Announcement

Collapse
No announcement yet.

Where to place GPO

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Where to place GPO

    hi there, I'm needing to make a GPO change for one user, we have for example a GPO setup which effects authorised users which stops them from seeing my network places on the desktop. I want to change the setting for one user, the users are all in ou's my dept, sorry if I haven't explained this very well.

  • #2
    Re: Where to place GPO

    move the user into a separate ou and apply the policy on that ou?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: Where to place GPO

      If I understand tolmie right, I think he/she wants the GPO to affect all but the one user.

      If this is the case then the easiest would be to move the user to another OU and not link the GPO to it. If you have invested highly in your OU structure and have several GPOs linked to the current OU then you can change the security on the GPO to Deny Apply Group Policy but this isn't recommended.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com

      Comment


      • #4
        Re: Where to place GPO

        Another option is using the Security Filtering. It can be done in two ways:
        1) put everyone else but User (let's say that this is the user that you don't want the restriction applied to) in a group and apply the restrictive policy only on that group.
        2) create a new policy. Change the setting you want, so the restriction is gone. Link the policy to the OU. Set the Security Filtering such, that the policy will be applied on the User only. Set the policy on a higher hierarchy level than the policy that is applied to everyone.
        Thinking loud: None of those it's something that one might call natural. After few months, it might be difficult to remember why did you do that. And what is the purpose of the group. You will have to remember to add any new user you want the policy to apply to him/her in the group. Or, if you choose the second way, you will have to remember to leave the order of the policies as it is.
        When working with settings of the GPOs, like Security Filtering or (as Jeremy already said), with permissions, you don't see the setup immediately, by looking at the policies' tree. This might leave room for errors, both for you and future guys (or girls) that will have to deal with it. It should be heavily documented (too bad Microsoft didn't think of giving us a place in GPMC to write comments on a GPO).

        So, you have a lot of options here. Your call.
        Keep the forum posted.

        Sorin Solomon


        In order to succeed, your desire for success should be greater than your fear of failure.
        -

        Comment


        • #5
          Re: Where to place GPO

          FYI
          Security Filtering is just an easy way to give a user or group the Apply Group Policy permission. Delegation is similar in that it too is just a tool to set the proper permissions for delegation.

          The reason I went straight for the permissions is because that's the only way to deny a permission.

          Sorin has some perfectly viable options that may be easier to maintain because you'll either use a group that you can put a description on or a new GPO that you can give a descriptive name.
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com

          Comment


          • #6
            Re: Where to place GPO

            Thanks everyone for your comments, I managed to get it working before I came back here, just created a new GPO and linked it to the OU and added the users who was to receive the policy. Then enforced the policy, seems to be working fine and cant think of anything negative about the way its setup.

            Comment


            • #7
              Re: Where to place GPO

              Yup, that's basically the way Sorin suggested.
              However, for ease of administration, I would create a group, add the users to it, then add the group to the Security Filtering on the GPO instead of configuring each individual user.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com

              Comment


              • #8
                Re: Where to place GPO

                Ye I understand what your saying but it's only for one user and highly unlikely that it will change. That my first GPO done.

                Cheers

                Comment


                • #9
                  Re: Where to place GPO

                  Originally posted by tolmie View Post
                  That my first GPO done.
                  Cheers
                  First of all, congratulations!
                  Second, I think that because this is your first GPO, you should test the other approaches too. This way, you will be able to feel by yourself the differences between them and the different ways to accomplish the same result.
                  Anyway, good luck. I'm glad you solved the problem.

                  Sorin Solomon


                  In order to succeed, your desire for success should be greater than your fear of failure.
                  -

                  Comment

                  Working...
                  X