Yes, that seems to be a way better approach.
On the group policy for the OU I make, would it make
sense to click "block policy inheritance" and "prevent overriding"
so that the default domain policy never applies to this OU?

"Roger Abell [MVP]" wrote:
> <(E-Mail Removed)> wrote in message
> news:B640DAC1-5462-4302-BD7F-(E-Mail Removed)...
> > I have done this once, and it somewhat worked. Okay.
> > I first kept the default group policy, which is rather liberal. I assign
> > this one to the normal system users. I want another group policy, which
> > contains entries for custom user interface, and an otherwise locked down
> > system. I loaded up the dsa.msc program, right-clicked properties, clicked
> > the group policy tab. I added the user group to which the strict policy was
> > to be applied. This user group is "family" and has two members. My own user
>
> Did you also remove the Read/Apply for Authenticated Users ??
> (which includes all accounts)
>
> > account is not a member of this group. It is a member of the domain users
> > group, which is supposed to obtain the default domain policy. However, when
> > logging in with my account, the strict group policy is applied.
> >
> > Any ideas how to do this? One group has one policy assigned, the other
> > group has a different policy assigned. Neither group is to obtain values
> > from either group's policy.
> >
>
> Normally, security group filtering is a second choice way to do this, and
> also, normally the other GPOs are left in place applying to all accounts,
> and then the GPO with different settings that are to apply to only some
> accounts is used to overwrite the settings from the baseline all accounts
> policies.
> Instead of using security group filtering, make an OU for the accounts
> that are to receive the "special" settings and move those accounts into
> that OU. Then link the special settings GPO to that OU. This way you
> do not need to deal with the security settings on the GPO, just move
> accounts into the OU and you can leave the GPO set to apply to
> Authenticated Users (which then means all accounts in the OU)
>
>
>
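The OU-based approach described in the quoted reply, scripted as an added example that is not part of the original thread. It assumes a system with the ActiveDirectory and GroupPolicy PowerShell modules; the domain DN, OU name and GPO name are hypothetical placeholders, and only the group name "family" comes from the thread.

```powershell
# Added example. Placeholders (not from the thread): domain DN, OU name, GPO name.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'     # hypothetical domain
$ouName   = 'Family'                # hypothetical OU for the restricted accounts
$gpoName  = 'Family Lockdown'       # hypothetical name of the existing strict GPO
$group    = 'family'                # group named in the thread
$ouDn     = "OU=$ouName,$domainDn"

# 1. Create the OU directly under the domain root if it is not there yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Move the user accounts that should receive the strict settings into the OU.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDn }

# 3. Link the strict GPO to the OU, unless it is already linked there.
$ouLinks = (Get-GPInheritance -Target $ouDn).GpoLinks
if ($ouLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 4. Check: the strict GPO must not also be linked at the domain root,
#    otherwise it still reaches every account that has Apply permission.
$rootLink = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if ($rootLink) {
    Write-Warning "'$gpoName' is still linked at $domainDn"
}

# 5. Check: who has Apply Group Policy on the strict GPO.
#    With OU linking, Authenticated Users can stay here.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 6. Show the GPOs accounts in the OU receive, in precedence order
#    (baseline domain GPOs first overwritten by the OU-linked one).
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

Running `gpresult /r` while logged on as one account inside the OU and one outside it confirms which GPOs each actually received.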