Creating a Group Policy for a Group

OK, last thing of the night that my Googlefoo can't seem to help me solve.

I have a group called "office staff". They need their own rights and privileges from "work area" computers. How do I create a GPO that will then give them specific rights?
Azra LyndseyNerdAsked:

Cliff Galiher Commented:
Too generic of a question. "Rights and privileges" isn't exactly useful. User rights are straightforward. Create a GPO, link it to an OU that has all of the users, and if necessary, restrict it to the specific users you want through a security group of which only they are a member.

If that doesn't cover your needs then you may need to resort to some trickery such as WMI filtering or loopback processing. Or it may not even be possible to do whatever it is you are trying to do. Which is where the "too generic" comes in. Without more info, it is tough to make a better or more concise recommendation.

Scott Thomson Commented:
Let me elaborate on Cliff's comment.

Are all the users in the same OU? If so, then you could set the GPO up on the OU so that all users in that OU pick up the policy.

If the users are scattered throughout the organisation, let's say they are all managers of different departments and in different OUs such as HR, IT, Accounting, etc.

Then you would need to create a group that all users would be added to and set the GPO to that security group. Therefore all users who are a member of the "managers are the best" group would get the policy that may let them have unmetered internet or security access to the whole fileserver etc., and no other users would get this access unless they too were added to the group.
Azra LyndseyNerdAuthor Commented:
OK, I'll try to explain a bit better.

Members of the "office staff" group need to be able to use external drives, install software, and a few other things.  I don't want to give them full administrative rights.  There's probably a few other things that I want to enable them to do that I don't want other users to be able to do (front office needs access to a different set of folders than the work area computers).  So I'd like to create a group policy that's strictly for them.

I have the same dilemma with a generic user that we call "user" who, essentially, behaves like a kiosk computer in the office.  This user needs to be super restrictive - we don't even want people changing wallpaper.

So I'm trying to figure out how to create GPOs and link them to specific groups.  

If I understand you correctly, I'll create a GPO under forest/domains/Group Policy Objects.  In this case, I'll call it "FrontOfficeStaff."  But creating the OU...  I'm not sure how to do that.  I see where I can link to an OU, and I've created the group under "Active Directory Users and Computers," it's called "Front Office Staff," it's a security group and it's set to global for the time being.

How do I tell a group "you have to follow the rules set here?"

Azra LyndseyNerdAuthor Commented:
I'm probably going to have to have somebody hold my hand on this one, I think I get what needs to be done, I'm just not sure how to actually execute the steps to create a GPO and then make a group that follows the rules set in the GPO.
Cliff Galiher Commented:
Usually granting access to folders is done with NTFS or share permissions. Group policy doesn't need to be involved at all. Standard users also usually have access to removable drives so that shouldn't be an issue.

As for locking down the kiosk machine, this should help:

More generically, it sounds like you could use some basic group policy knowledge. You don't tell a group that "your permissions are here" when it comes to group policy. You instead define the policy (which has one or more rules) and link it to a domain or OU. Then it will apply to everybody and everything in that OU unless you filter out what you don't want. Which is where security filters and WMI filters come in. Each one is increasingly restrictive until you get *just* the users or computers you want.

As you can see, the application can get complex quickly and it'd be far too difficult to cover all of that knowledge in an EE reply. So I'll instead recommend this book:

Jeremy does a very good job of presenting the fundamentals and then builds on that knowledge and this would get you through most of the questions you might come up with even circumspectly.
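
The sequence described in the comments above (create the GPO, link it to an OU, then narrow it with security filtering) can be scripted with the GroupPolicy PowerShell module that ships with GPMC/RSAT. This is an added example, not part of the original thread; the GPO and group names are the ones the asker mentions, while the OU path and domain DN are placeholders assumed for illustration.

```powershell
# Added example, not from the thread. Run from an admin workstation or DC with GPMC installed.
Import-Module GroupPolicy

$GpoName  = 'FrontOfficeStaff'             # GPO name the asker chose
$Group    = 'Front Office Staff'           # security group the asker created
$TargetOU = 'OU=Staff,DC=example,DC=com'   # placeholder: OU that holds the user accounts

# 1. Create the GPO if it does not exist yet. It is empty until settings
#    are defined in the Group Policy Management Editor.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Settings for front office staff only'
}

# 2. Link it to the OU. User settings only reach user objects located in
#    (or below) the linked OU, regardless of group membership.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
          Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 3. Security filtering. By default "Authenticated Users" has Read + Apply.
#    Downgrade it to Read only (-Replace is required to lower a permission),
#    then grant Apply to the one group that should receive the policy.
#    Read is kept so computer accounts can still fetch the GPO, which
#    user-policy processing needs on systems patched with MS16-072.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review the resulting delegation: only $Group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
```

After the next policy refresh, `gpresult /r` run as a member of the group should list the GPO under applied user policies, and as a non-member it should show the GPO as filtered out.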
Azra LyndseyNerdAuthor Commented:
I've requested that this question be deleted for the following reason:

The first answer explains it all: the question is too generic.  I need to re-think what's going on here and then ask a better question.
Cliff Galiher Commented:
While the question itself was generic, the OP did ask follow-up questions and got good answers regarding group policy, file system, locking down machines, and further reading resources. Based on the follow-up questions and answers, this question should not be deleted.
Scott Thomson Commented:
I think all solutions covered the question. This one should be split and the next question asked later and more specifically. @author, I think in this case it's not really fair to close the question, as the answers covered the request quite in depth. You just need to ask a follow-up question next.
Windows Server 2012
Question has a verified solution.