[gptalk] Re: Applying GPO to a Local User Account

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 5 Sep 2008 06:56:04 -0700

Automating changes to the local GPO centrally can be done. It's ironic
because someone else was asking me about this for their 20,000 machine
environment just yesterday. Basically, you have two choices for making
automated changes to the local GPO. You can create the files you need ahead
of time on a single machine and write some scripts that can push those out
(and associated changes) to the local file system on all those remote
machines, or you can use a commercial solution, like the Scripting Toolkit
(www.sdmsoftware.com/group_policy_scripting). In either case, it is do-able.


Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Matt Cross
Sent: Friday, September 05, 2008 6:50 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Applying GPO to a Local User Account

That's the other catch -- we will be deploying about 400 machines during 
the first wave and the overall project will have about 2000 machines.

Basically my team has been tasked to cram as much lockdown stuff in the 
GPO because there have been issues with the reg hacks that the image 
deployment group has been making; they also want to cut down the amount 
of time that a person spends getting a machine deployed.  These 
particular images are constantly changing due to revisions from 
development, so it's not like we can freeze an image -- we also can't 
freeze the project until an image is frozen.  See why I am pulling my 
hair out?

The closest I see to automating from the domain-based GPO is to put the 
registry changes in the GPO for that one user or running a script that 
automatically applies the registry updates.

Darren Mar-Elia wrote:
> You could use the local GPO for the local user account. It should apply
> just fine. Populating the local GPO can be done remotely using gpeditor,
> assuming you don't have to do it across many machines. If you do, then you
> can copy the various parts of the GP settings from the domain-based GPO to
> do this.
>
> Darren
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Matt Cross
> Sent: Thursday, September 04, 2008 2:48 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Applying GPO to a Local User Account
>
> I am hoping to avoid the registry import method, but am prepared to deal 
> with it if it is the only way...
>
> The business case is that the local account is a fail-safe for when the 
> person is in the field and their cached domain account is not letting 
> them log in.  I have no control over changing this requirement, despite 
> my objections.  Since the person in the field could log in as either 
> account (although some features will be unavailable if not logged into
> the cached domain account), the environment must be the same regardless
> of the account.  A lot of the restrictions are located in the User side 
> of the GPO.
>
> Omar Droubi wrote:
>   
>> What exactly are you trying to accomplish/lockdown for that user?
>>
>> You may be able to get some benefit from GPO using the computer side of
>> the house and you may also be able to restrict some settings using
>> mandatory user profiles.
>>
>> What is the business need for a local account opposed to a single domain
>> account- is it a problem with an application that can only work with local
>> accounts?
>>
>> Since many of the user group policy settings get applied in the registry-
>> you may be able to get the GPO functionality to get imported with a
>> registry import script that runs when the user logs on. Just a thought.
>>
>> Omar Droubi
>> omar@xxxxxxxxxxxxxxxxxxxxx
>> 650-726-0300
>> ________________________________________
>> From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf
>> Of Matt Cross [mrforklift@xxxxxxxxxxxxxxx]
>> Sent: Thursday, September 04, 2008 02:30 PM
>> To: gptalk@xxxxxxxxxxxxx
>> Subject: [gptalk] Applying GPO to a Local User Account
>>
>> I have the following environment:
>>
>> Windows 2003 Forest
>> Windows XP SP3
>>
>> I have created a GPO to apply to a specific group in the domain and
>> removed Authenticated Users from the security filter.  The policy works
>> perfectly for any situation involving a domain account logging into the
>> XP client; however, only the Computer side of the GPO applies when
>> logging in with client-local account.
>>
>> There is a business need for the one local account to exist on the
>> client and have the same lockdowns applied.  Is there a way to apply the
>> GPO to a local account?
>>
>> --
>> Matt Cross, MCSE: Messaging
>> mailto:mrforklift@xxxxxxxxxxxxxxx
>>
>> ***********************
>> You can unsubscribe from gptalk by sending email to
>> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
>> logging into the freelists.org Web interface. Archives for the list are
>> available at http://www.freelists.org/archives/gptalk/
>> ************************

-- 
Matt Cross, MCSE: Messaging
mailto:mrforklift@xxxxxxxxxxxxxxx
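
Added example (not part of the original thread, and not code from any poster or from the Scripting Toolkit): a check that could accompany the first option Darren describes, comparing the user-side policy file prepared on the reference machine with the copy found on a target machine. It assumes the lockdown settings are registry-based policy stored in the local GPO's User\Registry.pol file under %SystemRoot%\System32\GroupPolicy; the function names and the sample data are constructed for illustration.

```python
import struct

REG_DWORD = 4
HEADER = b"PReg" + struct.pack("<I", 1)  # file signature + format version 1

def build_pol(entries):  # serialize (key, value, type, data); used only for the samples
    out = HEADER
    for key, value, rtype, data in entries:
        out += f"[{key}\0;{value}\0;".encode("utf-16-le") + struct.pack("<I", rtype)
        out += b";\0" + struct.pack("<I", len(data)) + b";\0" + data + b"]\0"
    return out

def parse_pol(blob):  # -> {(key, value): (type, data)}, names lower-cased
    if blob[:8] != HEADER:
        raise ValueError("missing PReg header")
    pos, settings = 8, {}
    def take(n):  # consume n bytes or fail on a truncated file
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated Registry.pol")
        pos += n
        return blob[pos - n:pos]
    def expect(ch):
        if take(2) != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} before offset {pos}")
    def read_str():  # NUL-terminated UTF-16LE string
        chars = b""
        while (unit := take(2)) != b"\0\0":
            chars += unit
        return chars.decode("utf-16-le").lower()
    while pos < len(blob):
        expect("["); key = read_str()
        expect(";"); value = read_str()
        expect(";"); rtype = struct.unpack("<I", take(4))[0]
        expect(";"); size = struct.unpack("<I", take(4))[0]
        expect(";"); data = take(size)
        expect("]")
        settings[(key, value)] = (rtype, data)
    return settings

def drift(reference, target):
    """Settings from the reference file that are missing or different in the target file."""
    ref, tgt = parse_pol(reference), parse_pol(target)
    return sorted(k for k in ref if tgt.get(k) != ref[k])

# Constructed sample: two Explorer lockdowns on the reference; one off, one absent on the target.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REFERENCE = build_pol([(EXPLORER, "NoRun", REG_DWORD, b"\x01\0\0\0"),
                       (EXPLORER, "NoControlPanel", REG_DWORD, b"\x01\0\0\0")])
TARGET = build_pol([(EXPLORER, "NoRun", REG_DWORD, b"\0\0\0\0")])
```

On real machines, read the two files as bytes and pass them to drift(); an empty list means every reference setting is present on the target with the same type and data.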
