mandatory profiles on one OU

Tony

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I got users with their own desktops that I do not want to use mandatory
profiles. They are their own admin of their own computer and they can do
what they want.

But I also want them to be able to log in to a machine in a different OU
that I want everything locked down, not able to save to My Docs, desktops
etc., so I want to use a mandatory profile.

What do you suggest I do? I don't want to set a mandatory path in their user
properties, do I?

Thanks
 
Guest

A good way to do this is using Loopback-replace. Create a GPO in the
locked-down OU that uses folder redirection or one of the other Group
Policy settings to lock down the features you wish. Then, turn on
Loopback-replace mode for that GPO.

This way, when a user from another OU logs onto a machine in the locked
down OU, his GP settings will be discarded, and the machine will
process the GPOs from the locked down OU as if they were the user's
GPOs. This will allow you to lock down all the machines in one OU, and
let the users keep their freedom in their OU.

Hope it helps,
-Colin
 

Tony


Hi

But to use mandatory profiles, doesn't that need to be specified in the
profile tab? Not from GPO

"Colin Torretta [MSFT]" <ctorretta@gmail.com> wrote in message
news:1109278338.839299.192020@g14g2000cwa.googlegroups.com...
>A good way to do this is using Loopback-replace. Create a GPO in the
> locked-down OU that uses folder redirection or one of the other Group
> Policy settings to lock down the features you wish. Then, turn on
> Loopback-replace mode for that GPO.
>
> This way, when a user from another OU logs onto a machine in the locked
> down OU, his GP settings will be discarded, and the machine will
> process the GPOs from the locked down OU as if they were the user's
> GPOs. This will allow you to lock down all the machines in one OU, and
> let the users keep their freedom in their OU.
>
> Hope it helps,
> -Colin
>
 
Guest

Hi,

Rather than Mandatory Profiles (which do need to be per user) you can
just Secure everything down tight with Group Policy. You can even do
folder redirection for the profile on that one machine. You need to
enable Loopback (with replace) on the Machine Section of the GPO on
the OU with the Machine in it and then put all the tight settings in
the User section.

Cheers,

Lara

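
The setup described in the reply above (loopback with replace enabled in the computer section of a GPO linked to the OU that holds the machine), as an added example that is not part of the original thread. It assumes a domain where the GroupPolicy PowerShell module (RSAT) is available, which postdates the Windows 2000 tools the posters were using; the GPO name and OU path are placeholders.

```powershell
# Added example, not from the thread. $GpoName and $TargetOu are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Lockdown-Loopback'                  # hypothetical GPO name
$TargetOu = 'OU=LockedDown,DC=example,DC=com'    # placeholder OU holding the machines
$PolKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback replace for locked-down machines'
}

# Computer side of the GPO: loopback processing mode.
# UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Guid $gpo.Id -Key $PolKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Link the GPO to the OU that contains the computer accounts, unless already linked.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Run on a machine in the OU after a policy refresh: reports the mode in effect.
function Get-LoopbackMode {
    $path = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $path -Name UserPolicyMode `
                -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($mode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'NotConfigured' }
    }
}
```

The lock-down settings themselves go in the User Configuration of the same GPO. With Replace, they apply to every account that logs on to those machines, administrators included, so test with an admin account before linking the GPO widely.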
 

Tony


I just don't see how a user can log on and not save anything on the desktop or
their local profile. I am basically trying to avoid creating profiles on the
local machine.
 
Guest

>I just don't see how a user can log on and not save anything on the
>desktop or their local profile. I am basically trying to avoid
>creating profiles on the local machine.

If you don’t want to use Roaming profiles, then the local profile will
always be created regardless.

If you use Folder Redirection and redirect the desktop folder to a
"read only" folder on the Server, this will prevent them saving to
their desktops.

Cheers,

Lara