Solved

How to setup user GPO per machine

Posted on 2009-04-01
8
282 Views
Last Modified: 2012-05-06
Hi,
I work at a high school. the domain is W2k3 w/ XPP w/s and active directory.
I have setup two seperate GPOs, one for machine and one for user.
An OU has been setup for each classroom.
I willl assign the machine GPO to each OU and orginize the machines in the OUs according to classroom location.
then I would like to be able to assign the user GPO to the user according to the machine they are logging into. If I assign the User GPO directly to the user, it will affect thier account globaly.
Exp. I want to assign the user GPO accourding to the classroom. this way I can set different user restrictions for each classroom. I can do this with the machine GPO as the machine doesn't move around.
Is there any way to set the user GPO by the machine they are logging into?

Thank you
Al
0
Comment
Question by:lacroix_al
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24044129
yes it is called "loopback processing"

more info http://support.microsoft.com/kb/231287
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24044137
You can use "Loopback Processing mode" with "merge" user policy: http://technet.microsoft.com/en-us/library/cc757470.aspx

SG
0
 

Author Comment

by:lacroix_al
ID: 24044291
Thank you for the reply
I'll have to look into this
AL
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:lacroix_al
ID: 24063076
ok
Great that does work

I do have one more question
After appling the loopback processing all accounts get the lockdown policy.
I have added the domain admin group to the local admin group through the restricted groups GPO.
I need the members of the domain admin group to have full access to the PC, and not get the lockdown policy.
How do I do this?
Al
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24074824
Sorry for the late respond. Weekend you know.

You can edit the security on the GPO and set "deny read" for the local admin group. (since the restricted group is added to this local group)

It's explained here:
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html


SG
0
 

Author Comment

by:lacroix_al
ID: 24089439
snusgubben
Thank you for the reply
I am using GPMC and don't see how to set this up.
Any idea?
AL
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 24091081
I'm not in front of my domain atm, so I can't verify.

Check "figure 3" in this link: http://www.windowsecurity.com/articles/Delegating-Group-Policy-Privilege-using-GPMC.html


SG
0
 

Author Comment

by:lacroix_al
ID: 24091114
Ok
Sorry, I see how to set it now.
I was trying to run it on my XPP machine, but it seems it requires Vista.
It works fine on the Vista machine.
I also found this:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23768453.html

Thanks for all your help
Al
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question