Announcement

Collapse
No announcement yet.

GPO processing

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO processing

    hi, I have created a gpo to disable write access to usb in the user configuration. the default domain policy is not enabled for the same setting - both gpos are in the same ou. default domain has a link order of 1 and usb has link order of 4 yet usb is processed. I thought the lower link order should take precedence?

  • #2
    Re: GPO processing

    "Not enabled" means precisely that - the setting is not defined, so the default policy does not modify it

    Only "enabled" and "disabled" actively affect policy settings
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: GPO processing

      thanks very much.

      as I have deny write access to removable disks enabled - will this prevent writing to all different types of usb storage devices?

      I can add a user or a computer to the security filtering of this usb gpo. am I correct that if I add a computer, then anyone who logs on to this pc will be unable to write to usb? and anyone who is not on the list can write?

      is above dependent on if the computer or the user configuration is edited in group policy management editor/

      Comment


      • #4
        Re: GPO processing

        Originally posted by Josh 2009 View Post
        am I correct that if I add a computer, then anyone who logs on to this pc will be unable to write to usb?
        Only if that setting is configured under the Computer Configuration of your GPO. Will elaborate in my next answer.
        Originally posted by Josh
        is above dependent on if the computer or the user configuration is edited in group policy management editor/
        Yes. User and computer accounts are controlled by their respective configuration templates in the GPO. In order to apply this to computer accounts, you would use the Computer Configuration side of the GPO, and it would apply to anyone who logs in to the PC. Then you would just need to add new computers to the OU in which this GPO is applied in order for them to use the same policy.

        Comment

        Working...
        X