?
Solved

Applying Group Policy to lock down workstations to specific users

Posted on 2009-05-20
4
Medium Priority
?
740 Views
Last Modified: 2012-05-07
Hi there,

Using XP client and Win 2003 Server

I am trying to lock down domain workstations so that when domain users log on, they receive a very limited desktop, icons, etc.  However on the same workstation, if a member of the admin group log on, they get far more icons, run command, etc.  I have had no success so far

I have created an OU called Workstations, and the pc's will go in here.  Against this i need to apply a GPO which will give me what i need - do i need to create two GPO's - one for users and one for admins?  The changes i am making in the GPO are User settings i believe, however, the GPO when applied only picks up the Computer settings according to gpresult on the workstation.

Anyone have any resources or answers?
Thanks in advance
0
Comment
Question by:neal2206
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 24432013
If you're trying to apply user specific GPO's, you need to apply them to a container with users.
0
 

Author Comment

by:neal2206
ID: 24432064
Thanks for the reply..
This OU will only contain workstations, our users all live in the 'users' container.  It is a user specific GPO in the respect that when users in the admin group log on, they will get increased rights to the pc, whereas those in the users group require a very limited set of options.  I vaguely recall this can be done somehow but cannot identify how..
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 24432722
So a GPO that contains user settings that is linked to an OU that only contains computers won't be applied.   If you want the user settings to apply to the users you have a few options.
1.  Link the user GPO to the OU where your users are
2.  Use loopback processing.  GP MVP Darren Mar-Elia has a great overview on loopback here
http://sdmsoftware.com/blog/2009/01/please_explain_loopback_proces.html
So lets say you want a group (like admins) to not receive a policy.  For that you can use security filtering.   More on security filtering here
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0
 

Author Comment

by:neal2206
ID: 24432883
Excellent - i have stumbled across the loopback processing option and it works well for me.

Many thanks!
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question