Windows 7 Thread, Is this possible? group policy restriction on computers but for diff security groups in Technical
  1. #1


    Is this possible? group policy restriction on computers but for diff security groups

    Hi,
    We are restructuring our domain for Windows 7.
    We have created some new policies to help organise things better.

    Staff Computer Policies
    Staff Computer Preferences
    Student Computer Policies
    Student Computer Preferences

    which are applied to an OU which just has the Windows 7 computers in.

    Both staff and student will have different computer policies. I have tried to use security filtering, to allow students to the student ones, and staff to the staff ones, but when you log on, they do not get applied and say disabled. I have tried denying a group to apply the policy, but still all of them, whether logged in as student or staff, get denied - Access Denied (Security Filtering).

    I have the same setup for 4 for users, and restricted it the same way, OU with users who are using Win7, and it is being applied as expected.

    Any ideas? Anyone done this? Thanks.

    Is it possible to have one computer OU, and apply different computer policies depending on the user group? If so, how?

  2. #2
    Zenden's Avatar
    (Going off memory here.) I think you need to change permissions on the GPO to apply group policy to the group "Domain Computers" and then add the user group you want too (e.g. staff). Make sure "Authenticated Users" is not set to have the policy applied, as this includes all domain computers and all domain users.

    This way the computer portion of the policy is applied to all computers in the OU but the user portion of the policy is only applied to the correct user group.

  3. #3

    I don't quite follow, can you expand some more?

  4. #4
    Zenden's Avatar
    Quote Originally Posted by zbjsy View Post
    I don't quite follow, can you expand some more?
    My apologies, I think I misunderstood your question. You want your staff and student computers in the same OU but to filter which policy is applied to the computer based on which user logs in? This won't be possible, as computer policy processing is applied before any user can log in.

    I would put two sub-OUs inside your computers OU, one for staff and one for students.

  5. #5

    Many thanks, yes you are correct. That's what I was trying to avoid.

  6. #6

    Can't you just have a Staff GPO and a Student GPO, each within the Organisational Unit where the corresponding accounts reside (Staff OU, Student OU)? Then set the required Computers Policies and Preferences within each, and change the GPO Scope WMI Filtering for Windows 7.

    And then for any unique policies/preferences specifically for a computer (e.g. Printer Mapping etc.), create another GPO for that computer (or the OU it resides within) and remember to enable User Group Policy loopback processing mode. (Under Computer Configuration > Policies > Administrative Templates > System > Group Policy)

  7. #7
    Zenden's Avatar
    Quote Originally Posted by zbjsy View Post
    Many thanks, yes you are correct. That's what I was trying to avoid.
    Out of curiosity, why would you want to set it up this way? I find separate OUs a hell of a lot easier to manage than trying to set up a complicated permissions-based structure in group policy.

  8. #8

    The problem is when a staff member logs onto a student computer, they will get the student computer policies applied.

  9. #9
    Zenden's Avatar
    Quote Originally Posted by zbjsy View Post
    The problem is when a staff member logs onto a student computer, they will get the student computer policies applied.
    Yes, this is true. Perhaps you would be best trying to apply as much of your policies at user level rather than computer.

  10. #10

    Quote Originally Posted by Zenden View Post
    Out of curiosity, why would you want to set it up this way? I find separate OUs a hell of a lot easier to manage than trying to set up a complicated permissions-based structure in group policy.
    Rethinking outside the box. Our current structure is like that, sub OUs, classroom OUs etc. We have the option to redesign, so why not look at alternatives?

  11. #11
    Zenden's Avatar
    Quote Originally Posted by zbjsy View Post
    Rethinking outside the box. Our current structure is like that, sub OUs, classroom OUs etc. We have the option to redesign, so why not look at alternatives?
    Fair enough. Well, to my knowledge I don't think it can be done this way, since computer policies are applied earlier. I can only think to move your policies to user based rather than computer based.

  12. Thanks to Zenden from:

    zbjsy (3rd July 2013)

  13. #12
    ADMaster's Avatar
    I agree with Zenden, an OU structure is easier to manage. I have something like;
    Staffusers
    Staffcomps
    Studentusers
    Studentcomps

    Then sub OUs based on building / lab etc. This allows me to target the policy. I can then disable half of each policy, that is, disable the user section of a computer policy and the computer section of a user policy. This reduces policy processing times, but with today's computers I don't think you'd see a big difference.

    However, it is possible to accomplish what you want with a little administrative overhead.
    Create security groups for each set of computers and users, then apply your security settings to that group.

    Also, are your computers and users in the same OU? If not, you'll need to apply the policy to both OUs or enable loopback processing.

    Hope this helps,

  14. #13

    While I agree with the others that an OU structure is way easier, what you can do is:

    Make an AD group called "Staff Computers", then in the OU or using a PowerShell script, add all the staff computers into the "Staff Computers" group. Then in Group Policy Management click on the Staff Group Policy, remove "Authenticated Users", then add your "Staff Computers" and possibly staff users groups too.

    I have done something similar for Windows 8, where I still have an OU structure but had to do this to enable our admin account to still work properly, as the GP I have on there uses loopback processing.
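
The group-based security filtering described in post #13, written out as an added PowerShell example (not code posted by anyone in the thread). It differs from the post in one respect: it leaves "Authenticated Users" with Read on the GPO instead of removing the entry entirely. The OU path and the `STAFF-*` naming pattern are placeholders assumed for illustration; the GPO and group names are the ones used in the thread.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$GpoName     = 'Staff Computer Policies'          # GPO name from the first post
$GroupName   = 'Staff Computers'                  # group name from post #13
$ComputerOU  = 'OU=Windows7,DC=example,DC=local'  # placeholder: the shared Windows 7 computer OU
$NamePattern = 'STAFF-*'                          # assumed naming convention for staff machines

# 1. Create the security group once (lands in the domain's default container).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. Add staff computers from the shared OU, skipping ones that are already members.
$existing = @(Get-ADGroupMember -Identity $GroupName |
              Select-Object -ExpandProperty distinguishedName)
$toAdd = @(Get-ADComputer -Filter "Name -like '$NamePattern'" -SearchBase $ComputerOU |
           Where-Object { $existing -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
} else {
    Write-Warning "No new computers matching '$NamePattern' under $ComputerOU"
}

# 3. Security filtering: give the computer group Read + Apply on the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# 4. Downgrade Authenticated Users from Apply to Read. -Replace removes the
#    existing higher permission first; the GPO stays readable but only the
#    group above applies it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 5. Review the resulting delegation before relying on it.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer only picks up a new group membership at its next restart, so reboot a test machine and check the applied and denied GPO lists with `gpresult /r /scope computer`.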
