Windows 2003 Server Policies

[Jawloms]

Hiya,

I'm pretty new to Group Policies and have a slight problem with what I'm setting up. I'm using the Group Policy Management Console rather than just the built-in stuff. I want all staff and all pupils to be tied right down on the computer suite PC's but staff to have free roam on their laptops and Administrators to have free roam over everything. I figured the best way to do this is to apply the policy which restricts access to just about everything to the OU containing the suite of computers, so I have done so but I have the following problem;

When selecting the policy in the left pane and choosing the Scope tab in the right, at the bottom if I only add staff and pupils the policy doesn't apply. Running the Group Policy Results Wizard it says that the policy is inaccessible. I found a couple of websites that say that Domain Admins need to be on any policy otherwise this happens.

When adding Administrators to the policy, it applies to the Administrators who log in to the PC too despite the fact that under the Delegation tab Domain admins don't have 'Apply policy' checked. Only Staff and Pupils have this checked.

I've got the loopback processing mode enabled too.

Can anyone help me get a policy to apply to only apply to my staff and pupils groups on a suite of PC's please? Obviously I can't apply the policy to the OU containing the pupils and then the OU containing the staff too because that would mean the staff would be restricted when they log in on their laptops too.

Thanks a lot

Stuart

[pallen]

Loopback will apply the user settings regardless of who logs on. If you have applied settings in the computer group you will need to change them when either staff or admin logon to make them "reset" to the original configuration.

I would have thought that the restrictions you would be setting are the same for all suites of PCs execpt the laptops for staff? If this is the case you could just make the laptops a seperate case and lockdown the rest of computers the same by using the user configuration.

This has happened to me when I tried to make changes per computer group and found some interesting results with loopback enabled. I ended up making changes to the user groups and logon scripts to make the desired effect.

[Michael]

What I usually do is create a standard local account on all laptops. This gives staff full access to the laptop and is also suitable for them to use at home for planning etc...

You can do this from the MMC