Group Policy help

itraiul

I need to develop a group policy for a specific set of computers, applying a certain user configuration only for a certain group when they log on to this group of PCs.

Thanks in Advance
 
Here ya go:

1. In Active Directory create as many groups as you need to place the various people into. Later you will use these groups to specify who gets what policy. The users must be in groups, not Organizational Units. If your users are already in Organizational Units, that is alright. You can leave them in there as well. Either way, they must be in groups. If you must create a new group, then on a domain controller open Active Directory Users and Computers. Next, right click the Domain, click New, and click Group.

Note: Make certain that Administrators or anyone else that should have higher level permissions is NOT in one of these groups. Only those who will have special policy applied on the computers should be added to these groups. Add no OUs to the groups. Add the people directly.

2. Create a new Organizational Unit (OU) in Active Directory. On a domain controller open Active Directory Users and Computers. Right click the Domain, click New, and click Organizational Unit.

3. Name the new OU as desired.

4. Place only the computers into that Organizational Unit (OU). Place no users into that OU.

5. Right click the new OU and click Properties.

6. On the Group Policy tab click New. Name the new policy to be the same as one of the groups.

7. While highlighting the new Policy, click the Properties button. There you see the policy properties.

8. Go to the Security tab and make the following changes:

a. Add the one group you wish to apply this policy to. Click Add and click the group from the list.
b. Make certain to remove Authenticated Users. Click Authenticated Users and click Remove.
c. Click the group you added there and make certain that Read and Apply Group Policy are checked.
d. Make certain that Admins and System have only Read, Write, Create, and Delete. They should NOT have Apply Group Policy nor Full Control.
e. Next, click Add and add the accounts for the Computers to the policy. Make certain it has Read and Apply Group Policy. The computers and the group should be the only ones to have Apply Group Policy permission. Apply Group Policy permission determines to whom the policy will apply. It is also needed for the computers.

9. Click OK on the Security tab. This returns you to properties of the OU.

10. Highlight the Policy again and click Edit.

11. Go to Computer Configuration, Administrative Templates, System, and Group Policy.

12. On the right double click User Group Policy loopback processing mode.

13. Click Enabled and set Mode to Replace. This ensures that any other group policies in the domain are not applied. Only this policy would apply to the computers for the group with Apply permissions.

14. Click OK.

15. At this point, you can set other options as you need for this particular group policy.

When you are done with this one, you can return to the properties of the OU, go to the Properties tab, click Add, and create another group policy for another group you have created. You would then once again follow steps 6-15.

Note: It is recommended that you do this in a test environment with just two groups and two policies. Also make only a few specific changes to the policies. Try these out to familiarize yourself with how it works.

Once again, it is important that only the group for that policy and the
computers themselves have Apply permissions for each policy, and also that
loopback is enabled for each policy.


--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
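
Steps 5-13 of the answer above, scripted with the GroupPolicy PowerShell module and followed by a check that only the intended trustees hold Apply Group Policy and that loopback is set to Replace. This is an added example, not part of the original thread; the GPO, group and OU names are assumptions, and the computers are granted access through an assumed group rather than as individual accounts.

```powershell
# Added example. Every name below is an assumption, not taken from the thread.
# Requires the GroupPolicy module (installed with the Group Policy Management Console).
Import-Module GroupPolicy

$GpoName       = 'Kiosk-Users'                    # step 6: policy named after the group
$UserGroup     = 'Kiosk-Users'                    # step 1: group holding the users
$ComputerGroup = 'Kiosk-PCs'                      # assumed group holding the computer accounts
$TargetOu      = 'OU=KioskPCs,DC=example,DC=com'  # steps 2-4: OU containing only computers

# Steps 5-6: create the GPO and link it to the computer OU.
New-GPO -Name $GpoName | New-GPLink -Target $TargetOu -LinkEnabled Yes | Out-Null

# Steps 8a, 8c, 8e: GpoApply grants Read + Apply Group Policy.
foreach ($trustee in $UserGroup, $ComputerGroup) {
    Set-GPPermission -Name $GpoName -TargetName $trustee -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Step 8b: remove Authenticated Users. -Replace is needed to lower an existing level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# Steps 11-13: "User Group Policy loopback processing mode" = Enabled, Replace.
# The policy is stored as UserPolicyMode: 1 = Merge, 2 = Replace.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Check 1: only the user group and the computers may hold Apply Group Policy.
$allowed    = $UserGroup, $ComputerGroup
$unexpected = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -notin $allowed }

# Check 2: loopback must be present and set to Replace.
$loopback = Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue

if ($unexpected) {
    $unexpected | ForEach-Object { Write-Warning "Unexpected Apply: $($_.Trustee.Name)" }
}
if (-not $loopback -or $loopback.Value -ne 2) {
    Write-Warning 'Loopback processing is not set to Replace.'
}
if (-not $unexpected -and $loopback -and $loopback.Value -eq 2) {
    Write-Output "GPO '$GpoName' is filtered to $($allowed -join ', ') with loopback Replace."
}
```

The two checks can be rerun on their own after any later permission change to confirm the filtering has not drifted.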
 