Software Restrictions not working!

  • Thread starter Thread starter Giacomo
  • Start date Start date
G

Giacomo

I've successfully applied a policy that disallows people
from using MSN MESSENGER. The Org structure is as follows.
Org Unit=SoftwareRestrictions ----> Org Unit= MsnRemove.
In the MsnRemove Org Unit I have a group GR-MSNOFF whereby
everyone that should be restricted are located. For some
strange reason THAT GROUP never gets it's policy to work
but when I let's say just add or move a user in the ORG
UNIT=MsnRemove that user gets the policy applied to
him/her. So basically my MSN removal policy works on an
individual user located in the org unit and not working
with a group within the same Org Unit. Anyone know of a
possible way to get around this?

tks

Giacomo
 
Hi Giacomo,

This is normal behavior. The Computer Configuration section of Group Policy
is always pulled based on the computer account's location in the directory.
Additionally, the default behavior is to pull the User Configuration section
of Group Policy based on the user account's location in the directory.

If you would like a GPO to only apply to a specific group of users you need
to use security filtering. Here are some links that contain info on what
security filtering is and how to set it up:

http://msdn.microsoft.com/library/en-us/policy/policy/filtering_the_scope_of_a_gpo.asp

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176

You would basically use the following steps:

- Create a new GPO and apply it at a high level so it will apply to all user
accounts (such as at the domain level)
- Remove the allow "Apply Group Policy" permission from the Authenticated
users group (but, do not deny)
- Add the "GR-MSNOFF" group and allow the Read and the Apply Group
Policy permissions
- Configure the software restrictions in the GPO

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my Permanente address.
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top