Solved

Group Policy

Posted on 2008-10-27
Last Modified: 2013-12-05
I have a domain where the shop managers and the junior staff are administered.

The Shop Managers and junior staff belong to a security group called "SuburbNameShop" and also the Shop Managers belong to a second one called "shopManagers".
 
How would I enable Internet access for the shop managers and disable it for the junior staff?

Please be detailed. Thanks
Question by:crashitexchange
10 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 22811807
The first thing you need to know about group policies - is that they do not apply to groups!
Group policies actually apply to OUs, not groups - while you can use security filtering, it's not recommended except where there is no other alternative.

You could create an OU to disable the internet at the domain level (that you apply to all users), by setting a non-existent proxy server, then create an OU called Shop Managers and move the Shop Managers' accounts into the OU, then apply a group policy to remove the dummy proxy.

If you don't want to disable Internet access for all domain users then create an OU called SuburbShops and put all the user accounts for junior staff in that, then create the GPO with the dummy proxy and apply it directly to the OU.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22811813
... see http://www.howtonetworking.com/Internet/restrictie11.htm
for details of the GPO settings
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22811951
I wish I could copy-paste the solution from other sites - but I personally do not want to be a GURU of something written by someone else.

So, here are a couple of links - which should make things crystal clear (it is as detailed as right click create new users)

1) http://www.howtonetworking.com/Internet/restrictie11.htm

2) http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23059014.html

3) http://technet.microsoft.com/en-us/magazine/cc160780.aspx

4) http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic8080.aspx

5) http://www.theeldergeek.com/forum/index.php?showtopic=31368

If you still have problems understanding - please post your doubts and we would be glad to answer.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812312
>> I wish I could copy-paste the solution from other sites - but I personally do not want to be a GURU of something written by someone else <<

It's perfectly acceptable to refer users to other sites - after all, no point in re-inventing the wheel. What is not acceptable is to implicitly criticise other users and then post the SAME link!

0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812543
You can apply GPOs to groups.

I do this all the time.  The trick is to deny/allow read and/or apply security permissions to the various OUs to which you have applied the GPO.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812783
As I stated earlier, it's NOT good practice to use security filtering like this on a routine basis; it can get very confusing and is almost always unnecessary. It's a bit like using the DENY permission on a file or folder in that respect.

Extensive use of security filtering is almost always indicative of a badly thought out OU structure.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812805
To expand on what I mean create two GPO policies; one for shop admins and one for junior staff.

Policy 1 - let's call it my-shop-admins-corp
  • go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • deselect the check box "inherit permissions"
  • click on COPY
  • click on apply
  • Now remove the group authenticated users
Policy 2 - let's call it my-shop-jr_staff-corp
  • go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • deselect the check box "inherit permissions"
  • click on COPY
  • click on apply
  • Now remove the group authenticated users
  • open the GPO and browse to the following section
    • Users Config\Administrative Templates\System
  • Look for the setting "Don't Run Specified Applications"
    • Enable the policy
    • Add the Application iexplore.exe

0
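The "Policy 2" steps above, scripted with the GroupPolicy PowerShell module as an added example (not code posted by anyone in this thread). The group `shopJuniorStaff` and the OU distinguished name are hypothetical placeholders; unlike the steps in the post, it leaves Authenticated Users with read-only access instead of removing the group, because since the MS16-072 update user policy is retrieved in the computer's security context and a GPO the computer cannot read is not applied.

```powershell
# Added example. $Group and $TargetOU are hypothetical; replace them with
# real names from your own directory before running on a management host.
Import-Module GroupPolicy

$GpoName  = 'my-shop-jr_staff-corp'              # GPO name used in the post
$Group    = 'shopJuniorStaff'                    # hypothetical junior-only group
$TargetOU = 'OU=SuburbShops,DC=example,DC=com'   # placeholder distinguished name

# Create the GPO and link it to the OU that holds the shop user accounts.
New-GPO -Name $GpoName -Comment 'Block iexplore.exe for junior staff' | Out-Null
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# Registry values behind User Configuration\Administrative Templates\System
# "Don't run specified Windows applications": a DWORD switch plus a numbered list.
$Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'DisallowRun' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$Key\DisallowRun" -ValueName '1' `
    -Type String -Value 'iexplore.exe' | Out-Null

# Security filtering: only the junior-staff group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Downgrade Authenticated Users from Apply to Read. -Replace is required,
# otherwise a lower permission level never overrides an existing higher one.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Audit the result: list every trustee and what it may do with this GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Sort-Object Permission, Trustee
```

Only the junior-staff group should appear with `GpoApply` in the audit output; run `gpresult /r` as an affected user to confirm the GPO is listed under applied user policies. The setting restricts launching that executable from the Windows shell and is not a network control, so pair it with proxy or firewall enforcement where Internet access itself must be denied.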
 
LVL 32

Expert Comment

by:nappy_d
ID: 22812833
Let's agree to disagree, I have been using this on hundreds of computers in my domain for the past three years.  Yes it can become overwhelming if not documented.  But if the options weren't there to be used it would not be.


0
 
LVL 70

Expert Comment

by:KCTS
ID: 22812981
It IS bad practice - no doubt about that - it is designed to be used when there is no other realistic way of achieving the desired results - again I would compare it to using the DENY option in permissions.

Yes, it's there to be used - but it needs to be used in the correct context. If you apply all policies at the domain and then use security filtering it is very inefficient and difficult to see exactly which policies are applying to what. OUs are also there for a reason and that reason is to simplify the planning and assignment of group policies.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 22813069
I do not have this filtering set for the entire domain.  It is set for a specific OU to which I have multiple users for which I require policies to apply to some users and not others of the same department.

My Organization (multi-national, over 10 000 computers) did research and approve of this method I have suggested for my local OU to which it is applied.

Caution is to be used, I agree, but it can be done...
0
