mikcanavan
asked on
Group Policies for Dummies : Lock down 2 machines within 20 PC domain
We need to enforce a "no fun" policy on 2 machines which will control large CNC machines, but as I have never touched on Group Policies before - I have got a bit lost!
I was hoping that "Group" policies could be applied to for example a security group - but this does not seem to be the case?!? I have read a few articles - but it described 'simply' creating a new OU!
I don't need to lock it down to an FBI level, fool proof should be more than adequate eg. No control panel / no internet / no explore / no browsing... just the ability to run basic programs.
Organisation: One site / 18 clients (standard office users) / 2 Shopfloor clients (which need locking down) / Small Business Server 2003 - Pretty Standard setup / latest updates etc.
Can anyone guide me through this? TechSoEasy?
Thanks
I was hoping that "Group" policies could be applied to for example a security group - but this does not seem to be the case?!? I have read a few articles - but it described 'simply' creating a new OU!
I don't need to lock it down to an FBI level, fool proof should be more than adequate eg. No control panel / no internet / no explore / no browsing... just the ability to run basic programs.
Organisation: One site / 18 clients (standard office users) / 2 Shopfloor clients (which need locking down) / Small Business Server 2003 - Pretty Standard setup / latest updates etc.
Can anyone guide me through this? TechSoEasy?
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I have to say I would never use security filtering unless I had no other option - in my experience it causes all sorts of issues (not unlike using deny on NTFS permissions), as its not immedatly obvious which groups (if any) are being filtered. Where you CAN do it with OUs then USE OUs.
@KCTS: "in my experience it causes all sorts of issues" - could you name some? I never experienced issues with security filtering of GPOs, that's why I ask.
Maybe you just mean to say using sec. filtering makes it a little harder to see what systems/users GPOs get applied to - I would agree on that. Or were there any technical difficulties following up?
ASKER
@ Everyone... Thanks for the suggestions... First one worked like a charm.
@KCTS - Many thanks, just following the instructions as you laid them out I now have a much better grasp of how to setup GP.
@KCTS - Many thanks, just following the instructions as you laid them out I now have a much better grasp of how to setup GP.
Add those two computers to a security group. Apply your new GPO to a higher OU or the entire domain and restrict access to it using Security Filtering so that only that group has Read and Apply Group Policy permissions.
http://technet.microsoft.com/en-us/library/cc781988.aspx
Edit the local policy on each machine. This isn't the best choice as it means more work and documentation for you, especially if you want to change settings or lock down more machines later.