Solved

Group Policy

Posted on 2008-10-27
Last Modified: 2013-12-05
I have a domain in which the shop managers and the junior staff are administered.

The Shop Managers and junior staff belong to a security group called "SuburbNameShop" and also the Shop Managers belong to a second one called "shopManagers".
 
How would I enable Internet access for the shop managers and disable it for the junior staff?

Please be detailed. Thanks
Question by:crashitexchange
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 22811807
The first thing you need to know about group policies is that they do not apply to groups!
Group policies actually apply to OUs, not groups. While you can use security filtering, it's not recommended except where there is no other alternative.

You could create an OU to disable the internet at the domain level (that you apply to all users), by setting a non-existent proxy server, then create an OU called Shop Managers and move the Shop Managers accounts into the OU, then apply a group policy to remove the dummy proxy.

If you don't want to disable Internet access for all domain users, then create an OU called SuburbShops and put all the user accounts for junior staff in that, then create the GPO with the dummy proxy and apply it directly to the OU.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22811813
... see http://www.howtonetworking.com/Internet/restrictie11.htm
for details of the GPO settings
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22811951
I wish I could copy-paste the solution from other sites, but I personally do not want to be a GURU of something written by someone else.

So, here are a couple of links, which should make things crystal clear (it is as detailed as right click create new users)

1) http://www.howtonetworking.com/Internet/restrictie11.htm

2) http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23059014.html

3) http://technet.microsoft.com/en-us/magazine/cc160780.aspx

4) http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic8080.aspx

5) http://www.theeldergeek.com/forum/index.php?showtopic=31368

If you still have problems understanding - please post your doubts and we would be glad to answer.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812312
>> I wish I could copy-paste the solution from other sites, but I personally do not want to be a GURU of something written by someone else <<

It's perfectly acceptable to refer users to other sites - after all, no point in re-inventing the wheel. What is not acceptable is to implicitly criticise other users and then post the SAME link!

0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812543
You can apply GPOs to groups.

I do this all the time.  The trick is to deny/allow read and/or apply security permissions to the various OUs to which you have applied the GPO.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812783
As I stated earlier, it's NOT good practice to use security filtering like this on a routine basis; it can get very confusing and is almost always unnecessary. It's a bit like using the DENY permission on a file or folder in that respect.

Extensive use of security filtering is almost always indicative of a badly thought out OU structure.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812805
To expand on what I mean, create two GPO policies: one for shop admins and one for junior staff.

Policy 1 - let's call it my-shop-admins-corp
  • go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • deselect the check box "inherit permissions"
  • click on COPY
  • click on apply
  • Now remove the group authenticated users

Policy 2 - let's call it my-shop-jr_staff-corp
  • go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • deselect the check box "inherit permissions"
  • click on COPY
  • click on apply
  • Now remove the group authenticated users
  • open the GPO and browse to the following section
    • Users Config\Administrative Templates\System
  • Look for the setting "Don't Run Specified Applications"
    • Enable the policy
    • Add the Application iexplore.exe

0
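The two approaches argued over in this thread (linking the restricting GPO to an OU, and security filtering it to a group), scripted as an added example that is not code from any poster. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain admin session, and a hypothetical group `shopJuniorStaff` containing only the junior staff; unlike the steps above it leaves Authenticated Users with Read rather than removing the group.

```powershell
# Added example, not from the thread. $jrGroup is a hypothetical group name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName  = 'my-shop-jr_staff-corp'   # GPO name used in the post above
$ouName   = 'SuburbShops'             # OU name suggested in the accepted answer
$jrGroup  = 'shopJuniorStaff'         # assumption: holds junior staff only
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Create the GPO and set "Don't run specified Windows applications"
#    (User Configuration\Administrative Templates\System) for iexplore.exe.
New-GPO -Name $gpoName | Out-Null
$key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisallowRun' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$key\DisallowRun" -ValueName '1' `
    -Type String -Value 'iexplore.exe' | Out-Null

# 2. OU approach: put the junior accounts in their own OU and link the GPO there.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
Get-ADGroupMember -Identity $jrGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    Move-ADObject -TargetPath $ou.DistinguishedName
New-GPLink -Name $gpoName -Target $ou.DistinguishedName | Out-Null

# 3. Security-filtering approach: only $jrGroup gets Apply.
#    Authenticated Users is downgraded to Read, not removed: since a 2016
#    Windows security update, user policy is retrieved in the computer's
#    security context, so the computer account must still be able to read the GPO.
Set-GPPermission -Name $gpoName -TargetName $jrGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Review the result: who can read/apply the GPO, and what is linked to the OU.
Get-GPPermission -Name $gpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
(Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order
```

Steps 2 and 3 are independent; run `gpresult /r` as a junior user and as a shop manager afterwards to confirm which accounts actually receive the GPO.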
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812833
Let's agree to disagree, I have been using this on hundreds of computers in my domain for the past three years.  Yes it can become overwhelming if not documented.  But if the options weren't there to be used it would not be.


0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812981
It IS bad practice - no doubt about that - it is designed to be used when there is no other realistic way of achieving the desired results - again I would compare it to using the DENY option in permissions.

Yes, it's there to be used - but it needs to be used in the correct context. If you apply all policies at the domain and then use security filtering, it is very inefficient and difficult to see exactly which policies are applying to what. OUs are also there for a reason, and that reason is to simplify the planning and assignment of group policies.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22813069
I do not have this filtering set for the entire domain.  It is set for a specific OU in which I have multiple users, and I require policies to apply to some users and not others of the same department.

My organization (multi-national, over 10 000 computers) did research and approved of this method I have suggested for my local OU to which it is applied.

Caution is to be used, I agree, but it can be done...
0
