Windows Server 2008 Thread, GPPs: "Elevating" user A on computer X in Technical; I wanted the ability to elevate (turn off some bits of policy for) domain user A when they log on ...
29th July 2009, 12:57 AM #1
GPPs: "Elevating" user A on computer X
I wanted the ability to elevate (turn off some bits of policy for) domain user A when they log on to a specific domain computer X, but not when they log on to domain computer Y. Further, it must *not* affect domain user B when they log on to the same computer X, so good old loopback won't help. And getting user A to logon with a local account on computer X definitely won't cut it.
I didn't think I'd ever get around this without some clunky code, but eventually I made this recipe:
a) Make and link a GPO with higher precedence than the GPOs containing settings we want to override.
b) Using Computer GPP Local Users and Groups add the domain user A to a local builtin group and target this at computer X. Usable local groups are Guests, Power Users, Administrators.
[With this GPP you can type any old junk in for a group name, but it only works if GPP can resolve the group name to a SID. Because I was doing this on a 2K8 DC I couldn't browse for the local group and it didn't get the SID, so I fixed that manually by just editing the well-known SID into the relevant XML file in Sysvol]
c) Using User GPP make a registry collection and target *the collection* at members of that local builtin group. Within that collection add lots of nicely arranged un-targeted items to undo various bits of normal policy.
Now whenever I want to elevate one or more users on one or machines, I just go and repeat step b) above which is relatively easy.
Last edited by PiqueABoo; 29th July 2009 at 01:15 AM.
IDG Tech News
By CPLTD in forum General Chat
Last Post: 4th September 2009, 10:12 PM
By JOrdan01070 in forum General Chat
Last Post: 1st February 2009, 09:51 PM
Last Post: 28th September 2006, 08:06 PM
By mattpant in forum Windows
Last Post: 14th August 2006, 03:37 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)