[gptalk] Re: Apply GPO to Computers Only

  • From: "Buonora, Craig (GE, Research, consultant)" <buonora@xxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 12 Dec 2006 12:30:11 -0500

I am setting the policy on a Computer OU, and only have it apply to 5
machines, regardless of who logs into them, but only 5 specified
machines, not any of the 3000 in the same OU.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, December 12, 2006 12:14 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only



It depends upon your goal. In either case, if you've got a per-user
admin. Template policy in the loopback GPO, that one will take
precedence over the user's "normal" user policy settings.

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Tuesday, December 12, 2006 9:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

 

Thought that is what I did, but what type of loopback, merge or replace?

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, December 12, 2006 12:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

Ok. You have a single GPO that both enables loopback on the computer
side, and removes the map network drive option on the user side. Let's
say you want that to apply to 5 computers that all users logon to. Let's
say those 5 computers are part of the "Special Computers" Group. On the
permissions for the GPO, you would first remove the Authenticated Users
permission, then you would add Special Computers with read and apply
group policy, and Domain Users with read and apply group policy. If you
wanted to have the user policy only apply to a subset of users that
logon to one of those 5 machines, then you would, instead of using
Domain Users on that GPO, use a group that includes that subset of
users.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Tuesday, December 12, 2006 8:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

 

Sorry, thought you were referring to remove the Map Network drive
function was only in Computer Configuration. Are you saying create
another GPO to set loopback? I was setting loopback to Merge within the
same policy as my Map Network Drive removal setting and it does not
work. If I add Domain Users to Read and Apply, and add the machines I
want to apply it to, it applies to all machines I log in to. What am I
missing?

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, December 12, 2006 11:47 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

Maybe we are talking about different things. To enable loopback, there
is only one place you can do that, under Computer Configuration\Admin
Templates\System\Group Policy\User Group Policy Loopback Processing mode

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Tuesday, December 12, 2006 8:40 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

 

I only found that option under User Configuration, where under Computer
is it?

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, December 12, 2006 11:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

The GPO that enables the loopback setting needs to be linked to
computers because it's a Computer Configuration option. That will enable
loopback on those computers. If, on that same GPO, you also set the
user configuration options you want, then that GPO has to be
permissioned such that the users you want to read it, can.

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Tuesday, December 12, 2006 8:23 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

 

Sorry I was a little confused on that. I added Domain Users to the
policy to Read and Apply, although I only want this to apply to 5
machines. What loopback option are you saying to choose and does it
matter what OU I link this on, Users or Computers?

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Monday, December 11, 2006 4:08 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

Yes. It's just a matter of using your security filters correctly. Your
loopback GPO needs to grant only the computers and users who you want to
process this policy, the read and apply GP rights, and no others.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Monday, December 11, 2006 12:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

 

Darren thanks for the response, this GPO is to prevent users from
mapping drives. What I need to configure is to prevent any user that
logs on to a group of 5 machines [except 1 or two admins] from
right-clicking on My Computer - Map Network Drive. Just 5 machines, not
the entire Domain and I do NOT want to create a separate OU for this.
Can this be done?

 

Thanks,

 

Craig

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, December 08, 2006 10:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Apply GPO to Computers Only

So you have a GPO that contains some logon script and sets loopback? I
suspect the problem is that you've removed authenticated users, added
the computer accounts, which is fine, but no users can read the user
portion of the loopback GPO when they logon. You might try granting Read
and Apply GP to the "Domain Users" group. That allows users to read the
GPO but not other computers.


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Thursday, December 07, 2006 12:59 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Apply GPO to Computers Only

 

I had another issue come up where I need to apply a User configuration
item [remove map network drive] to about 6 computers in my Domain. I
created the GPO, removed the Authenticated Users element from the
delegation - Advanced tab, and added my machine names, and clicked Read and
apply for the permissions to each. I also included Loopback Processing
to Merge with this, I used merge and replace. I cannot get this policy
to apply. This needs to be set on 6 machines that are used by the public
and I do not want to do this locally as I would like to exclude
eventually some NT accounts from the policy so they can log on and do
some admin functionality that involves mapping drives.

 

Thanks again in advance for the help.

 

Craig M. Buonora

GE Global Research Center

CompuCom Systems, Inc.

Network Services Engineer II

 

T 518.387.6664

F 518.387.7427

D *833-6664

E buonora@xxxxxxxxxxxxxxx

 

One Research Circle

Building KW Room C153

Niskayuna, New York 12309

www.ge.com <http://www.ge.com/> 
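
The permission layout described in this thread (one GPO carrying both the computer-side loopback setting and the user-side restriction, linked to the computer OU and filtered to a computer group plus a user group), as an added example using the GroupPolicy PowerShell module; it is not part of the original messages. The GPO name and OU path are placeholders, and "Special Computers" is the group name used in the thread.

```powershell
# Added example, not from the thread. Run from a machine with the
# GroupPolicy module (RSAT / GPMC) and rights to create and link GPOs.
Import-Module GroupPolicy

$gpoName   = 'Kiosk - Remove Map Network Drive'   # placeholder GPO name
$computers = 'Special Computers'                  # group holding the 5 machines
$users     = 'Domain Users'                       # or a narrower user group
$ouDn      = 'OU=Computers,DC=example,DC=com'     # placeholder: the computer OU

New-GPO -Name $gpoName | Out-Null

# Computer side: "User Group Policy loopback processing mode".
# UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User side: "Remove Map Network Drive and Disconnect Network Drive".
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoNetConnectDisconnect' -Type DWord -Value 1 | Out-Null

# Security filtering: drop the default Authenticated Users entry, then
# grant Read + Apply only to the computer group and the user group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $computers `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $users `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link to the OU that holds the computers, not the users' OU. The other
# machines in that OU cannot apply the GPO, so loopback stays off there.
New-GPLink -Name $gpoName -Target $ouDn | Out-Null

# Check: only the two groups should be listed with GpoApply.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

If the final listing shows any trustee other than the two groups with GpoApply, the GPO is filtered more widely than the thread intends.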

 
