GP security settings

  • Thread starter Thread starter Jordan
  • Start date Start date
J

Jordan

The default security settings on the domain GPs are:

Authenticated Users (Read, Apply)
Creator Owner (Null)
Domain Admin (Read, Write, Create, Delete)
Enterprise Admin (Read, Write, Create, Delete)
System (Read, Write, Create, Delete)

I have a couple of machines where I did not want one of the policies to go
to so I added the following for those machines:

Computer1$ (Deny Read, Deny Apply)
Computer2$ (Deny Read, Deny Apply)

This works great. Now my question is if I want to apply a policy to only a
couple of computers can I set the security for that policy as follows if I
only want Computer3 and Computer4 to have the policy:

Computer3$ (Read, Apply)
Computer4$ (Read, Apply)
System (Read, Write, Create, Delete)
and
Remove - Authenticated Users (Read, Apply)
Remove - Creator Owner (Null)
Remove - Domain Admin (Read, Write, Create, Delete)
Remove - Enterprise Admin (Read, Write, Create, Delete)

The way I am reading this is only the computers 3 and 4 will be able to
apply the policy but not to any other computer. This way I could do
something like this - In my general domain policy I could set the proxy
server settings, but on computer 3 and 4 where I don't want anyone to browse
from I can disable IE.

Does that sound right?
 
That sounds about right, but only remove the apply policy privilege from
everyone else. Do not remove the read, write, and create from Enterprise
Admin, or you won't be able to get back in and work with the policy once
you have it removed. However, if the only systems you give apply access
to are computer3 and computer4, you'll be okay.

HTH!
______________
Steve Athanas
MCSE (2003)
 
Back
Top