Re: Access Denied (Security Filtering)

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Scott <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Aug 2008 04:43:01 -0700

Hi Peter,

If I understand you correctly, I need to apply this to some users also? The
problem I have is that since the PCs I need to apply this to are lab PCs,
when the users go to their office PCs, I dont want that GPO to apply to them
as users there also.

If I put the authenticated users in the same group, is there a way to say
that if you are using this PC that you will get this policy, but if you are
not using this PC, you will not get the policy?

Thank you for your help.

Scott

"Peter Dickason, MCSE, CCA, CNE" wrote:

Hi Scott,

I think I see the issue. Even though the computer accounts are in the
group, the user will not be able to read the GPO even though you have
loopback enabled because you have no permissions applied to any users. If
you have no user accounts in the same OU as your workstations, and no other
loopbacks, you can give authenticated users the read and apply group policy,
otherwise you may need to put these in an OU of their own and apply the GPO
there. Let me know if that works.

Pete

Follow-Ups:
- Re: Access Denied (Security Filtering)
  - From: Peter Dickason, MCSE, CCA, CNE

References:
- Access Denied (Security Filtering)
  - From: Scott
- Re: Access Denied (Security Filtering)
  - From: Marcin
- Re: Access Denied (Security Filtering)
  - From: Scott
- Re: Access Denied (Security Filtering)
  - From: Peter Dickason, MCSE, CCA, CNE

Prev by Date: Re: After demoting a DC (sites and services)
Next by Date: Re: Problem with GROUP report - Domain Users ( more than 15 000 member
Previous by thread: Re: Access Denied (Security Filtering)
Next by thread: Re: Access Denied (Security Filtering)
Index(es):
- Date
- Thread

Relevant Pages

Re: Authenticated Users vs. Individual Users - Scope problem
... In order to be able to apply a policy, two things need to be given: ... In order to apply a computer configuration policy, the computer objects need to have "Read" and "Apply Group Policy" permissions on the GPO just like users would need those permissions on "user configuration" GPOs. ... The whole things worked with "Authenticated Users" because the "Domain Computers" group with all those computer accounts is member of "Authenticated Users". ...
(microsoft.public.windows.group_policy)
Re: Exclude from GPO ..
... Modify the DDP to include the policy I want to now use. ... the gpo you have just authenticated. ... computer accounts I need to. ...
(microsoft.public.windows.server.active_directory)
Re: Exclude from GPO ..
... Creating a new gpo means that another ... processed at logon time you can impact the logon time for your users (Or so ... Policy but to create a new GPO linked to the Domain level? ... computer accounts I need to. ...
(microsoft.public.windows.server.active_directory)
Re: Configure a Global Group to Be a Member of Local Administrator Gro
... that contains your computer accounts. ... that are not part of the policy are removed ... Use startup script (defined trough GPO) on your computers, ... This will add yourgroup to local Admin group on your PC. ...
(microsoft.public.win2000.active_directory)
Re: Exclude from GPO ..
... into the gpo you have just authenticated. ... This posting is provided "AS IS" with no warranties, ... Policy but to create a new GPO linked to the Domain level? ... computer accounts I need to. ...
(microsoft.public.windows.server.active_directory)