group policy exception - Techist - Tech Forum

#1, 12-02-2005, 04:08 PM, jseber1982 (Enterprise SCCM\SCOM)
Join Date: Sep 2004
Location: Atlanta, Ga
Posts: 904
Subject: group policy exception

Ok, I have a 2003 domain. I am trying to make it so that a group of users can only access a certain group of PCs. I want it so that whenever I bring a new group of PCs in, I don't have to make another policy for each one. So what I did was, I made a domain policy to deny the "training" users logon rights to the entire domain. I did not make this enforced. I then made a GPO right above the training computers to allow logon; I enforced this. For some reason the training users are still getting denied. I know that on GPOs, if there is a permissions conflict, the enforced one will always take over; that's why I don't get why it isn't working.

Any help, thanks.

#2, 12-02-2005, 04:13 PM, Inaris (Master Techie)
Join Date: Oct 2003
Posts: 2,258

Most restrictive will always override. Both policies are getting there, and the most restrictive is taking precedence. Even though the propagation should use the top-level over the lower one, you will always default to the most restrictive.

#3, 12-02-2005, 04:27 PM, jseber1982 (Enterprise SCCM\SCOM)

Any way to add the training PCs as an exception? I don't want to block inheritance, because it will block the default policy also.

#4, 12-02-2005, 07:55 PM, jseber1982 (Enterprise SCCM\SCOM)

Not trying to be smart or anything, but the settings at the lowest level win when it comes to permissions. It is totally backwards from NTFS permissions. The only time that the upper-level GPOs win is if they are enforced. Enforced meaning the "No Override" is set.

#5, 12-02-2005, 07:57 PM, brady (S e c u r e d)
Join Date: Feb 2005
Location: Somewhere Sunny
Posts: 3,760

Could you explain exactly what you are trying to do again?

Can you include groups and permissions?

#6, 12-02-2005, 08:39 PM, Win2kpatcher (Master Techie)
Join Date: Feb 2004
Posts: 2,172

It doesn't sound like you need a GPO to achieve this, but a security group in Active Directory would better suit your needs. Remember when working with GPOs the order of which is dominant goes LOCAL GPO, SITE GPO, DOMAIN GPO, and OU GPO, the last one being dominant over all others.

Now if policies are equal (have the same setting configured) then the strictest setting will be dominant over the flow of the other policy. Then when you start dealing with nested OUs it gets a bit more fun. Have you run RSoP to see perhaps where the problem is?
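As an added illustration (not code from the thread or any of its posters), the following Python models the two rules the replies are circling: GPO link precedence (LSDOU order, with enforced links applied last) and User Rights Assignment, where "Deny log on locally" is a separate setting from "Allow log on locally" and a matching deny wins at logon no matter which GPO set it. It goes slightly beyond the thread by also showing the case where the deny GPO is simply out of scope for the training machines; the GPO names, group names and numeric levels are constructed.

```python
# Added model (not from this thread): how Group Policy processes User Rights
# Assignment. GPO names, group names and the numeric levels are constructed.
from dataclasses import dataclass, field

ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

@dataclass
class Gpo:
    name: str
    level: int                 # LSDOU: 0 local, 1 site, 2 domain, 3 OU
    enforced: bool = False
    settings: dict = field(default_factory=dict)   # right -> set of groups
def processing_order(gpos):
    """Normal links apply in LSDOU order (OU last, so it wins); enforced links
    apply after all of them, with the highest-level enforced link last."""
    normal = sorted((g for g in gpos if not g.enforced), key=lambda g: g.level)
    enforced = sorted((g for g in gpos if g.enforced), key=lambda g: -g.level)
    return normal + enforced
def resolve_rights(gpos):
    """Each right is its own setting: the last GPO that defines it replaces the list."""
    effective = {}
    for g in processing_order(gpos):
        for right, groups in g.settings.items():
            effective[right] = set(groups)
    return effective

def can_log_on(effective, user_groups):
    """At logon a match on the deny right wins over any allow right."""
    if effective.get(DENY, set()) & user_groups:
        return False
    return bool(effective.get(ALLOW, set()) & user_groups)
# The thread's setup: domain-wide deny (not enforced) plus an enforced allow on the OU.
DOMAIN_DENY = Gpo("Domain - deny Training logon", 2, settings={DENY: {"Training"}})
OU_ALLOW = Gpo("TrainingPCs OU - allow logon", 3, True, {ALLOW: {"Training", "Administrators"}})
TRAINING_USER = {"Domain Users", "Training"}

def training_user_on_training_pc():
    # Different rights, so neither GPO overrides the other: the domain deny still blocks.
    return can_log_on(resolve_rights([DOMAIN_DENY, OU_ALLOW]), TRAINING_USER)

def training_user_if_deny_out_of_scope():
    # The allow only takes effect once the deny GPO no longer applies to these PCs.
    return can_log_on(resolve_rights([OU_ALLOW]), TRAINING_USER)

def same_setting_conflict(domain_enforced):
    # Same right in both GPOs: the OU link wins unless the domain link is enforced.
    domain = Gpo("Domain - allow", 2, domain_enforced, {ALLOW: {"Domain Users"}})
    ou = Gpo("OU - allow", 3, settings={ALLOW: {"Training"}})
    return resolve_rights([domain, ou])[ALLOW]
```

The model is what RSoP would show you for these two settings: the enforced allow does apply, but the deny right from the domain GPO is still present, and that is what the logon check evaluates first.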

#7, 12-02-2005, 08:51 PM, Win2kpatcher (Master Techie)

Ok, this is what I would do. I don't know how large your enterprise is, so it may not be for you.

You could create a security group called TRAINING PCs or whatever... add the users to this group who you wish to have the restricted access. Add this group to all your PCs in your env. Now on every PC EXCEPT the ones you wish the training group to access, set the TRAINING PCs group to DENY ALL ACCESS.

On the PCs you do wish to allow this group to connect to, configure the security settings as needed, whether it be read only, read & write, etc. Just my recommendation.

#8, 12-03-2005, 11:17 AM, jseber1982 (Enterprise SCCM\SCOM)

Everywhere I have read says that lower-level GPOs overwrite higher ones because they are last applied. Hmmmmm.

Anyway,

I work for a BIG company. I am in charge of setting up an internal network to serve demos and stuff. To start off, I have 3 groups.

Training
Development
Projects

Training people can log onto only training PCs.

Development can log into development machines and training PCs.

Projects can log into project machines and training PCs.

Each group of machines has its own PC group in AD. Each user group has its own group in AD.

I want to make it so that, when I give permissions to a group, I don't have to change it whenever I bring in a new group.

Right now I have OU permissions on each computer group OU. That sucks, because whenever I bring in a new project, I will have to go back to each group and edit the permissions.

If I can do a global deny for each group, and then let them have access to what they need, when I bring in a new group, it won't affect any of the other ones because they will already be denied.

#9, 12-05-2005, 08:29 AM, jseber1982 (Enterprise SCCM\SCOM)

.

#10, 12-05-2005, 03:33 PM, Inaris (Master Techie)

Is each machine built the same, or do they have a different build for each type, i.e. training, projects and development?