group policy exception

Status
Not open for further replies.

jseber1982 (Enterprise SCCM\SCOM, Atlanta, Ga)
OK, I have a 2003 domain. I am trying to make it so that a group of users can only access a certain group of PCs. I want it so that whenever I bring a new group of PCs in, I don't have to make another policy for each one. So what I did was, I made a domain policy to deny the "training" users logon rights to the entire domain. I did not make this enforced. I then made a GPO right above the training computers to allow logon; I enforced this. For some reason the training users are still getting denied. I know that on GPOs, if there is a permissions conflict, the enforced one will always take over; that's why I don't get why it isn't working.

Any help? Thanks.
 
Most restrictive will always override. Both policies are getting there, and the most restrictive is taking precedence. Even though the propagation should use the top level over the lower one, you will always default to the most restrictive.
 
Any way to add the training PCs as an exception? I don't want to block inheritance, 'cause it will block the default policy also.
 
Not trying to be smart or anything, but... the settings at the lowest level win when it comes to permissions. It is totally backwards from NTFS permissions. The only time that the upper-level GPOs win is if they are enforced. Enforced meaning "No Override" is set.
 
It doesn't sound like you need a GPO to achieve this, but a security group in Active Directory would better suit your needs. Remember when working with GPOs the order of which is dominant goes LOCAL GPO, SITE GPO, DOMAIN GPO, and OU GPO, the last one being dominant over all others.

Now if policies are equal (have the same setting configured), then the strictest setting will be dominant over the flow of the other policy. Then when you start dealing with nested OUs it gets a bit more fun. Have you run RSoP to see perhaps where the problem is?
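An added check for the situation in the first post and the RSoP suggestion above (example script, not code from anyone in the thread). It exports the effective local user-rights assignment on one machine with secedit.exe, which reflects whatever the applied GPOs delivered, and lists who holds "Allow log on locally" and "Deny log on locally". A principal that appears in both lists is refused logon, whichever GPO (enforced or not) delivered each setting, so an overlap here explains a denial without having to reason about link order. It assumes it is run as a local administrator on the PC being checked; the file path is a placeholder.

```powershell
# Added example: report the effective interactive-logon rights on this PC and flag any
# principal that is both allowed and denied. Assumes local administrator rights and
# secedit.exe (present on Windows XP / Server 2003 and later). Temp path is a placeholder.

$inf = Join-Path $env:TEMP 'userrights-export.inf'

# secedit writes the resulting local policy (after GPO processing) in INI format.
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Get-RightMembers {
    param([string]$Path, [string]$Right)
    # Each right is one line such as: SeDenyInteractiveLogonRight = *S-1-5-21-...-1105,Guest
    $line = Get-Content $Path | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    $raw = ($line -split '=', 2)[1].Trim()
    if ($raw -eq '') { return @() }
    $raw -split ',' | ForEach-Object {
        $id = $_.Trim()
        if ($id.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to DOMAIN\Name where possible.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $id }
        } else { $id }
    }
}

$allow = @(Get-RightMembers -Path $inf -Right 'SeInteractiveLogonRight')
$deny  = @(Get-RightMembers -Path $inf -Right 'SeDenyInteractiveLogonRight')

"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $($deny -join ', ')"

# Deny wins over Allow for the same principal, regardless of which GPO set each one.
$both = $allow | Where-Object { $deny -contains $_ }
if ($both) {
    "Denied despite an Allow entry: $($both -join ', ')"
} else {
    "No direct allow/deny overlap on this machine."
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

The overlap test compares names as written in the policy and does not expand group membership, so a user who is in a denied group and an allowed group will not be flagged by the last step; the two printed lists still show which groups carry each right. Pair it with gpresult (the RSoP tool mentioned above) to see which linked GPO supplied each entry.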
 
OK, this is what I would do. I don't know how large your enterprise is, so it may not be for you.

You could create a security group called TRAINING PCs or whatever, and add the users to this group who you wish to have the restricted access. Add this group to all your PCs in your environment. Now on every PC EXCEPT the ones you wish the training group to access, set the TRAINING PCs group to DENY ALL ACCESS.

On the PCs you do wish to allow this group to connect to, configure the security settings as needed, whether it be read only, read & write, etc. Just my recommendation.
 
Everywhere I have read says that lower-level GPOs overwrite higher ones because they are last applied. Hmmmmm.

Anyway,

I work for a BIG company. I am in charge of setting up an internal network to serve demos and stuff. To start off, I have 3 groups.

Training
Development
Projects

Training people can log onto only training pcs

Development can log into development machines and training pcs

Projects can log into project machines and training pcs

Each group of machines has its own PC group in AD. Each user group has its own group in AD.

I want to make it so that, when I give permissions to a group, I don't have to change it whenever I bring in a new group.

Right now I have OU permissions on each computer group OU. That sucks, 'cause whenever I bring in a new project, I will have to go back to each group and edit the permissions.

If I can do a global deny for each group, and then let them have access to what they need, when I bring in a new group, it won't affect any of the other ones because they will already be denied.
 
Is each machine built the same, or do they have a different build for each type, i.e. training, projects and development?
 