GP security settings

Jordan

Apr 7, 2004
Archived from groups: microsoft.public.win2000.group_policy

The default security settings on the domain GPs are:

Authenticated Users (Read, Apply)
Creator Owner (Null)
Domain Admin (Read, Write, Create, Delete)
Enterprise Admin (Read, Write, Create, Delete)
System (Read, Write, Create, Delete)

I have a couple of machines where I did not want one of the policies to go
to so I added the following for those machines:

Computer1$ (Deny Read, Deny Apply)
Computer2$ (Deny Read, Deny Apply)

This works great. Now my question is if I want to apply a policy to only a
couple of computers can I set the security for that policy as follows if I
only want Computer3 and Computer4 to have the policy:

Computer3$ (Read, Apply)
Computer4$ (Read, Apply)
System (Read, Write, Create, Delete)
and
Remove - Authenticated Users (Read, Apply)
Remove - Creator Owner (Null)
Remove - Domain Admin (Read, Write, Create, Delete)
Remove - Enterprise Admin (Read, Write, Create, Delete)

The way I am reading this is only the computers 3 and 4 will be able to
apply the policy but not to any other computer. This way I could do
something like this - In my general domain policy I could set the proxy
server settings, but on computer 3 and 4 where I don't want anyone to browse
from I can disable IE.

Does that sound right?
 
Guest

That sounds about right, but only remove the apply policy privilege from
everyone else. Do not remove the read, write, and create from Enterprise
Admin, or you won't be able to get back in and work with the policy once
you have it removed. However, if the only systems you give apply access
to are computer3 and computer4, you'll be okay.

HTH!
______________
Steve Athanas
MCSE (2003)

Jordan wrote:
> The default security settings on the domain GPs are:
>
> Authenticated Users (Read, Apply)
> Creator Owner (Null)
> Domain Admin (Read, Write, Create, Delete)
> Enterprise Admin (Read, Write, Create, Delete)
> System (Read, Write, Create, Delete)
>
> I have a couple of machines where I did not want one of the policies to go
> to so I added the following for those machines:
>
> Computer1$ (Deny Read, Deny Apply)
> Computer2$ (Deny Read, Deny Apply)
>
> This works great. Now my question is if I want to apply a policy to only a
> couple of computers can I set the security for that policy as follows if I
> only want Computer3 and Computer4 to have the policy:
>
> Computer3$ (Read, Apply)
> Computer4$ (Read, Apply)
> System (Read, Write, Create, Delete)
> and
> Remove - Authenticated Users (Read, Apply)
> Remove - Creator Owner (Null)
> Remove - Domain Admin (Read, Write, Create, Delete)
> Remove - Enterprise Admin (Read, Write, Create, Delete)
>
> The way I am reading this is only the computers 3 and 4 will be able to
> apply the policy but not to any other computer. This way I could do
> something like this - In my general domain policy I could set the proxy
> server settings, but on computer 3 and 4 where I don't want anyone to browse
> from I can disable IE.
>
> Does that sound right?
>
>
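The ACL reasoning in this thread, worked as an added example (not code from either poster): a simplified Python model in which a GPO is processed only when a token is allowed both Read and Apply, and a Deny on a right overrides an Allow. The token memberships, `Computer5$`, the `admin` account and the folding of Create/Delete into Write are assumptions of the model.

```python
# Added example: simplified model of GPO security filtering (constructed names).
# A principal processes a GPO only if its token is allowed BOTH Read and Apply,
# and an explicit Deny on a right wins over any Allow of that right.
READ, APPLY, WRITE = "Read", "Apply", "Write"   # Create/Delete folded into Write

def effective(acl, token):
    """Rights the ACL leaves a token (set of principal/group names) with."""
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee in token:
            (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied

def report(acl, tokens):
    """Return (who applies the GPO, who can still edit it), each sorted."""
    applies = sorted(n for n, t in tokens.items() if {READ, APPLY} <= effective(acl, t))
    editors = sorted(n for n, t in tokens.items() if {READ, WRITE} <= effective(acl, t))
    return applies, editors

# Constructed tokens: every computer and user is also in Authenticated Users.
TOKENS = {
    "Computer1$": {"Computer1$", "Authenticated Users"},
    "Computer3$": {"Computer3$", "Authenticated Users"},
    "Computer5$": {"Computer5$", "Authenticated Users"},
    "admin": {"admin", "Domain Admin", "Authenticated Users"},
}
ADMINS = [(g, "allow", {READ, WRITE}) for g in ("Domain Admin", "Enterprise Admin", "System")]
ONLY_3_4 = [(c, "allow", {READ, APPLY}) for c in ("Computer3$", "Computer4$")]

# 1. Default ACL plus the Deny entries from the question.
EXCLUDE = ([("Authenticated Users", "allow", {READ, APPLY})] + ADMINS +
           [(c, "deny", {READ, APPLY}) for c in ("Computer1$", "Computer2$")])
# 2. The ACL proposed in the question: admin groups removed as well.
PROPOSED = ONLY_3_4 + [("System", "allow", {READ, WRITE})]
# 3. The reply's variant: drop only Apply from everyone else, keep the admin entries.
ADVISED = [("Authenticated Users", "allow", {READ})] + ADMINS + ONLY_3_4

if __name__ == "__main__":
    for name, acl in (("exclude", EXCLUDE), ("proposed", PROPOSED), ("advised", ADVISED)):
        print(name, report(acl, TOKENS))
```

In this model the proposed ACL and the reply's variant filter the policy to the same computers; they differ only in whether an admin token keeps Read and Write on the GPO.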