Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to setup user GPO per machine

Posted on 2009-04-01
8
Medium Priority
?
286 Views
Last Modified: 2012-05-06
Hi,
I work at a high school. the domain is W2k3 w/ XPP w/s and active directory.
I have setup two seperate GPOs, one for machine and one for user.
An OU has been setup for each classroom.
I willl assign the machine GPO to each OU and orginize the machines in the OUs according to classroom location.
then I would like to be able to assign the user GPO to the user according to the machine they are logging into. If I assign the User GPO directly to the user, it will affect thier account globaly.
Exp. I want to assign the user GPO accourding to the classroom. this way I can set different user restrictions for each classroom. I can do this with the machine GPO as the machine doesn't move around.
Is there any way to set the user GPO by the machine they are logging into?

Thank you
Al
0
Comment
Question by:lacroix_al
  • 4
  • 3
8 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24044129
yes it is called "loopback processing"

more info http://support.microsoft.com/kb/231287
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24044137
You can use "Loopback Processing mode" with "merge" user policy: http://technet.microsoft.com/en-us/library/cc757470.aspx

SG
0
 

Author Comment

by:lacroix_al
ID: 24044291
Thank you for the reply
I'll have to look into this
AL
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:lacroix_al
ID: 24063076
ok
Great that does work

I do have one more question
After appling the loopback processing all accounts get the lockdown policy.
I have added the domain admin group to the local admin group through the restricted groups GPO.
I need the members of the domain admin group to have full access to the PC, and not get the lockdown policy.
How do I do this?
Al
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24074824
Sorry for the late respond. Weekend you know.

You can edit the security on the GPO and set "deny read" for the local admin group. (since the restricted group is added to this local group)

It's explained here:
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html


SG
0
 

Author Comment

by:lacroix_al
ID: 24089439
snusgubben
Thank you for the reply
I am using GPMC and don't see how to set this up.
Any idea?
AL
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 2000 total points
ID: 24091081
I'm not in front of my domain atm, so I can't verify.

Check "figure 3" in this link: http://www.windowsecurity.com/articles/Delegating-Group-Policy-Privilege-using-GPMC.html


SG
0
 

Author Comment

by:lacroix_al
ID: 24091114
Ok
Sorry, I see how to set it now.
I was trying to run it on my XPP machine, but it seems it requires Vista.
It works fine on the Vista machine.
I also found this:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23768453.html

Thanks for all your help
Al
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question