Re: Group policy to apply only to some workstations

Another alternative is to leave the computers where they are, link the relevant GPO to that OU, and use security filtering to apply it only to the relevant client PCs. By default, GPOs are applied to "Authenticated Users," a security group that includes domain computers. What you'd do is to create your own security group containing the factory PCs, add it to the security for the GPO, and remove Authenticated Users. Offhand, I can't think of a reason why one or the other option would be preferable - security filtering is just another option.


"Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:OIRScTKpIHA.1164@xxxxxxxxxxxxxxxxxxxxxxx
Gregg Hill <bogus@xxxxxxxxxxx> wrote:
Hello!

I want to create a group policy to lock down a client's computers in
the factory, but not the ones in the office. I have a lock-down GPO
for terminal servers that works perfectly, but it is in an OU outside
of the normal SBS OU structure, i.e., it is directly under the
office.lan domain in ADUC.
I want all normal SBS GPO settings for "SBSComputers" to apply to
these workstations, and add the restricted GPO settings. I am
thinking that I can create a sub-container(?)

An OU (not a sub-anything)

such as "MyBusiness >
Computers > SBSComputers > Restricted Computers" and move the desired
computers to that sub-container.

Put it under MyBusiness\Computers, not under SBSComputers.

Note that any computer (not user) specific GPO settings applied at a higher level (e.g., the domain or MyBusiness or Computers will be applied.

Remember to always create your own GPOs - don't edit the defaults - and be very careful with what you do. You may want to implement loopback processing in the Restricted Computers GPO. Test first!

Am I even close to being on the right track? If not, would someone be
so kind as to throw the switch for me?

Thank you!

Gregg Hill




.

Relevant Pages

  • Re: Block Group Policy Settings Based on Group Membership
    ... Perhaps the issue here is that this security filtering means that, ... users and computers who are targeted by a GPO, ... Let's say I have a GPO linked to the ...
    (microsoft.public.win2000.group_policy)
  • Re: Help with Security Filtering
    ... Security Tab for the GPO itself. ... Is there a way to see the ACL in the GPO that they are being applied to ... the computers, besides just noticing the changes live. ... Filtering" tab with 7 of the Security Groups listed, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Active Directory Folders
    ... >> I'm certainly not going to discount a book published by Microsoft ... >> replace the computers and users containers created by default and ... Passowords can only be set in a GPO at the ... Laptops ...
    (microsoft.public.windows.server.active_directory)
  • GPO Not Being Applied
    ... I have server 2003 environment and have created a GPO where I want certain ... I have have created security groups and added the computers in there, ... created the GPO and used security filtering so the GPO ...
    (microsoft.public.windows.server.active_directory)
  • Re: Exchange OWA 2003 Trusted Root Certificate
    ... Domain level GPO called Mail, ... Security to Apply, can I add the machines to the same User Group and then ... On the second method - just to clarify, if I already have my computers ... > that you want the Group Policy computer configuration to apply to. ...
    (microsoft.public.win2000.security)
Loading