Solved

How do I apply computer settings via a group policy applied to user objects?

Posted on 2008-10-06
7
5,526 Views
Last Modified: 2012-05-05
How do I apply computer settings via a group policy applied to user objects?

What I'm trying to achieve:
A set of users need to be able to format USB drives etc on any computer they use while other users will not be able to.

What I've done:
Created a group policy with following setting:
Computer Configuration>Windows Settings>Security Settings>Local Policies/Security Options>Devices>Devices:Allowed to format and eject removable media.
I've set the scope to Authenticated Users and Domain Computers
This has been applied to the relevant Users OUs

What happens:
gpresult shows the policy is being read but it does not show up at all under Computer Settings, only User Settings, where it is marked as Not Applied (Empty)



0
Comment
Question by:Axonites
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
7 Comments
 

Author Comment

by:Axonites
ID: 22655935
http://technet.microsoft.com/en-us/library/cc782849.aspx
"GPO settings are divided between User Configuration, which holds settings that are applied to users when they log on, and Computer Configuration, which holds settings that are applied to computers when they start up (boot)."

Does that mean policies applied to users can never have effect on the computer as by the time the user logs in and initiates the policy, the computer has had it's policy applied already?
0
 
LVL 4

Accepted Solution

by:
lscapa earned 250 total points
ID: 22656313
Computer policies are only applied to computer objects while user policies are only applied to user objects. The exception is loopback processing which allows computer policy applied to users based on the location in AD of the computer instead. See: http://support.microsoft.com/kb/231287
 
0
 

Author Comment

by:Axonites
ID: 22656587
So if I want to enable/disable a Computer Configuration setting depending on which OU the user is in I'll have to use some other method than group policy?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Axonites
ID: 23369702
Alternately, can I use a custom .adm file to create a policy under the User Configuration folder that changes a registry key in HKLM?

If so how?

Here's what I have so far:


CLASS USER
 
CATEGORY !!FormatUSBandRM
 
	POLICY !!FormatUSB
		KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
 
		VALUENAME "allocatedasd"
                VALUEON 2 
		VALUEOFF 0
 
	END POLICY
 
END CATEGORY ; FormatUSBandRM
 
[strings]
FormatUSB="Allow Formatting of USB Devices and Removable Media."
FormatUSBandRM="Format USB and Removable Media"

Open in new window

0
 

Author Comment

by:Axonites
ID: 23370276
Grrr I think what I want to do might actually be impossible but it seems like such a simple thing I can't believe it would be impossible but it's driving me mental.

My custom ADM template to set who can/cannot format USB drives etc works a charm under the Machine class (yes I know there's a default option to do this in Local Policies > Security Options)
However I want to be able to have a different setting for different people who logon to the machine so I want to be able to write this for the User class so I can base the GP on the user, but the User class obviously puts everything into HKCU  

Code
CLASS Machine

CATEGORY !!categoryName

      POLICY !!policyName
      KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
            PART !!policy DROPDOWNLIST
                  VALUENAME "allocatedasd"
                  ITEMLIST
                        NAME "Administrators" VALUE 0
                        NAME "Administrators and Power Users" VALUE 1
                        NAME "Administrators and Interactive Users" VALUE 2
                  END ITEMLIST
            END PART
      END POLICY

END CATEGORY

[strings]
categoryName="Format Removable Media"
policyName="Format Removable Media"
policy="Select who should have the ability to format removable media. ie USB drives"


Any ideas?
0
 
LVL 5

Assisted Solution

by:Jaymz_R
Jaymz_R earned 250 total points
ID: 23370381
Howdy,

Heres a suggestion.  Not sure how it will go,

but start a new OU, add a "security group" to that OU.

add the users you wish to have the ability to format the usb.

add the custom adm to that OU and enforce it.

not sure if that will work, but windows logic says it should.


~Jaymz
0
 

Author Closing Comment

by:Axonites
ID: 31503680
Couldn't get your suggestion to work Jaymz.
Have gone had to just apply this to all computers to enable the setting as some users use multiple computers this is the only way I can ensure they won't be restricted.
Awarded the points equally to those who put the effort in to answer my question.
Cheers
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question