RE: GPO for CTX Servers

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: "Pierre the French" <PierretheFrench@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 14 Feb 2006 00:52:27 -0800

hi

first question i thinks it's ok BUT
if you have several Policies, you need read acces for the policy wich should
apply
and SET DENY right fot the policy which should not be applied.
If i can remember it is good to use deny because if you are several policies
applied on the same OU, it can take a long time to process all the policies
(if you not using the deny you will have "fun" with playing the priority
order of the applying policies)

2e question : i only remember that default is authenticated users (the
computer object belongs too), but im not sure
fot me im using and it works
authenticated users
domaincontroller of organisation
system

als default rights for a new policy
then i add
Admins with deny right in order to stay "free"
(One tip, put Deny right but put read/write right too, if not as admin you
couldn't not edit any more the policy ;-] )
so i add ONLY Deny for people wich not receive the policy
each policy have authenticated users with read right

"Simon McDermott" wrote:

Right let me try and explain this one......

Business Requirement - some users are permitted to have windows search
function and all the rest aren't.

So my implementation is:

An OU with 10 Ctx Servers and linked to it are two GPOs - GPO1(no seaching)
and GPO2, which was copied from GPO1 and then permits searching. Loopback
processing with Replace is enabled in both GPOS

Then there are groups which filter the policy to the relevant security
groups that should get either policy. GRP = GPO1 (read and apply) etc

First question - is this the correct approach?

Second question - i remember reading somewhere that the computer object for
the citrix servers should be added to the security properties of the GPO -
does anyone kno why?

S

References:
- GPO for CTX Servers
  - From: Simon McDermott

Prev by Date: Only 5 Clients can connect to our TS
Next by Date: Optimizing VM size
Previous by thread: GPO for CTX Servers
Next by thread: Remote Printer Problems
Index(es):
- Date
- Thread

Relevant Pages

local security policy
... Did you define those 'deny' policies on the 'Default ... Domain Policy' instead of the 'Default Domain controller ...
(microsoft.public.windowsxp.security_admin)
Re: hiding contacts from directory search (LDAP)
... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... policy and denying that right on the policy. ... the majority that I want to deny makes up about 80-90%. ...
(microsoft.public.windows.server.active_directory)
Re: Loopback Processing and Deny Apply in ACL
... The actual group policy is being applied to the user logon, ... If you Apply the policy to a user then Deny ... >> for the terminal server (which is in it's own OU, ... >> setting the deny apply gpo setting in the acl to the user account of this ...
(microsoft.public.win2000.group_policy)
Re: Linux IPChains Question
... At the moment I haven't set NAT up, ... ipchains -P forward DENY ... >>I suggest adding an explicit DENY and log rule at the end. ... With iptables, if you set the forwarding policy to drop, you ...
(comp.security.firewalls)
Re: cannot logon locally
... For a machine in a domain use a GPO that will apply ... >>equivalent) and then set a deny of full control for the ... >>local policy to remove the obstructing setting. ... >>> not let me logon locally. ...
(microsoft.public.windows.group_policy)