Re: group policy and roaming profiles

anonymous_at_discussions.microsoft.com
Date: 12/08/03 

Date: Mon, 8 Dec 2003 08:11:21 -0800

yes I am in a domain, a VERY broad domain. I am not a
domain admin, but a delegate ou admin. The organization
will not create a seperate ou just to apply a group policy
to solve this problem. as far as other offices are
concerned they just are not providing the service that we
are trying to provide. If I could apply a group policy to
a group I would be good, but not being able to go any
lower than an ou means that i need to find an alternate
method.
>-----Original Message-----
>Roaming profiles. So you are in a domain ?
>Why are you using local group policy instead of
>the more powerful and flexible GPO from AD ?
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"nate" <nathan.ripp@med.va.gov> wrote in message
>news:070c01c3bd95$843309e0$a301280a@phx.gbl...
>> OK.............heres the delima, I can make GP's work
just
>> fine, and I can get RP's to work just fine BUT I want
them
>> to work together as follows. We want to allow people
>> outside our agency to have access to several of our
PC's,
>> but they have to be completely locked down.........AND
any
>> of our users need to be able to come behind them and see
>> our normal desktop and have there normal access. I have
>> accomplished this by creating a local account,
configuring
>> a group policy on that machine, and only giving that
local
>> account permissions to the group policy directory. There
>> were a few more minor tweaks to make this work, but it
>> worked flawlessly. The problem is that when we create an
>> image of one of those desktops, the permissions change
as
>> well as the policies so there is some administration
left
>> to do on a freshly imaged machine. My boss does not like
>> that and wants something more easily manged. His idea is
>> to create a roaming profile for the users that we want
>> locked down (they would all share a common account).
Good
>> idea, but I can not find a way to lock down the desktop
>> like I want to. any ideas?
>>
>>
>
>
>.
>

Relevant Pages

  • Re: I need Ideas on securing a remote Win2k machine
    ... > * You can set security filtering on a group policy object. ... > * You can set a policy to run an application at logon (your kiosk app, ... Create a new Organizational Unit for the kiosk computers and move ... suggests that I need to get the domain admin to do a lot of this. ...
    (microsoft.public.win2000.security)
  • group policy and roaming profiles
    ... account permissions to the group policy directory. ... to do on a freshly imaged machine. ...
    (microsoft.public.windowsxp.security_admin)
  • RE: SCW --> GPO
    ... we need the rights of Domain Admin or Group Policy Creator Owner ... check app event log & system event log to see if there is any GPO related ... Command completed with error. ...
    (microsoft.public.windows.group_policy)
  • Re: Security Breach in AD! Help!
    ... For example suppose an attacker knew that a domain admin used a particular ... compromise it he could put a simple script such as a logon script or logoff ... > I found the solution to the group policy refresh interval thing...sort of. ...
    (microsoft.public.win2000.security)
  • Re: Security Filtering does not work correctly in GPO
    ... Deny apply only. ... where the domain admin was logged on. ... the settings in the "User Group Policy" were gone. ... "Scope-Setting" in the Group Policy object. ...
    (microsoft.public.windows.server.active_directory)