you use Group Permissions). Link the
GPO to an OU (or Domain/Site) as usual, but then remove the Permissions
for the Group(s) to which it should not apply.

The permission you care about on the GPO is "Apply Group Policy".
(User must have Apply Group Policy and Read for it to apply to them
but the one you use for this task is the Apply...)

You can either NEVER GRANT Apply Group Policy to the user who
should not be affected, or you can DENY it.

I like to avoid "Deny" permissions but frequently this is the only practical way to avoid application to Admins who typically start with Full Control of the GPO (which includes the Apply).
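
The link-then-filter procedure described in the reply above, written as an added PowerShell example (not part of the original post). It assumes the GroupPolicy module from the Group Policy Management tools is installed, and the GPO, OU and group names are hypothetical placeholders. It shows the "never grant" route rather than a Deny entry.

```powershell
# Added example; requires the GroupPolicy module (Group Policy Management tools).
Import-Module GroupPolicy

# Hypothetical names: replace with your own GPO, OU and group.
$GpoName  = 'Restrict Desktop'               # GPO that was already created and configured
$TargetOU = 'OU=Staff,DC=example,DC=com'     # OU that contains the user accounts
$ApplyTo  = 'Restricted Users'               # group that SHOULD receive the GPO

# 1. Link the GPO to a container. A GPO can only be linked to a Site,
#    Domain or OU; it cannot be linked to a user or a group.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes

# 2. Filtering. A new GPO grants Authenticated Users both Read and
#    Apply Group Policy, so it applies to every user in the linked OU.
#    Lower that entry to Read only. -Replace is needed because without it
#    Set-GPPermission does not reduce an existing, higher permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Grant Read + Apply Group Policy (GpoApply) only to the intended group.
#    Users in the OU who are not members never receive the Apply permission,
#    so the GPO is not applied to them and no Deny entry is needed.
Set-GPPermission -Name $GpoName -TargetName $ApplyTo `
    -TargetType Group -PermissionLevel GpoApply

# 4. Review the resulting permissions on the GPO.
Get-GPPermission -Name $GpoName -All
```

Set-GPPermission only grants or lowers permission levels; an explicit Deny of Apply Group Policy, as mentioned for Admins above, is set on the GPO's security settings (Advanced) instead.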








