Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to setup user GPO per machine

Posted on 2009-04-01
8
Medium Priority
?
285 Views
Last Modified: 2012-05-06
Hi,
I work at a high school. the domain is W2k3 w/ XPP w/s and active directory.
I have setup two seperate GPOs, one for machine and one for user.
An OU has been setup for each classroom.
I willl assign the machine GPO to each OU and orginize the machines in the OUs according to classroom location.
then I would like to be able to assign the user GPO to the user according to the machine they are logging into. If I assign the User GPO directly to the user, it will affect thier account globaly.
Exp. I want to assign the user GPO accourding to the classroom. this way I can set different user restrictions for each classroom. I can do this with the machine GPO as the machine doesn't move around.
Is there any way to set the user GPO by the machine they are logging into?

Thank you
Al
0
Comment
Question by:lacroix_al
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24044129
yes it is called "loopback processing"

more info http://support.microsoft.com/kb/231287
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24044137
You can use "Loopback Processing mode" with "merge" user policy: http://technet.microsoft.com/en-us/library/cc757470.aspx

SG
0
 

Author Comment

by:lacroix_al
ID: 24044291
Thank you for the reply
I'll have to look into this
AL
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 

Author Comment

by:lacroix_al
ID: 24063076
ok
Great that does work

I do have one more question
After appling the loopback processing all accounts get the lockdown policy.
I have added the domain admin group to the local admin group through the restricted groups GPO.
I need the members of the domain admin group to have full access to the PC, and not get the lockdown policy.
How do I do this?
Al
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24074824
Sorry for the late respond. Weekend you know.

You can edit the security on the GPO and set "deny read" for the local admin group. (since the restricted group is added to this local group)

It's explained here:
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html


SG
0
 

Author Comment

by:lacroix_al
ID: 24089439
snusgubben
Thank you for the reply
I am using GPMC and don't see how to set this up.
Any idea?
AL
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 2000 total points
ID: 24091081
I'm not in front of my domain atm, so I can't verify.

Check "figure 3" in this link: http://www.windowsecurity.com/articles/Delegating-Group-Policy-Privilege-using-GPMC.html


SG
0
 

Author Comment

by:lacroix_al
ID: 24091114
Ok
Sorry, I see how to set it now.
I was trying to run it on my XPP machine, but it seems it requires Vista.
It works fine on the Vista machine.
I also found this:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23768453.html

Thanks for all your help
Al
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question