+ Post New Thread
Results 1 to 10 of 10
Windows Server 2008 R2 Thread, Group Policy Issues... in Technical; Basically i want to set it up so that on my network if a mamber of staff logs onto a ...
  1. #1

    Join Date
    Mar 2008
    Location
    Boston, Lincolnshire
    Posts
    189
    Thank Post
    1
    Thanked 8 Times in 8 Posts
    Rep Power
    14

    Group Policy Issues...

    Basically i want to set it up so that on my network if a mamber of staff logs onto a computer they get a password restriction policy and if a student logs onto the same machine - they get a different password policy...

    i have a policy called staff and a policy called students at top level in group policy...

    each only apply to staff or the students group in AD... works perfectly for all user configration parts of the policy... is there a loopback type thing to get it to set Machine Policy due to each user who logs on?

    spent hours on this and there is a rather dented section of wall near my desk...

  2. #2
    ricki's Avatar
    Join Date
    Jul 2005
    Location
    uk
    Posts
    1,475
    Thank Post
    20
    Thanked 164 Times in 157 Posts
    Rep Power
    52
    Hi

    My guess is all your students will be in one ou may be with different ous inside for each year. The staff will be in a different ou. Pc's will be in a Ou with a different ou for each room and servers and domain controllers will have further ou's

    What I would normally do is create another group policy inside the correct ou ie students or staff and give it an appropriate name. Then set the settings you need. In your case the settings would be for users.

    Richard

  3. #3
    ricki's Avatar
    Join Date
    Jul 2005
    Location
    uk
    Posts
    1,475
    Thank Post
    20
    Thanked 164 Times in 157 Posts
    Rep Power
    52
    Hi

    I have had a look and the password policy it is in the computer setting of under security so you might not be able to do this as the users are using the same computers.

    Richard

  4. #4

    Join Date
    Mar 2008
    Location
    Boston, Lincolnshire
    Posts
    189
    Thank Post
    1
    Thanked 8 Times in 8 Posts
    Rep Power
    14
    This must be an issue in other schools? there must be a work around?

  5. #5

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,646
    Thank Post
    1,775
    Thanked 2,158 Times in 1,596 Posts
    Rep Power
    768
    It's OK to have a computer setting policy on a User OU. You should be able to put the policy on the Student OU and a different policy on the Staff OU and it will be fine...

    ... or have the least restrictive policy at domain level and then the more restrictive policy at user OU level.

    Set up a couple of test OUs and a couple of test users and have a play.

  6. #6

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115
    2008? There may be others, but go look at this utility.

    Key points:

    1) Forget trying to do this with normal GPOs.
    2) You can **only** apply this to groups or users.

  7. #7

    Join Date
    Mar 2008
    Location
    Boston, Lincolnshire
    Posts
    189
    Thank Post
    1
    Thanked 8 Times in 8 Posts
    Rep Power
    14
    Quote Originally Posted by elsiegee40 View Post
    It's OK to have a computer setting policy on a User OU. You should be able to put the policy on the Student OU and a different policy on the Staff OU and it will be fine...

    ... or have the least restrictive policy at domain level and then the more restrictive policy at user OU level.

    Set up a couple of test OUs and a couple of test users and have a play.
    The way i have it setup so far is basically the computers are all in the respective OU and so are the staff and students - the GP's are set up to cover the whole of the domain. I have the Default, School, Staff and Student GPO at top level with the Student GP scope set only to Students (AD Group) and Staff scope only to Staff (AD Group).

    Each of the policies works for the User config part of the GP BUT none of the machine settings apply.

  8. #8
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    This is a question on the 70-640 practice test in the MS press book which I'm currently studying, according to the study notes you have to create an attribute for each password policy within AD and apply that attribute to the policy. Don't really know how to acheive this as I have not tried it yet but searching for adsi edit and password policies might find something on google.

    http://technet.microsoft.com/en-us/l...61(WS.10).aspx

    They seem to only apply to security groups rather than OU's as mentioned previously
    Last edited by jsnetman; 20th September 2010 at 08:35 PM.

  9. #9

    Join Date
    Mar 2008
    Location
    Boston, Lincolnshire
    Posts
    189
    Thank Post
    1
    Thanked 8 Times in 8 Posts
    Rep Power
    14
    Sorry i think i confused you the Staff (AD Group) and Student (AD Group) - are both Universal Security Groups - they double up as distro groups too

  10. #10

    Join Date
    Mar 2010
    Location
    Surrey, UK
    Posts
    120
    Thank Post
    20
    Thanked 3 Times in 3 Posts
    Rep Power
    9
    In 2008R2 you have have a user based password policy by using adsiedit to create a new msds-passwordsettings [may be worth doing a google on that] object in the password settings container of the system node. You need to create a new password retention policy in this, some of the settings of which are very verbose, but can later be edited in a more normal view. Once set up, the new policy is applied to individual users or a security group - can't remember if you can apply to an OU from within adsiedit.

    Its all much easier than it sounds and I put this off until quite late on in system deployment, but it only took about 20 minutes to achieve and test.

SHARE:
+ Post New Thread

Similar Threads

  1. Software Restriction Policy Issues
    By notalot in forum Windows
    Replies: 4
    Last Post: 18th May 2010, 03:21 PM
  2. Group Policy OU's
    By iownitcouk in forum Windows
    Replies: 3
    Last Post: 23rd February 2008, 02:24 PM
  3. Replies: 7
    Last Post: 20th December 2007, 03:45 PM
  4. Boot camp issues with group policy
    By HodgeHi in forum Wireless Networks
    Replies: 9
    Last Post: 30th October 2007, 09:08 PM
  5. group policy
    By kevin_lane in forum How do you do....it?
    Replies: 2
    Last Post: 27th July 2007, 12:17 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •