[gptalk] Re: Assistance

Thank you sir.  

I had another question if that would be alright?

Is it possible for a script or policy to do subsequent processing on an already 
restricted group?  

The goal is to allow non-admins to remote desktop to specific machines in an OU 
without having admin rights.

Respectfully,

Chris

----- Original Message -----
From: Darren Mar-Elia <darren@xxxxxxxxxx>
Date: Wednesday, December 20, 2006 11:02 am
Subject: [gptalk] Re: Assistance

> Chris-
> Welcome to the list. Because Restricted Groups policy, especially 
> the kind where you are replacing the total membership of a group, 
> does not merge, nor get undone if you block policy, the second 
> solution presented below if your best choice here. That is, in the 
> GPO linked to the OU where those computers exist, you would need 
> to create a new Restricted Groups policy for that Remote Desktop 
> Users group that includes all the groups defined in the domain 
> GPO, as well as the new one you wish to add.
> 
> Darren
> 
> 
> ************************
> Darren Mar-Elia
> For comprehensive Windows Group Policy Information, check out 
> www.gpoguy.com-- the best source for GPO FAQs, video training, 
> tools and whitepapers. Also check out the Windows Group Policy 
> Guide, the definitive resource for Group Policy information. 
> 
> Download the new GPHealth Reporter trial version at 
> http://www.sdmsoftware.com/products.php
> 
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-
> bounce@xxxxxxxxxxxxx] On Behalf Of christopher.cozzalio@xxxxxxxxxxx
> Sent: Wednesday, December 20, 2006 9:58 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Assistance
> 
> Sirs/Ma'ams,
> 
> I'm new to the GPO arena and I've been tasked with the following 
> question.  I have attached the question and an earlier suggested 
> "fix". I was told the prescribed "fix" was incorrect. I'd be most 
> appreciative for any advice or suggestions available.  
> 
> The question:
> 
> In a lower OU from the root.  The intent is to apply a policy that 
> puts a security group in ?Remote Desktop Users? on all of the 
> computers in that OU.  The only hurdle is there is a policy 
> defined at the root level that puts J6 Administrators in that 
> group across the domain.
> 
> The problem is to apply the policy just to the lower level OU 
> without changing the top level policy.
> 
> The answer I was told was incorrect:
> 
> Block inheritance at that OU and apply your new GPO at that OU. 
> This will block all GPO's from above unless they are "enforced" 
> and only 
> apply your new GPO.
> 
> OR
> 
> Create the new GPO at the OU and set the restricted group policy 
> the way you want it.  Since it is at the OU it should override the 
> policy setting from the domain.
> 
> The OU was enforced. 
> 
> Cheers for anything you can provide.
> 
> Respectfully,
> 
> SGT Chris Cozzalio
> ***********************
> You can unsubscribe from gptalk by sending email to gptalk-
> request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR 
> by logging into the freelists.org Web interface. Archives for the 
> list are available at http://www.freelists.org/archives/gptalk/
> ************************
> 
> ***********************
> You can unsubscribe from gptalk by sending email to gptalk-
> request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR 
> by logging into the freelists.org Web interface. Archives for the 
> list are available at http://www.freelists.org/archives/gptalk/
> ************************
> 
***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: