How do you apply Local GPO to certain group of ppl logged into the domain?

  • Thread starter Thread starter dude
  • Start date Start date
D

dude

I am configuring the Local GPO on one of the servers right now. The goal is
to apply the GPO locally on this machine only to people in a domain group
who logs on to this workstation into the domain. I am familiar with GPO and
how the permission is applied at the AD level. However, for the life of me
I can't seem to find a way to apply a local GPO to a specific person or
group of people. Can anyone shed some light on how to set permission for a
local GPO? Or is it even possible?

thank you.
 
Have you tried permissions on the GPO? Without read it probably won't work.

Usually this is done in AD with both Read and Apply Policy but using
DENY_READ
(or just not granting it) to the LGPO file might work just as well.

Please report your results.
 
Ehhh.. you missed my point. I want to know if there is a way to set
permission on local machine GPO, not GPOs in AD. I know what specific
permissions are needed in order to apply it.
 
Ehhh.. you missed my point. I want to know if there is a way to set
permission on local machine GPO, not GPOs in AD. I know what specific
permissions are needed in order to apply it.
Click to expand...

No, I understood and answered it explicitly; even comparing the problem
to the normal way you set this in AD and suggesting how you might use the
FILE SYSTEM to set an LGPO.

Re-read the response more carefully.
 
I don't think that there is a way. Permissions on AD GPOs are based on
permissions on the AD object. With no AD ie locally, the only
permissions that are available are NTFS permissions. I could be wrong,
but I don't think AD knows of local machine policies - otherwise they
would not work on isolated machines. Does that make sence? I'm not
100% sure.

Cheers,

Cliff
 
Permission on the file(s) -- as I told him -- are worth checking. See
above before you say it cannot be done.
 
Please note that I said "I don't *think* that there is a way." and
"I'm not 100% sure.". Both Ronnie and I missed your point about file
permissions.

By "the files". do you mean
%systemroot%\system32\GroupPolicy\Machine\Registry.pol and
%systemroot%\system32\GroupPolicy\User\Registry.pol.

Cheers,

Cliff
 
Back
Top