Solved

Group Policy

Posted on 2008-10-27
Last Modified: 2013-12-05
I have a domain in which the shop managers and the junior staff are administered.

The Shop Managers and junior staff belong to a security group called "SuburbNameShop" and also the Shop Managers belong to a second one called "shopManagers".
 
How would I enable Internet access for the shop managers and disable it for the junior staff?

Please be detailed. Thanks
Question by:crashitexchange
10 Comments

Accepted Solution

by:
KCTS earned 500 total points
The first thing you need to know about group policies is that they do not apply to groups!
Group policies actually apply to OUs, not groups - while you can use security filtering, it's not recommended except where there is no other alternative.

You could create an OU to disable the internet at the domain level (that you apply to all users), by setting a non-existent proxy server, then create an OU called Shop Managers and move the Shop Managers' accounts into the OU, then apply a group policy to remove the dummy proxy.

If you don't want to disable Internet access for all domain users then create an OU called SuburbShops and put all the user accounts for junior staff in that, then create the GPO with the dummy proxy and apply it directly to the OU.

Expert Comment

by:KCTS
... see http://www.howtonetworking.com/Internet/restrictie11.htm
for details of the GPO settings

Expert Comment

by:Exchange_Geek
I wish I could copy-paste the solution from other sites - but I personally do not want to be a GURU of something written by someone else.

So, here are a couple of links - which should make things crystal clear (it is as detailed as right click create new users)

1) http://www.howtonetworking.com/Internet/restrictie11.htm

2) http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23059014.html

3) http://technet.microsoft.com/en-us/magazine/cc160780.aspx

4) http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic8080.aspx

5) http://www.theeldergeek.com/forum/index.php?showtopic=31368

If you still have problems understanding - please post your doubts and we would be glad to answer.

Expert Comment

by:KCTS
>> I wish I could copy-paste the solution from other sites - but I personally do not want to be a GURU of something written by someone else <<

It's perfectly acceptable to refer users to other sites - after all, no point in re-inventing the wheel. What is not acceptable is to implicitly criticise other users and then post the SAME link!


Expert Comment

by:nappy_d
You can apply GPOs to groups.

I do this all the time.  The trick is to deny/allow read and/or apply security permissions to the various OUs to which you have applied the GPO.

Expert Comment

by:KCTS
As I stated earlier, it's NOT good practice to use security filtering like this on a routine basis; it can get very confusing and is almost always unnecessary. It's a bit like using the DENY permission on a file or folder in that respect.

Extensive use of security filtering is almost always indicative of a badly thought out OU structure.

Expert Comment

by:nappy_d
To expand on what I mean, create two GPO policies: one for shop admins and one for junior staff.

Policy 1 - let's call it my-shop-admins-corp
  • Go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • Deselect the check box "inherit permissions"
  • Click on COPY
  • Click on apply
  • Now remove the group authenticated users

Policy 2 - let's call it my-shop-jr_staff-corp
  • Go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • Deselect the check box "inherit permissions"
  • Click on COPY
  • Click on apply
  • Now remove the group authenticated users
  • Open the GPO and browse to the following section
    • Users Config\Administrative Templates\System
  • Look for the setting "Don't Run Specified Applications"
    • Enable the policy
    • Add the Application iexplore.exe
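
The security-filtered GPO from the steps above, scripted with the GroupPolicy PowerShell module, followed by an audit that lists every filtered GPO in the domain. This is an added example, not code from the thread or its posters; the group `SuburbNameShop-Junior` and the OU/domain DN are assumed placeholders, and it keeps Read for Authenticated Users instead of removing the group, because since MS16-072 user policy is retrieved in the computer's security context.

```powershell
# Added example. Values marked "assumed" are placeholders, not taken from the thread.
Import-Module GroupPolicy

$GpoName   = 'my-shop-jr_staff-corp'              # GPO name used in the post above
$JuniorGrp = 'SuburbNameShop-Junior'              # assumed: group holding only junior staff
$TargetOU  = 'OU=SuburbShops,DC=example,DC=com'   # assumed OU and domain DN

# 1. Create the GPO and link it to the OU that holds the shop user accounts.
$gpo = New-GPO -Name $GpoName -Comment 'Block iexplore.exe for junior staff'
New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null

# 2. "Don't run specified Windows applications" is stored as these
#    per-user registry policy values.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Guid $gpo.Id -Key $explorer -ValueName 'DisallowRun' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key "$explorer\DisallowRun" -ValueName '1' `
    -Type String -Value 'iexplore.exe' | Out-Null

# 3. Security filtering: the junior group gets Read + Apply.
Set-GPPermission -Guid $gpo.Id -TargetName $JuniorGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
#    Authenticated Users is lowered from Apply to Read (-Replace is needed to
#    lower an existing level), so computers can still read the GPO.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Audit: every GPO where Authenticated Users no longer has Apply, and who
#    does. This is the visibility problem raised in the thread.
Get-GPO -All | ForEach-Object {
    $appliers = Get-GPPermission -Guid $_.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    if ($appliers.Trustee.Name -notcontains 'Authenticated Users') {
        [pscustomobject]@{
            Gpo       = $_.DisplayName
            AppliesTo = ($appliers.Trustee.Name -join ', ')
        }
    }
}
```

`DisallowRun` only covers the named executable when it is launched from Explorer, so treat it as a desktop restriction; filtering at the proxy or firewall is what enforces who reaches the Internet.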


Expert Comment

by:nappy_d
Let's agree to disagree, I have been using this on hundreds of computers in my domain for the past three years.  Yes it can become overwhelming if not documented.  But if the options weren't there to be used it would not be.



Expert Comment

by:KCTS
It IS bad practice - no doubt about that - it is designed to be used when there is no other realistic way of achieving the desired results - again I would compare it to using the DENY option in permissions.

Yes, it's there to be used - but it needs to be used in the correct context. If you apply all policies at the domain and then use security filtering, it is very inefficient and difficult to see exactly which policies are applying to what. OUs are also there for a reason, and that reason is to simplify the planning and assignment of group policies.

Expert Comment

by:nappy_d
I do not have this filtering set for the entire domain.  It is set for a specific OU in which I have multiple users, where I require policies to apply to some users and not others of the same department.

My organization (multi-national, over 10 000 computers) did research and approved of this method I have suggested for my local OU to which it is applied.

Caution is to be used, I agree, but it can be done...