• Status: Solved

How to set up user GPO per machine

Hi,
I work at a high school. The domain is W2k3 w/ XPP w/s and Active Directory.
I have set up two separate GPOs, one for machine and one for user.
An OU has been set up for each classroom.
I will assign the machine GPO to each OU and organize the machines in the OUs according to classroom location.
Then I would like to be able to assign the user GPO to the user according to the machine they are logging into. If I assign the user GPO directly to the user, it will affect their account globally.
Exp. I want to assign the user GPO according to the classroom. This way I can set different user restrictions for each classroom. I can do this with the machine GPO as the machine doesn't move around.
Is there any way to set the user GPO by the machine they are logging into?

Thank you
Al
lacroix_al
Asked:
Akhater Commented:
Yes, it is called "loopback processing".

More info: http://support.microsoft.com/kb/231287
 
snusgubben Commented:
You can use "Loopback Processing mode" with "merge" user policy: http://technet.microsoft.com/en-us/library/cc757470.aspx

SG
 
lacroix_al (Author) Commented:
Thank you for the reply.
I'll have to look into this.
AL
 
lacroix_al (Author) Commented:
OK.
Great, that does work.

I do have one more question.
After applying the loopback processing, all accounts get the lockdown policy.
I have added the domain admin group to the local admin group through the restricted groups GPO.
I need the members of the domain admin group to have full access to the PC, and not get the lockdown policy.
How do I do this?
Al
 
snusgubben Commented:
Sorry for the late response. Weekend, you know.

You can edit the security on the GPO and set "deny read" for the local admin group (since the restricted group is added to this local group).

It's explained here:
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html


SG
 
lacroix_al (Author) Commented:
snusgubben,
Thank you for the reply.
I am using GPMC and don't see how to set this up.
Any idea?
AL
 
snusgubben Commented:
I'm not in front of my domain atm, so I can't verify.

Check "figure 3" in this link: http://www.windowsecurity.com/articles/Delegating-Group-Policy-Privilege-using-GPMC.html


SG
 
lacroix_al (Author) Commented:
Ok
Sorry, I see how to set it now.
I was trying to run it on my XPP machine, but it seems it requires Vista.
It works fine on the Vista machine.
I also found this:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23768453.html

Thanks for all your help
Al
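
The configuration discussed in this thread, scripted as an added example that is not part of any post above: it enables loopback in merge mode on a GPO, links it to a classroom computer OU, and exempts an admin group with a Deny on the "Apply Group Policy" right (a swap for the "deny read" setting mentioned in the thread). It assumes a management host with the RSAT GroupPolicy and ActiveDirectory PowerShell modules; the GPO name, OU path and domain are hypothetical.

```powershell
# Added example. $GpoName, $ClassroomOu and $ExemptGroup are hypothetical placeholders.
Import-Module GroupPolicy, ActiveDirectory

$GpoName     = 'Classroom-Lockdown'                 # GPO that holds the user restrictions
$ClassroomOu = 'OU=Room101,DC=school,DC=example'    # OU containing the classroom computers
$ExemptGroup = 'Domain Admins'                      # group that must not receive the lockdown

# 1. Enable loopback in the GPO's Computer Configuration.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. Link the GPO to the computer OU (loopback is evaluated from the computer's location).
$linked = (Get-GPInheritance -Target $ClassroomOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $ClassroomOu | Out-Null }

# 3. Add a Deny ACE for the "Apply Group Policy" extended right on the GPO object.
$applyGpRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy
$gpoPath = 'AD:\' + (Get-GPO -Name $GpoName).Path
$sid     = (Get-ADGroup -Identity $ExemptGroup).SID
$deny    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid,
               [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
               [System.Security.AccessControl.AccessControlType]::Deny,
               $applyGpRight)
$acl = Get-Acl -Path $gpoPath
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoPath -AclObject $acl

# 4. Verify: list Deny ACEs on the GPO for the Apply Group Policy right.
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpRight } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Running gpresult on a classroom PC while logged on as a member of the exempt group should then list the GPO as filtered out for the user.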