Re: Active directory Group Policy (Win2k)
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Mon, 22 Jan 2007 08:17:56 -0700
"Bogwitch" <Bogwitch@xxxxxxxxxxxxxxxxxxx> wrote in message
news:45b489c0$0$24371$88260bb3@xxxxxxxxxxxxxxxxxxxx
Roger,
Thanks for the pointer, that is obviously the way to go forward. However,
the mechanics of it are a little 'peculiar'. I will cite some examples.
When I enforce the policy onto the computers in the new OU, it breaks some
of the common security settings (e.g. it drops the logon banner, it no
longer clears the last username)
You probably should use the resultant set of policy capability in
the GPMC in order to see what GPO is causing this, or more likely
what GPO no longer has the computers in its scope and so is no
longer applying those policy settings after the computers were
moved.
Additionally, the settings are now forced onto users that are NOT in the
restricted user group, i.e. Domain Admins so the Domain Admins cannot view
the 'C' drive, cannot run a command prompt.
Where did a restricted group come into it?
I indicated a way to impact all accounts logging into the machines
with Office, which it sounded like you wanted to have happen.
If you only want some accounts impacted by the loopback policy
then you need to change the security group filtering so that the GPO
applies to Domain Computers (or a custom group of the computers
in the OU) and to only the accounts that should be impacted.
It appears you might want to grant read/apply to Domain Computers
and Domain Users (assuming members of Domain Admins are NOT
members of Domain Users), and also grant read (but not apply) to
Domain Admins.
I appreciate that I am new to this particular aspect of GPOs and it may be
a steeper learning curve than I expected. Do you have any pointers to a
useful resource online that covers implementation, rather than one that
just states how to enable loopback processing?
MS has a lot of info on the use of GP, mostly indexed via
www.microsoft.com/gp
Roger Abell [MVP] wrote:
You should research the use of "loopback processing" and
consider using this for a GPO linked to the OU holding the
Office capable machines, which same GPO could be left
at the default security group filtering (i.e. Authenticated
Users) so that it would affect any users logging into the
Office enabled machines.
"Bogwitch" <Bogwitch@xxxxxxxxxxxxxxxxxxx> wrote in message
news:45ae151e$0$4755$88260bb3@xxxxxxxxxxxxxxxxxxxx
All,
We have a strong AD GP enforced, removing all common items from the
users desktop and start menu.
We have a requirement to allow users, when logged on to certain
workstations, to access Microsoft Office. Office is NOT installed on the
other workstations.
We can give users access to the menu items by removing the group policy
but this then gives all users greater access than required on other
workstations.
I have created a new container for the Office loaded workstations but
the users will be picking up group policy from the Users container as
these users are free to log on to whatever workstation they please but
are restricted to using office on only a few.
Is there a setting within Group Policy Manager that I can set that will
allow access to a few shortcuts for Office apps without compromising the
security of the systems in use?
TIA,
Bogwitch.
--
Posted via a free Usenet account from http://www.teranews.com
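A simplified model of the security-group filtering discussed in this thread, added here as an illustration and not part of the original posts. It assumes a loopback GPO linked to the Office machines' OU, evaluates only allow Read/Apply entries (no Deny ACEs), and uses constructed group memberships and a hypothetical GPO name.

```python
from dataclasses import dataclass, field

READ, APPLY = "read", "apply"

@dataclass
class Gpo:
    name: str
    loopback: bool                           # loopback processing enabled in the GPO
    acl: dict = field(default_factory=dict)  # group name -> set of granted permissions

    def applies_to(self, groups):
        """Security filtering: a principal needs Read and Apply through its groups."""
        granted = set()
        for group in groups:
            granted |= self.acl.get(group, set())
        return {READ, APPLY} <= granted

def user_is_restricted(gpo, computer_groups, user_groups):
    """The GPO's user settings reach a user logging on to the machine only if the
    computer processes the GPO (picking up loopback) and the user passes the filter."""
    return gpo.loopback and gpo.applies_to(computer_groups) and gpo.applies_to(user_groups)

# Constructed memberships for illustration.
PC = {"Domain Computers", "Authenticated Users"}
ACCOUNTS = {
    "ordinary user": {"Domain Users", "Authenticated Users"},
    "admin outside Domain Users": {"Domain Admins", "Authenticated Users"},
    "admin inside Domain Users": {"Domain Admins", "Domain Users", "Authenticated Users"},
}

NAME = "Office-OU loopback GPO"  # hypothetical name
# Default filtering: Authenticated Users have Read + Apply.
default_filter = Gpo(NAME, True, {"Authenticated Users": {READ, APPLY}})
# Filtering suggested in the reply: apply to computers and users, read-only for admins.
revised_filter = Gpo(NAME, True, {
    "Domain Computers": {READ, APPLY},
    "Domain Users": {READ, APPLY},
    "Domain Admins": {READ},
})

def report():
    """Return {(filtering, account): restricted?} for every combination."""
    return {(label, who): user_is_restricted(gpo, PC, groups)
            for label, gpo in (("default", default_filter), ("revised", revised_filter))
            for who, groups in ACCOUNTS.items()}

if __name__ == "__main__":
    for (label, who), restricted in report().items():
        print(f"{label:8} {who:28} restricted={restricted}")
```

The last account shows why the reply's assumption matters: an administrator who is also a member of Domain Users still receives the restrictions under the revised filtering.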