Group Policy verbiage

Printable View

29th March 2012, 03:57 PM
rslulz

1 Attachment(s)

Group Policy verbiage

I know it's not exactly windows server 2008 r2, but I'm rather sure the group policy management is the same.

I'm on a windows small biz server making a group policy, and my question is under security filtering it has Name: Authenticated users, and then the list of computers I added. The group policy is to disable control panel access, and I'd like to know if I implement this will it hit all authorized users or just the computers I specified. I know it's a bit of a silly question, but I'm doing this in production and would rather posted a dumb question than disable control panel on my client's entire network.
29th March 2012, 04:06 PM
SYNACK

It'll kill it for all users, you want to put the users in question in a new sub OU and apply the gpo to that or (not as good) remove auth users from the perms you posted.
29th March 2012, 04:11 PM
rslulz

I figured that was the case, but wanted to be sure so after removing auth users it would just hit the specified machines/users I have designated?

Thank you Synack for your quick response!
29th March 2012, 04:15 PM
SYNACK

Is it a peruser or percomputer policy, you should apply to users or computers, there is also a time penalty for using perms to filter GPOs instead of OUs.
29th March 2012, 04:20 PM
rslulz

I'd like to disable it via the computer level, but I'm thinking it would be better to do it via user. End goal is to not allow control panel or admin rights on six machines on the production floor, and disable internet access (I did that via dhcp by breaking the router in a reservation attached to their mac address)
29th March 2012, 04:26 PM
SYNACK

Two seporate policies, one for machines, one of users each applied to an ou containing the users or computers. User one blocks it for those users everywhere. Per machine blocks it for all users on that machine.

If you want it just for those users, only on those machines you may need to use loopback policy processing or rethink your objective.
29th March 2012, 04:28 PM
rslulz

I'll just set it to the computer level thank you very much for your help Synack!
29th March 2012, 07:16 PM
rslulz

Synack after thinking about it I'd need to be able to log in with my admin account and access control panel. So after all looks like I'm going username route.
30th March 2012, 07:31 AM
SYNACK

Quote:

Originally Posted by rslulz

Synack after thinking about it I'd need to be able to log in with my admin account and access control panel. So after all looks like I'm going username route.

Yeap, thats probably the easiest way to handle it.