Solved

How to set up user GPO per machine

Posted on 2009-04-01
Last Modified: 2012-05-06
Hi,
I work at a high school. The domain is W2k3 w/ XPP w/s and Active Directory.
I have set up two separate GPOs, one for machine and one for user.
An OU has been set up for each classroom.
I will assign the machine GPO to each OU and organize the machines in the OUs according to classroom location.
Then I would like to be able to assign the user GPO to the user according to the machine they are logging into. If I assign the user GPO directly to the user, it will affect their account globally.
E.g., I want to assign the user GPO according to the classroom. This way I can set different user restrictions for each classroom. I can do this with the machine GPO as the machine doesn't move around.
Is there any way to set the user GPO by the machine they are logging into?

Thank you
Al
Question by:lacroix_al
LVL 49

Expert Comment

by:Akhater
ID: 24044129
Yes, it is called "loopback processing".

More info: http://support.microsoft.com/kb/231287
 
LVL 21

Expert Comment

by:snusgubben
ID: 24044137
You can use "Loopback Processing mode" with "merge" user policy: http://technet.microsoft.com/en-us/library/cc757470.aspx

SG
 

Author Comment

by:lacroix_al
ID: 24044291
Thank you for the reply.
I'll have to look into this.
AL

Author Comment

by:lacroix_al
ID: 24063076
OK.
Great, that does work.

I do have one more question.
After applying the loopback processing, all accounts get the lockdown policy.
I have added the domain admin group to the local admin group through the restricted groups GPO.
I need the members of the domain admin group to have full access to the PC, and not get the lockdown policy.
How do I do this?
Al
 
LVL 21

Expert Comment

by:snusgubben
ID: 24074824
Sorry for the late response. Weekend, you know.

You can edit the security on the GPO and set "deny read" for the local admin group. (since the restricted group is added to this local group)

It's explained here:
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html


SG
 

Author Comment

by:lacroix_al
ID: 24089439
snusgubben,
Thank you for the reply.
I am using GPMC and don't see how to set this up.
Any idea?
AL
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 24091081
I'm not in front of my domain atm, so I can't verify.

Check "figure 3" in this link: http://www.windowsecurity.com/articles/Delegating-Group-Policy-Privilege-using-GPMC.html


SG
 

Author Comment

by:lacroix_al
ID: 24091114
Ok
Sorry, I see how to set it now.
I was trying to run it on my XPP machine, but it seems it requires Vista.
It works fine on the Vista machine.
I also found this:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23768453.html

Thanks for all your help
Al
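
Added example (not part of the thread and not code from any poster): a read-only PowerShell check for the setup discussed above. It reports the loopback mode in effect on the computer it runs on and lists any Deny entries the Domain Admins group has on the user lockdown GPO. The GPO display name `Classroom User Lockdown` is a made-up placeholder and the function names are hypothetical; it assumes a domain-joined machine running Windows PowerShell.

```powershell
# Added example. $GpoName is a placeholder; function names are hypothetical.
$GpoName   = 'Classroom User Lockdown'
$AdminGrp  = 'Domain Admins'
# GUID of the "Apply Group Policy" extended right
$ApplyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$AdRights  = [System.DirectoryServices.ActiveDirectoryRights]

function Get-LoopbackMode {
    # Loopback setting written by policy on this computer: 1 = Merge, 2 = Replace
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UserPolicyMode
    if ($val -eq 1) { 'Merge' } elseif ($val -eq 2) { 'Replace' } else { 'Not configured' }
}

function Get-GpoDenyAce {
    param([string]$DisplayName, [string]$Group)
    # Locate the GPO's groupPolicyContainer object by display name.
    # $DisplayName is a trusted constant here; escape it if it ever comes from input.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$DisplayName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "GPO '$DisplayName' not found" }
    # Read the DACL and keep the Deny entries that name the group
    $acl = $hit.GetDirectoryEntry().ObjectSecurity
    $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -like "*\$Group" }
}

"Loopback mode on $env:COMPUTERNAME : $(Get-LoopbackMode)"
$deny = @(Get-GpoDenyAce -DisplayName $GpoName -Group $AdminGrp)
if ($deny.Count -eq 0) {
    "No Deny entry for $AdminGrp on '$GpoName': its members still receive the lockdown."
}
foreach ($ace in $deny) {
    $rights = [int]$ace.ActiveDirectoryRights
    $what = @()
    # An empty ObjectType on an ExtendedRight ACE covers all extended rights
    if (($rights -band [int]$AdRights::ExtendedRight) -ne 0 -and
        ($ace.ObjectType -eq $ApplyGuid -or $ace.ObjectType -eq [guid]::Empty)) {
        $what += 'Apply Group Policy'
    }
    if (($rights -band [int]$AdRights::ReadProperty) -ne 0) { $what += 'Read' }
    "Deny for $($ace.IdentityReference): $($what -join ', ') [$($ace.ActiveDirectoryRights)]"
}
```

Run it on a classroom workstation to see the loopback mode that machine actually received; the GPO permission lookup gives the same result from any domain-joined machine.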