Windows Server 2008 R2 Thread, using group policy to remove last user log on - propper way? in Technical; Looking for a bit of advice after the other weeks mess I made in GP .
I want to disable ...
17th December 2013, 10:11 AM #1
using group policy to remove last user log on - propper way?
Looking for a bit of advice after the other weeks mess I made in GP.
I want to disable the last user been displayed in our IT room when the next user presses ctrl+alt+del In essence to make the new user log on as themselves. Were a Primary school so the younger kids dont have a password.
I have found the settings that I need to change >security settings > local policies > security options > interactive logon .
Now in the past i have always created a GP in the domains > school.local section ands then assigned it to either computers or users or authenticated users in the GP. But have been told that this is wrong/bad??? so where in the GP management should i create this GP ?
17th December 2013, 10:37 AM #2
If it helps, this is how we have things set up.
The default Computers and Users folders we don't use - we just leave the default accounts in those.
We've then got Seperate OUs (organizational units) called "<schoolname> Computers" and "<schoolname> Users", into which all our users and computers go (sub-divided into further groups by room/dept etc).
Now for something like this, I have one policy in the top level of my "<schoolname> Computers" OU which has all the base settings in it (the settings which apply to all machines, regardless of where they are), which includes the setting you mention here. I then have further policies on the OUs below it to further specifify things for just staff or just student machines etc.
Not sure if I've explained this very well, but I hope it's of some help and please ask if you want me to clarify anything!
17th December 2013, 10:48 AM #3
Here is a screenshot of what I seescreenshot.png
As you can see most of the stuff is just at the top level. I mainly use it to deploy software msi so for example the webplusx5 is there but just deploys to the ICT room. I do this is the security filtering of the GP. When I was training this is what I got told. Am assuming this is not the best way now?
As you can see there is a folder for staff and one for students but no computers?
In active directory in the computer sections I have created security groups for class rooms and one for the IT room.
17th December 2013, 10:58 AM #4
Ah, ok. Here's a screenshot of mine, so I pretty much have the different policies set by OU, getting more specific as you go deeper into the tree.
Mine's actually a bit messy at the moment as there were some policies that I separated while testing them and I need to merge into one (like the Chrome ones)
In all honesty, I'm not sure what is the best way to do things (security filtering vs OUs) - this is just the way I was first shown so the way I've always done it!
Maybe someone else will weigh in on the pros and cons of each - would be good to know to be honest
(Edited to shrink the image preview a bit!)
Last edited by Valyyn; 17th December 2013 at 11:00 AM.
Thanks to Valyyn from:
MattDLEA (17th December 2013)
17th December 2013, 12:20 PM #5
There is a lack of schema planning here really. The only issue is gpo trouble shooting with security filters etc. making it difficult to diagnose and may lead you to doing some technical hurdles in the future with new GPOs.
I've chosen with my schema to have 1 users ou's with sub ous for staff, admin pupils and 1 computers ou further subdivided by 12 rooms (including server).
I can put general gpos in the root ou and specific gpos in the relevant sub ou. This makes GPO hunting easier. as they're also divided by type (computer/ user settings) and relevancy.
Also means I don't have to worry about a new GPO affecting large numbers of PCs by accident.
Thanks to chazzy2501 from:
MattDLEA (17th December 2013)
17th December 2013, 12:33 PM #6
Cheers @Chazzy So the way I have it at the moment would be a nightmare in a larger setting?
Is it going to be difficult for me to change it into something better like your solution?
By VictorK in forum Windows 7
Last Post: 26th September 2013, 02:47 PM
By sluggster66 in forum Windows Server 2008 R2
Last Post: 21st November 2012, 08:56 AM
By goldencalve in forum Windows Server 2000/2003
Last Post: 29th January 2010, 09:39 AM
By kaphc in forum Windows Server 2000/2003
Last Post: 16th December 2009, 08:37 PM
By fox1977 in forum Windows 7
Last Post: 16th November 2009, 10:08 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)