+ Post New Thread
Results 1 to 6 of 6
Windows Server 2008 R2 Thread, using group policy to remove last user log on - propper way? in Technical; Looking for a bit of advice after the other weeks mess I made in GP . I want to disable ...
  1. #1

    Join Date
    Jul 2010
    Posts
    565
    Thank Post
    67
    Thanked 22 Times in 19 Posts
    Rep Power
    13

    using group policy to remove last user log on - propper way?

    Looking for a bit of advice after the other weeks mess I made in GP.

    I want to disable the last user been displayed in our IT room when the next user presses ctrl+alt+del In essence to make the new user log on as themselves. Were a Primary school so the younger kids dont have a password.

    I have found the settings that I need to change >security settings > local policies > security options > interactive logon .

    Now in the past i have always created a GP in the domains > school.local section ands then assigned it to either computers or users or authenticated users in the GP. But have been told that this is wrong/bad??? so where in the GP management should i create this GP ?

    Cheers

  2. #2
    Valyyn's Avatar
    Join Date
    Jun 2011
    Location
    Portsmouth
    Posts
    202
    Thank Post
    21
    Thanked 62 Times in 44 Posts
    Rep Power
    54
    If it helps, this is how we have things set up.
    The default Computers and Users folders we don't use - we just leave the default accounts in those.

    We've then got Seperate OUs (organizational units) called "<schoolname> Computers" and "<schoolname> Users", into which all our users and computers go (sub-divided into further groups by room/dept etc).

    Now for something like this, I have one policy in the top level of my "<schoolname> Computers" OU which has all the base settings in it (the settings which apply to all machines, regardless of where they are), which includes the setting you mention here. I then have further policies on the OUs below it to further specifify things for just staff or just student machines etc.

    Not sure if I've explained this very well, but I hope it's of some help and please ask if you want me to clarify anything!

  3. #3

    Join Date
    Jul 2010
    Posts
    565
    Thank Post
    67
    Thanked 22 Times in 19 Posts
    Rep Power
    13
    Cheers@valyyn
    Here is a screenshot of what I seescreenshot.png

    As you can see most of the stuff is just at the top level. I mainly use it to deploy software msi so for example the webplusx5 is there but just deploys to the ICT room. I do this is the security filtering of the GP. When I was training this is what I got told. Am assuming this is not the best way now?
    As you can see there is a folder for staff and one for students but no computers?
    In active directory in the computer sections I have created security groups for class rooms and one for the IT room.

  4. #4
    Valyyn's Avatar
    Join Date
    Jun 2011
    Location
    Portsmouth
    Posts
    202
    Thank Post
    21
    Thanked 62 Times in 44 Posts
    Rep Power
    54
    Ah, ok. Here's a screenshot of mine, so I pretty much have the different policies set by OU, getting more specific as you go deeper into the tree.
    Mine's actually a bit messy at the moment as there were some policies that I separated while testing them and I need to merge into one (like the Chrome ones)



    In all honesty, I'm not sure what is the best way to do things (security filtering vs OUs) - this is just the way I was first shown so the way I've always done it!

    Maybe someone else will weigh in on the pros and cons of each - would be good to know to be honest

    (Edited to shrink the image preview a bit!)
    Last edited by Valyyn; 17th December 2013 at 11:00 AM.

  5. Thanks to Valyyn from:

    MattDLEA (17th December 2013)

  6. #5
    chazzy2501's Avatar
    Join Date
    Jan 2008
    Location
    South West
    Posts
    1,781
    Thank Post
    213
    Thanked 263 Times in 213 Posts
    Rep Power
    67
    There is a lack of schema planning here really. The only issue is gpo trouble shooting with security filters etc. making it difficult to diagnose and may lead you to doing some technical hurdles in the future with new GPOs.

    I've chosen with my schema to have 1 users ou's with sub ous for staff, admin pupils and 1 computers ou further subdivided by 12 rooms (including server).

    I can put general gpos in the root ou and specific gpos in the relevant sub ou. This makes GPO hunting easier. as they're also divided by type (computer/ user settings) and relevancy.

    Also means I don't have to worry about a new GPO affecting large numbers of PCs by accident.

    Capture.png

  7. Thanks to chazzy2501 from:

    MattDLEA (17th December 2013)

  8. #6

    Join Date
    Jul 2010
    Posts
    565
    Thank Post
    67
    Thanked 22 Times in 19 Posts
    Rep Power
    13
    Cheers @Chazzy So the way I have it at the moment would be a nightmare in a larger setting?
    Is it going to be difficult for me to change it into something better like your solution?

SHARE:
+ Post New Thread

Similar Threads

  1. Using Group policy to remove Library Location.
    By VictorK in forum Windows 7
    Replies: 1
    Last Post: 26th September 2013, 02:47 PM
  2. Using Group Policy to set up Printers
    By sluggster66 in forum Windows Server 2008 R2
    Replies: 4
    Last Post: 21st November 2012, 08:56 AM
  3. using group policy to manage windows 7 systems
    By goldencalve in forum Windows Server 2000/2003
    Replies: 4
    Last Post: 29th January 2010, 09:39 AM
  4. Using Group Policy to allow a user to install software
    By kaphc in forum Windows Server 2000/2003
    Replies: 3
    Last Post: 16th December 2009, 08:37 PM
  5. Replies: 8
    Last Post: 16th November 2009, 10:08 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •