Solved

Group Policy

Posted on 2008-10-27
Last Modified: 2013-12-05
I have a domain where the shop managers and the junior staff are administered.

The Shop Managers and junior staff belong to a security group called "SuburbNameShop" and also the Shop Managers belong to a second one called "shopManagers".
 
How would I enable Internet access for the shop managers and disable it for the junior staff?

Please be detailed. Thanks
Question by:crashitexchange
10 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 2000 total points
ID: 22811807
The first thing you need to know about group policies - is that they do not apply to groups!
Group policies actually apply to OUs, not groups - while you can use security filtering, it's not recommended except where there is no other alternative.

You could create an OU to disable the internet at the domain level (that you apply to all users), by setting a non-existent proxy server, then create an OU called Shop Managers and move the Shop Managers' accounts into the OU, then apply a group policy to remove the dummy proxy.

If you don't want to disable Internet access for all domain users, then create an OU called SuburbShops and put all the user accounts for junior staff in that, then create the GPO with the dummy proxy and apply it directly to the OU.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22811813
... see http://www.howtonetworking.com/Internet/restrictie11.htm
for details of the GPO settings
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22811951
I wish I could copy-paste the solution from other sites - but I personally do not want to be a GURU of something written by someone else.

So, here are a couple of links - which should make things crystal clear (it is as detailed as right click create new users)

1) http://www.howtonetworking.com/Internet/restrictie11.htm

2) http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23059014.html

3) http://technet.microsoft.com/en-us/magazine/cc160780.aspx

4) http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic8080.aspx

5) http://www.theeldergeek.com/forum/index.php?showtopic=31368

If you still have problems understanding - please post your doubts and we would be glad to answer.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812312
>> I wish I could copy-paste the solution from other sites - but I personally do not want to be a GURU of something written by someone else <<

It's perfectly acceptable to refer users to other sites - after all, no point in re-inventing the wheel. What is not acceptable is to implicitly criticise other users and then post the SAME link!

0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812543
You can apply GPOs to groups.

I do this all the time. The trick is to deny/allow read and/or apply security permissions to the various OUs to which you have applied the GPO.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812783
As I stated earlier, it's NOT good practice to use security filtering like this on a routine basis. It can get very confusing and is almost always unnecessary; it's a bit like using the DENY permission on a file or folder in that respect.

Extensive use of security filtering is almost always indicative of a badly thought out OU structure.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812805
To expand on what I mean, create two GPO policies: one for shop admins and one for junior staff.

Policy 1 - let's call it my-shop-admins-corp
  • go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • deselect the check box "inherit permissions"
  • click on COPY
  • click on apply
  • Now remove the group authenticated users
Policy 2 - let's call it my-shop-jr_staff-corp
  • go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • deselect the check box "inherit permissions"
  • click on COPY
  • click on apply
  • Now remove the group authenticated users
  • open the GPO and browse to the following section
    • Users Config\Administrative Templates\System
  • Look for the setting "Don't Run Specified Applications"
    • Enable the policy
    • Add the Application iexplore.exe

0
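A scripted version of the security-filtering procedure in the post above, as an added example that is not part of the original thread or any poster's own code. It assumes the RSAT GroupPolicy and ActiveDirectory modules; the junior-only group `SuburbNameShop-Junior` and the OU path are hypothetical placeholders. Authenticated Users is kept at Read rather than removed, because current Windows clients retrieve user policy in the computer's security context and a GPO that the computer cannot read is silently skipped.

```powershell
# Added example: security-filtered GPO for junior staff (run as a domain admin).
Import-Module GroupPolicy, ActiveDirectory

# Group names from the question; everything else below is an assumption.
$allStaff  = 'SuburbNameShop'
$managers  = 'shopManagers'
$juniorGrp = 'SuburbNameShop-Junior'        # hypothetical junior-only group
$gpoName   = 'my-shop-jr_staff-corp'        # GPO name used in the post above
$shopOU    = 'OU=Shops,DC=example,DC=com'   # placeholder OU holding the shop users

# 1. Junior staff = user members of SuburbNameShop who are not in shopManagers.
if (-not (Get-ADGroup -Filter "Name -eq '$juniorGrp'")) {
    New-ADGroup -Name $juniorGrp -GroupScope Global -GroupCategory Security -Path $shopOU
}
$skip = @(Get-ADGroupMember -Identity $managers -Recursive) +
        @(Get-ADGroupMember -Identity $juniorGrp) | ForEach-Object { $_.SID.Value }
$toAdd = @(Get-ADGroupMember -Identity $allStaff -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $skip -notcontains $_.SID.Value })
if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $juniorGrp -Members $toAdd }

# 2. GPO carrying "Don't run specified Windows applications" = iexplore.exe.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisallowRun' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$key\DisallowRun" -ValueName '1' `
    -Type String -Value 'iexplore.exe' | Out-Null

# 3. Security filtering: the junior group gets Read + Apply; Authenticated Users
#    is reduced to Read only (not removed) so the GPO stays readable.
Set-GPPermission -Name $gpoName -TargetName $juniorGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link the GPO to the OU, then list who it applies to for the change record.
New-GPLink -Name $gpoName -Target $shopOU -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission, Inherited
```

Keeping the final `Get-GPPermission` output with the change record addresses the documentation concern raised in this thread: it shows exactly which trustees hold `GpoApply` on the filtered GPO.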
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812833
Let's agree to disagree, I have been using this on hundreds of computers in my domain for the past three years.  Yes it can become overwhelming if not documented.  But if the options weren't there to be used it would not be.


0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812981
It IS bad practice - no doubt about that - it is designed to be used when there is no other realistic way of achieving the desired results - again I would compare it to using the DENY option in permissions.

Yes, it's there to be used - but it needs to be used in the correct context. If you apply all policies at the domain and then use security filtering, it is very inefficient and difficult to see exactly which policies are applying to what. OUs are also there for a reason, and that reason is to simplify the planning and assignment of group policies.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22813069
I do not have this filtering set for the entire domain. It is set for a specific OU to which I have multiple users for which I require policies to apply to some users and not others of the same department.

My Organization (multi-national, over 10 000 computers) did research and approve of this method I have suggested for my local OU to which it is applied.

Caution is to be used, I agree, but it can be done...
0
