#145664 - 2005-08-16 03:16 PM
Re: AD GPO Gurus - Group Exceptions
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Quote:
Not sure I follow... no local administration required. Everything is done at the OU. GPOs have an ACL so you simply remove whoever you don't want it to apply to.
Yeah, this is the way I thought of going, but I just don't know AD well enough to know if I'm likely to bugger things up.
What I'd need to do is add an ACL which explicitly denies access to admins. Would that deny access to manage the GPO as well? Or would it simply stop the GPO being applied?
I could just try it and see what happens, but I'd rather get a consensus on the best approach from you guys with AD experience first!
|
Top
|
|
|
|
#145669 - 2005-08-17 10:43 AM
Re: AD GPO Gurus - Group Exceptions
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Quote:
Well the entire picture and reason was not posted.
That's quite deliberate - the specifics are not at all relevant to the solution. There should be enough information in the post (including the fact that there are W2K servers!) to answer the question.
In fact I should have avoided mentioning servers at all - the working solution will be used for example with single purpose shop floor devices such as process management terminals.
I kept the information to a minumum as I'm after a general solution, not one specific to a limited situation. The technique of limiting the scope of the GPO should not be bound to equipment type.
I'll try the suggestions and let you know how I get on.
|
Top
|
|
|
|
#145670 - 2005-08-17 11:50 AM
Re: AD GPO Gurus - Group Exceptions
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
OK, from reading the referenced documents it looks like I need a combination of Group Policy loopback to effect user GPOs specific to the computer OU and ACLs to restrict the settings to non-admins.
Piece of cake
|
Top
|
|
|
|
#145674 - 2005-08-17 01:32 PM
Re: AD GPO Gurus - Group Exceptions
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Quote:
Yes. Policies are applied one after one. And it is generally recommended to have as few as possible, and disable unused User Configuration Settings or Computer Configuration Settings if there isn't any changes, for each GPO. A client shouldn't be hit by more than 5-10 GPO's in total (user + computer).
Do you mean set to "not defined" rather than "disabled"? I assume that "disabled" is an active setting, so will increase the processing.
|
Top
|
|
|
|
#145677 - 2005-08-17 02:54 PM
Re: AD GPO Gurus - Group Exceptions
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Quote:
btw - how was Venice ?
Hot, damned hot. Hotel food was so exceptionally good we didn't eat out in the evening which is very unusual for us - normally we only ever eat in the hotel on the first night even if we are half/full board. We were acutally in Jesolo di Lido which is about a half-hour drive from Venice. Beaches were excellent and I got a great tan.
GF has been telling everyone that it was "romantic", so I guess I must have got something right.
|
Top
|
|
|
|
Moderator: Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart
|
0 registered
and 84 anonymous users online.
|
|
|