| Author | Messages | |
umery@xxxx.yyy
 | | 02/11/2006 12:26 PM |
| Hello All,
I was wondering if there is a way to have a user log on to the machine and
not have the computer policies applied to the machine if the user is part of
a certain group?
Say for example, I have defined a policy in computer configuration, disable
adding tasks to task scheduler, on an OU. All machines are located in the
OU. Domain admins do not have "read or apply group policy" rights to that
particular group policy. Authenticated users have "read or apply group
policy" rights.
Now, if a domain user logs on to the machine, the computer policy is
applied to them, which is alright. But if a domain admin logs on, the
computer policy still applies.
I do understand that computer policy applies on the machine before msgina is
presented, but is there any way to condition it to revert the change when a
domain admin logs on?
Thanks in advance.
... you don't know what you've got 'till it's gone..
- Joni Mitchell
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001474
Posts:0
 | | 02/11/2006 1:21 AM |
| You may want to change the policy processing preferences so that you need
the "User Group Policy loopback processing mode" policy configured.
You can find this policy under Computer Configuration\Administrative
Templates\System\Group Policy folder.
There will be two options: Replace and Merge.
Replace - The user settings in the computer's GPOs replace the user settings
applied to the user.
Merge - combine the user settings in computer's GPOs and User's GPOs. If
conflict, user settings in computer's GPOs take preference.
Hope this helps.
You should also consider changing the design of your Group Policy
infrastructure. You may want to take advantage of the flexibility of User
Configurations and Computer Configurations. You may design your GPOs to fit
your requirements.
Nuo Yan - MS MVP
University of Washington
http://msmvps.com/nuoyan
| | | |
| umery@xxxx.yyy
 | | 02/11/2006 2:23 AM |
| Thanks for responding Nuo. Loopback policy will merge/replace the logging on
user's "User Configuration" with its "User Configuration".
That is the opposite of what I am trying to achieve here. Is there a way to
apply the logging on user's "Computer Configuration" over machine's "Computer
Configuration" perhaps?
| | | |
| deji
Posts:262
 | | 02/11/2006 2:30 AM |
| define your policies in the "User Configuration" and deny this user access to
the policies.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
| | | |
| umery@xxxx.yyy
 | | 02/11/2006 2:56 AM |
| If it was user policies, then it wouldn't be a problem. But these are
settings in computer configuration which apply before the user logs on,
but instead I need them to apply based on the user who logs on.
Hope that simplifies my question.
| | | |
| amulnick
Posts:163
 | | 02/11/2006 5:35 AM |
| | Message body was not found. | | | |
| AD00000777
Posts:0
 | | 02/16/2006 12:22 PM |
| Joni,
As you said, when the machine boots it gets the machine policy applied, and
you want to back it out when the User logs on, which is pretty much a tall
idea! I have never heard of such a function and to be honest would think it
to be "impossible", unless of course the machine could predict who was going
to log on... :-).
The closest I could think of doing it would be to fudge it. That is
(somehow) stop the machine policy applying at Machine boot up, then getting
the user to run the Machine policy via GPUPDATE target:machine when they
log on. Of course you then only have the option of not running the machine
policy when the Admin user logs on, which is different to "undoing the
policy settings that the previous user applied to the machine"
Can I ask why you would want to do this? You mention the case of "disable
adding tasks to task scheduler". I don't specifically know this policy, but
where is it and I would have guessed Microsoft would have given you an
equivalent User based policy to achieve what you want. One way that you may
be able to achieve what you want (just in this case) would be for the admin
to run a script at logon to delete the machine registry key that was created
by the machine policy. Of course it will come back when the machine policy
runs again.
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
| | | |
| AD000001486
Posts:0
 | | 02/17/2006 7:50 AM |
| Alan, I did look in the user configuration, and most of the settings
are available there as well.
Thanks for the help. :)
"Ambition is a dream with a V8 engine." ~ Elvis Presley
| | | |
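The filtering behaviour discussed in this thread, as a small model (an added example, not code from any poster): the computer half of a GPO is filtered against the computer account at boot, the user half against the user who logs on, and loopback Replace/Merge pulls user settings from the computer's GPOs. The account, group and GPO names and the `ProhibitNewTask` label are constructed; the model ignores site/domain/OU precedence, Enforced and Block Inheritance, and assumes loopback filtering is evaluated against the user's token.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    allow_apply: set                                   # granted Read + Apply Group Policy
    deny_apply: set = field(default_factory=set)       # explicit Deny on Apply Group Policy
    computer: dict = field(default_factory=dict)       # Computer Configuration settings
    user: dict = field(default_factory=dict)           # User Configuration settings


def in_scope(gpo, token):
    """Security filtering: an explicit Deny wins, otherwise any Allow match applies."""
    if gpo.deny_apply & token:
        return False
    return bool(gpo.allow_apply & token)


def merge(gpos, token, half):
    """Apply the chosen half of every in-scope GPO in order; later GPOs win."""
    result = {}
    for gpo in gpos:
        if in_scope(gpo, token):
            result.update(getattr(gpo, half))
    return result


def computer_policy(computer_gpos, computer_token):
    # Processed at boot, before the logon prompt: only the computer account
    # is evaluated, so the identity of the later user cannot influence it.
    return merge(computer_gpos, computer_token, "computer")


def user_policy(user_gpos, computer_gpos, user_token, loopback=None):
    own = merge(user_gpos, user_token, "user")
    if loopback is None:
        return own
    from_computer = merge(computer_gpos, user_token, "user")
    if loopback == "replace":
        return from_computer                  # user's own GPOs are ignored
    if loopback == "merge":
        return {**own, **from_computer}       # computer's GPOs win on conflict
    raise ValueError("loopback must be None, 'replace' or 'merge'")


# Constructed group memberships (tokens) for one workstation and two users.
WS01 = {"WS01$", "Domain Computers", "Authenticated Users"}
ALICE = {"alice", "Domain Users", "Authenticated Users"}
ADMIN = {"admin1", "Domain Users", "Domain Admins", "Authenticated Users"}

SETTING = "ProhibitNewTask"  # constructed label for the Task Scheduler restriction

# Design from the question: setting in Computer Configuration, no ACE for Domain Admins.
ORIGINAL = GPO("Lockdown (computer half)", {"Authenticated Users"},
               computer={SETTING: True})
# Redesign: same setting in User Configuration, explicit Deny for Domain Admins,
# GPO still linked to the OU that holds the machines (hence loopback).
REDESIGN = GPO("Lockdown (user half)", {"Authenticated Users"},
               deny_apply={"Domain Admins"}, user={SETTING: True})
# A GPO linked where the user accounts live.
USER_OU_GPO = GPO("Desktop defaults", {"Authenticated Users"},
                  user={"Wallpaper": "corp", SETTING: False})


def demo():
    return {
        "original, any user": computer_policy([ORIGINAL], WS01),
        "admin still in scope without a Deny": in_scope(ORIGINAL, ADMIN),
        "redesign, alice (replace)": user_policy([], [REDESIGN], ALICE, "replace"),
        "redesign, admin (replace)": user_policy([], [REDESIGN], ADMIN, "replace"),
        "redesign, alice (merge)": user_policy([USER_OU_GPO], [REDESIGN], ALICE, "merge"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
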