[gptalk] Re: Applying GPO to a Local User Account

  • From: Matt Cross <mrforklift@xxxxxxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 05 Sep 2008 09:53:02 -0400

Actually, My Docs is being redirected to a folder that everyone has access to, and saving to the desktop is locked out.


You are right -- Vista would accomplish many of the things I want, but they have not tested anything on Vista yet and that would set the project behind 2 months. I was brought in as a last-minute addition to this thing that has already been running for about 8-9 months...

Omar Droubi wrote:
Additionally, in this situation this local account would need elevated 
privileges, as this user would most likely need to access files in the 
domain\user profile directory, like My Docs and/or the desktop.

So in that scenario it seems like this account would need to be a local admin, 
and doing restrictions may be tough.

Sorry not to offer a quick alternate solution, other than Vista, which can do this.


One way I handle this for a few clients is that we have a secondary admin 
account, but we only give out the password when the client calls in with cached 
mode issues, so we can check the networking settings. Also, we ensure that we can 
initiate a VPN session for any user to allow the user to log on to the VPN 
before attempting the Windows logon (using the dial-up networking checkbox and 
ensuring that all VPN entries are defined for all users; or, for Cisco VPN, there is 
a checkbox to allow Cisco VPN logon before Windows logon).

The VPN thing works when the remote cached user has hit the 30-day mark for our 
forest: then they connect to the VPN, log on to Windows, reset the number of days for 
cached logon, and they even get the latest GPOs downloaded (if we override the 
slow link detection where applicable).


Omar Droubi
omar@xxxxxxxxxxxxxxxxxxxxx
650-726-0300
________________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of 
Matt Cross [mrforklift@xxxxxxxxxxxxxxx]
Sent: Thursday, September 04, 2008 02:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Applying GPO to a Local User Account

I am hoping to avoid the registry import method, but am prepared to deal
with it if it is the only way...

The business case is that the local account is a fail-safe for when the
person is in the field and their cached domain account is not letting
them log in.  I have no control over changing this requirement, despite
my objections.  Since the person in the field could log in as either
account (although some features will be unavailable if not logged in
to the cached domain account), the environment must be the same regardless
of the account.  A lot of the restrictions are located in the User side
of the GPO.

Omar Droubi wrote:
What exactly are you trying to accomplish/lockdown for that user?

You may be able to get some benefit from GPO using the computer side of the 
house, and you may also be able to restrict some settings using mandatory user 
profiles.

What is the business need for a local account as opposed to a single domain 
account? Is it a problem with an application that can only work with local 
accounts?

Since many of the user Group Policy settings get applied in the registry, you 
may be able to get the GPO functionality imported with a registry import 
script that runs when the user logs on. Just a thought.


Omar Droubi
omar@xxxxxxxxxxxxxxxxxxxxx
650-726-0300
________________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of 
Matt Cross [mrforklift@xxxxxxxxxxxxxxx]
Sent: Thursday, September 04, 2008 02:30 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Applying GPO to a Local User Account

I have the following environment:

Windows 2003 Forest
Windows XP SP3

I have created a GPO to apply to a specific group in the domain and
removed Authenticated Users from the security filter.  The policy works
perfectly for any situation involving a domain account logging into the
XP client; however, only the Computer side of the GPO applies when
logging in with a client-local account.

There is a business need for the one local account to exist on the
client and have the same lockdowns applied.  Is there a way to apply the
GPO to a local account?

--
Matt Cross, MCSE: Messaging
mailto:mrforklift@xxxxxxxxxxxxxxx

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************
--
Matt Cross, MCSE: Messaging
mailto:mrforklift@xxxxxxxxxxxxxxx
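The registry-import idea Omar raises (snapshot the user-side policy keys that a domain logon received, then re-apply them when the client-local fallback account logs on) written out as a script. This is an added example, not code from the thread or from any of its participants. It assumes PowerShell is installed on the XP client (it is not there by default; the script only wraps `reg.exe export` / `reg.exe import`, so the same two commands work from a batch logon script), and the snapshot directory under the All Users profile is an assumed location.

```powershell
# Added example (not from the thread). Assumptions: PowerShell present on the
# client, snapshot stored under the All Users profile, key names below.
# Run with -Capture from a session logged on as the domain user AFTER the GPO
# has applied; run without -Capture as the logon script of the local account.
param([switch]$Capture)

# User-side Administrative Template settings land under these two HKCU keys.
$PolicyKeys = @{
    'policies'    = 'HKCU\Software\Policies'
    'cv-policies' = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
}

# Snapshot location readable by every local account (assumed path).
$SnapshotDir = Join-Path $env:ALLUSERSPROFILE 'UserPolicySnapshot'

# A client-local account reports the machine name as its logon domain.
function Test-LocalAccount {
    return ($env:USERDOMAIN -ieq $env:COMPUTERNAME)
}

# reg.exe on XP has no /y switch, so clear the target file before exporting.
function Export-PolicyKey([string]$Key, [string]$File) {
    if (Test-Path $File) { Remove-Item $File -Force }
    & reg.exe export $Key $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export $Key failed ($LASTEXITCODE)" }
}

# Capture: taken under the domain account so the keys hold what GPO wrote.
function Save-UserPolicySnapshot {
    if (Test-LocalAccount) {
        throw 'Capture must run under the domain account that received the GPO.'
    }
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    foreach ($name in $PolicyKeys.Keys) {
        Export-PolicyKey $PolicyKeys[$name] (Join-Path $SnapshotDir "$name.reg")
    }
}

# Restore: only for the local account; domain users still get the real GPO.
function Restore-UserPolicySnapshot {
    if (-not (Test-LocalAccount)) { return }
    foreach ($name in $PolicyKeys.Keys) {
        $file = Join-Path $SnapshotDir "$name.reg"
        if (-not (Test-Path $file)) { throw "Missing snapshot $file" }
        & reg.exe import $file | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg import $file failed ($LASTEXITCODE)" }
    }
}

# Check: re-export the live keys and diff them against the snapshot so a
# failed or partially reverted import is noticed instead of silently trusted.
function Test-UserPolicyApplied {
    $ok = $true
    foreach ($name in $PolicyKeys.Keys) {
        $expected = Join-Path $SnapshotDir "$name.reg"
        $actual   = Join-Path $env:TEMP "$name-check.reg"
        Export-PolicyKey $PolicyKeys[$name] $actual
        $diff = Compare-Object (Get-Content $expected) (Get-Content $actual)
        if ($diff) {
            $ok = $false
            Write-Warning "Key $($PolicyKeys[$name]) differs from the snapshot:"
            Write-Warning ($diff | Out-String)
        }
        Remove-Item $actual -Force
    }
    return $ok
}

if ($Capture) {
    Save-UserPolicySnapshot
} else {
    Restore-UserPolicySnapshot
    if (-not (Test-UserPolicyApplied)) { exit 1 }
}
```

Two caveats follow from the thread itself. The import only reproduces registry-based (Administrative Template) settings; user-side policy delivered by other client-side extensions, such as the folder redirection Matt describes, is not carried in those keys and has to be handled separately. And because the import runs under the local account's own token, an account that is a local admin (as Omar expects it must be) can undo it after logon; the check at the end catches drift at the next logon but cannot prevent it. The snapshot is also a point in time, so recapture it whenever the GPO changes.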
