Archived from groups: microsoft.public.win2000.group_policy
The default security settings on the domain GPs are:
Authenticated Users (Read, Apply)
Creator Owner (Null)
Domain Admin (Read, Write, Create, Delete)
Enterprise Admin (Read, Write, Create, Delete)
System (Read, Write, Create, Delete)
I have a couple of machines where I did not want one of the policies to go
to, so I added the following for those machines:
Computer1$ (Deny Read, Deny Apply)
Computer2$ (Deny Read, Deny Apply)
This works great. Now my question is: if I want to apply a policy to only a
couple of computers, can I set the security for that policy as follows, if I
only want Computer3 and Computer4 to have the policy:
Computer3$ (Read, Apply)
Computer4$ (Read, Apply)
System (Read, Write, Create, Delete)
and
Remove - Authenticated Users (Read, Apply)
Remove - Creator Owner (Null)
Remove - Domain Admin (Read, Write, Create, Delete)
Remove - Enterprise Admin (Read, Write, Create, Delete)
The way I am reading this is only the computers 3 and 4 will be able to
apply the policy but not to any other computer. This way I could do
something like this - In my general domain policy I could set the proxy
server settings, but on computer 3 and 4 where I don't want anyone to browse
from I can disable IE.
Does that sound right?
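
The two ACL layouts in the post above, run through a simplified model of GPO security filtering. This is an added example, not part of the original post. It assumes canonical ACE order (a matching Deny beats any Allow), that a computer processes a GPO only when it holds both Read and Apply, and that every computer account is in Authenticated Users; Computer5$ and all function names are constructed for illustration.

```python
# Simplified model of GPO security filtering (added example, constructed data).
# Assumption: canonical ACE order, so a matching Deny overrides any Allow.
NEEDED = {"Read", "Apply"}
ADMIN = {"Read", "Write", "Create", "Delete"}

def gpo_applies(acl, principals):
    """acl: list of (trustee, 'Allow' or 'Deny', rights).
    principals: the account plus every group in its token."""
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee in principals:
            (denied if kind == "Deny" else allowed).update(rights)
    # The GPO is processed only if Read and Apply both survive the denies.
    return NEEDED <= (allowed - denied)

def token(computer):
    # Every domain computer account is a member of Authenticated Users.
    return {computer, "Authenticated Users"}

def who_gets(acl, computers):
    """Computers that would process a GPO carrying this ACL."""
    return [c for c in computers if gpo_applies(acl, token(c))]

def writers(acl):
    """Trustees still able to edit the GPO (Allow entries with Write)."""
    return [t for t, kind, rights in acl if kind == "Allow" and "Write" in rights]

# Default ACL as listed in the post (Creator Owner has no rights, so omitted).
DEFAULT_ACL = [
    ("Authenticated Users", "Allow", {"Read", "Apply"}),
    ("Domain Admin", "Allow", ADMIN),
    ("Enterprise Admin", "Allow", ADMIN),
    ("System", "Allow", ADMIN),
]
# Exclusion layout: default ACL plus Deny entries for two machines.
EXCLUDE_ACL = DEFAULT_ACL + [
    ("Computer1$", "Deny", {"Read", "Apply"}),
    ("Computer2$", "Deny", {"Read", "Apply"}),
]
# Inclusion layout: only the two computers and System remain on the ACL.
INCLUDE_ACL = [
    ("Computer3$", "Allow", {"Read", "Apply"}),
    ("Computer4$", "Allow", {"Read", "Apply"}),
    ("System", "Allow", ADMIN),
]
# Computer5$ is a constructed stand-in for "any other computer".
COMPUTERS = ["Computer1$", "Computer2$", "Computer3$", "Computer4$", "Computer5$"]

if __name__ == "__main__":
    for name, acl in [("default", DEFAULT_ACL), ("exclude", EXCLUDE_ACL), ("include", INCLUDE_ACL)]:
        print(name, "applies to", who_gets(acl, COMPUTERS), "| editable by", writers(acl))
```

In this model the inclusion layout filters the policy down to Computer3$ and Computer4$, and `writers()` shows that System is the only trustee left with Write on that ACL.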