Archived from groups: microsoft.public.win2000.group_policy
It should work. You might try adding an individual user to the deny rights to see if
that makes a difference, being sure not to use "domain local" groups as per KB below.
I tested out filtering a GPO for a user that was applied via loopback processing,
while the user account existed in a different container and it worked fine. See
the paste of my gpresult for that user below and note that I had two policies applied
via loopback processing to the OU that the computer was in [laptops] and I applied
deny permissions to one of them - Lap2-b for user "Steve" which is reflected in the
user settings of gpresult. Remember on an XP machine, it may take a couple
logon/logoffs to reflect new user policy. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;309172

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/3/2004 at 9:09:15 PM

RSOP results for UMBACH1\steve on STEVE-XP : Logging Mode
----------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: UMBACH1
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: D:\Documents and Settings\steve.UMBACH1
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=steve-xp,OU=laptops,DC=umbach1,DC=com
Last time Group Policy was applied: 4/3/2004 at 9:06:16 PM
Group Policy was applied from: server1-2000.umbach1.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Lap2
Lap2-b
Default Domain Policy
Domain Main 1
Local Group Policy

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
STEVE-XP$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

USER SETTINGS
--------------
CN=steve,CN=Users,DC=umbach1,DC=com
Last time Group Policy was applied: 4/3/2004 at 9:07:04 PM
Group Policy was applied from: server1-2000.umbach1.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Lap2
Default Domain Policy
Domain Main 1
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Lap2-b
Filtering: Denied (Security)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
Schema Admins
Domain Admins
Enterprise Admins
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

"Sean" <sblenkhorn@hotmail.com> wrote in message
news:78c29a9f.0404050503.56f0c29@posting.google.com...
> Steven,
>
> Thanks for the continued information. I did attempt to get the
> Loopback processing working, and it does in fact have the computer GPO
> applying, however I don't seem to be able to filter the security
> groups that I want. I have applied the Deny rights to the GPO for the
> security groups that I don't want to have use the GPO, but when I run
> gpresult for the user and computer, they still have the GPO in
> question applied. Should gpresult not pick up on this right away? (I
> did do a gpupdate on the server as well)
>
> Thanks.
>
>
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:<3pKbc.180915$po.990555@attbi_s52>...
> > I believe you can use loopback processing and "filter" it - in other words for the
> > GPO in the OU where the computer resides you would give deny apply permissions to the
> > administrators and teachers. See the link below on GPO and how to filter.
> >
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
> >
> > Your gpresult does indicate that the GPO's are empty for associated user and computer
> > policy. Possibly the changes have not propagated yet. It helps to use secedit
> > /refreshpolicy user_policy /enforce on a domain controller after implementing changes
> > to user policy and on a XP Pro machine you will probably have to logon a couple of
> > times before user policy will be propagated. You ran gpresult as the administrator
> > which exists in the default users container in which case user policy will only be
> > applied from the domain and local policies assuming loopback processing has not been
> > enabled in the Plato OU. A user must be within the scope of influence of a user
> > configuration policy before policy will apply to them. So if you configure user
> > configuration in the Plato OU and loopback processing is not enabled, then the user
> > account that you want the policy to apply to must be in the Plato OU. --- Steve
> >
> > "Sean" <sblenkhorn@hotmail.com> wrote in message
> > news:78c29a9f.0404031440.361be62d@posting.google.com...
> > > I read your post and the link... it seems like that would only be used
> > > in a situation where you want the policy for the computer object to be
> > > applied to ALL users who use this computer. In our situation we only
> > > want it applied to the students and not the teachers or other staff.
> > > I did a gpresult for the computer in the Lab OU and this is what I
> > > get....
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > Microsoft Windows [Version 5.2.3790]
> > > (C) Copyright 1985-2003 Microsoft Corp.
> > >
> > > C:\Documents and Settings\Administrator>gpresult /S PO01A
> > >
> > > Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
> > > Copyright (C) Microsoft Corp. 1981-2001
> > >
> > > Created On 4/3/2004 at 5:35:14 PM
> > >
> > >
> > > RSOP data for SCHOOL1\Administrator on PO01A : Logging Mode
> > > -----------------------------------------------------------------
> > >
> > > OS Type: Microsoft Windows XP Professional
> > > OS Configuration: Member Workstation
> > > OS Version: 5.1.2600
> > > Terminal Server Mode: Remote Administration
> > > Site Name: Nevada
> > > Roaming Profile:
> > > Local Profile: C:\Documents and Settings\administrator.SCHOOL1
> > > Connected over a slow link?: No
> > >
> > >
> > > COMPUTER SETTINGS
> > > ------------------
> > > CN=PO01A,OU=PLATO Lab,OU=Computers,OU=Nevada,DC=thisschools,DC=edu
> > > Last time Group Policy was applied: 4/3/2004 at 5:33:01 PM
> > > Group Policy was applied from: server1.thisschool.edu
> > > Group Policy slow link threshold: 500 kbps
> > > Domain Name: SCHOOL1
> > > Domain Type: Windows 2000
> > >
> > > Applied Group Policy Objects
> > > -----------------------------
> > > Default Domain Policy
> > >
> > > The following GPOs were not applied because they were filtered out
> > > -------------------------------------------------------------------
> > > Local Group Policy
> > > Filtering: Not Applied (Empty)
> > >
> > > PLATO Lab GPO
> > > Filtering: Not Applied (Empty)
> > >
> > > The computer is a part of the following security groups
> > > -------------------------------------------------------
> > > BUILTIN\Administrators
> > > Everyone
> > > BUILTIN\Users
> > > PO01A$
> > > Domain Computers
> > > NT AUTHORITY\NETWORK
> > > NT AUTHORITY\Authenticated Users
> > >
> > >
> > > USER SETTINGS
> > > --------------
> > > CN=Administrator,CN=Users,DC=thisschools,DC=edu
> > > Last time Group Policy was applied: 4/3/2004 at 5:29:34 PM
> > > Group Policy was applied from: server1.thisschool.edu
> > > Group Policy slow link threshold: 500 kbps
> > > Domain Name: SCHOOL1
> > > Domain Type: Windows 2000
> > >
> > > Applied Group Policy Objects
> > > -----------------------------
> > > Default Domain Policy
> > >
> > > The following GPOs were not applied because they were filtered out
> > > -------------------------------------------------------------------
> > > Local Group Policy
> > > Filtering: Not Applied (Empty)
> > >
> > > The user is a part of the following security groups
> > > ---------------------------------------------------
> > > Domain Users
> > > Everyone
> > > BUILTIN\Users
> > > BUILTIN\Administrators
> > > Schema Admins
> > > Domain Admins
> > > Group Policy Creator Owners
> > > Enterprise Admins
> > > LOCAL
> > > NT AUTHORITY\INTERACTIVE
> > > NT AUTHORITY\Authenticated Users
> > >
> > > C:\Documents and Settings\Administrator>
> > >
> > > ----------------------------------------------------------------------------
> > >
> > > The result, at least to me, is saying that the GPO is empty, yet it
> > > isn't. Is this the reason that I am not seeing the GPO take affect,
> > > because it hasn't been applied... and for what reasons would I get
> > > this result?
> > >
> > > Thanks for the help.
> > >
> > >
> > >
> > > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:<jGnbc.63349$JO3.38667@attbi_s04>...
> > > > Loopback processing could possibly work for you. Loopback processing is part
of
> > > > "computer configuration" and when applied to a computer the user policy in
the OU
> > > > that the computer is located in will apply to users logging onto the computer
in
> > > > either a replace or merge mode. See the link below for more information. --
> > Steve
> > > >
> > > >
> > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
> > > >
> > > > "Sean" <sblenkhorn@hotmail.com> wrote in message
> > > > news:78c29a9f.0404021625.23ab4c7d@posting.google.com...
> > > > > Ok, we are a school, we have two computer labs. I have setup an OU
> > > > > for all of our Students, and I have setup an OU for computers with OUs
> > > > > underneath it for the two labs; Lab1 and Lab2. It looks like this:
> > > > >
> > > > > -------------------------
> > > > > Domain
> > > > > |
> > > > > |-Students
> > > > > |
> > > > > |-Computers
> > > > > | |
> > > > > | |-Lab1
> > > > > | |
> > > > > | |-Lab2
> > > > > | |
> > > > > --------------------------
> > > > >
> > > > > Now what I want to accomplish is to setup a standard basic GPO for
> > > > > students, but then I want to have a GPO for the Lab computers that
> > > > > gives the user different access based on which lab they are in. If
> > > > > they are in lab1, they will not have access to local drives or my
> > > > > computer, while if they are in Lab2, they will have access to the
> > > > > floppy and cdrom, but not the c drive. I have the user gpo being
> > > > > applied, but I can't seem to get gpos applied for a user based on the
> > > > > machine they are logged into. Where do I create the GPO for the
> > > > > machines, what rights do I apply to it, etc??
> > > > >
> > > > > Any ideas would be GREATLY appreciated.
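
One way to confirm, from saved gpresult output like the reports in this thread, whether a GPO was applied or filtered under USER SETTINGS and why ("Denied (Security)" versus "Not Applied (Empty)"). This is an added example, not part of the original posts; the function names and the sample report are constructed for illustration.

```python
import re
# Constructed sample in the layout of the gpresult v2.0 reports pasted in the thread.
SAMPLE = """\
COMPUTER SETTINGS
    Applied Group Policy Objects
    -----------------------------
        Lap2
        Lap2-b
USER SETTINGS
    Applied Group Policy Objects
        Lap2
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Lap2-b
            Filtering:  Denied (Security)
    The user is a part of the following security groups:
        Domain Users
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    result, scope, block, last = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ")          # tolerate Usenet quote prefixes
        if not line or set(line) == {"-"}:       # blank lines and rule lines
            continue
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, block, last = line.split()[0].lower(), None, None
            result[scope] = {"applied": [], "filtered": {}}
        elif line.startswith("Applied Group Policy Objects"):
            block = "applied"
        elif line.startswith("The following GPOs were not applied"):
            block = "filtered"
        elif line.startswith("The ") and "is a part of" in line:
            block = None                         # group list: end of the GPO lists
        elif scope and block == "applied":
            result[scope]["applied"].append(line)
        elif scope and block == "filtered":
            m = re.match(r"Filtering:\s*(.+)", line)
            if m and last:
                result[scope]["filtered"][last] = m.group(1)
            last = None if m else line           # a GPO name; its reason follows
    return result

def user_gpo_status(text, gpo):
    """'applied', the filtering reason, or 'absent' for a GPO under USER SETTINGS."""
    user = parse_gpresult(text).get("user", {"applied": [], "filtered": {}})
    return "applied" if gpo in user["applied"] else user["filtered"].get(gpo, "absent")
```

A GPO that is linked through loopback and denied for the user should come back as "Denied (Security)" under USER SETTINGS while still appearing as applied under COMPUTER SETTINGS.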