GPO only for admins

J

Jose Luis

Hello everybody,

Actually I have some policies in may domain with a hight level of
restriction because we have a lot of users in Citrix environment and I
would like to create a new policy only for administrator for deny some
policies (ie. Add, Delete programs, change registry, etc...)

The Default Policy Domain has "Authenticated users" and the
Administrators are "Authentecated users" too.

If I try out "Authentecated users" and only put "Domain Admins." the
policy doesn't work.

Any idea?

Thanks.
Jose Luis.
 
P

PScyime via WinServerKB.com

Hi

Do you mean using security filtering in the GPO or putting domain admins in a
particular OU and linking the policy there?

Have you run RSoP and GPresult,Gpupdate to see IF the policy is applied and
over written or just no t applied etc etc

Try creating a new GPO not editing the default domain policy .....same result?


Regards

S
 
J

Jose Luis

Thank you for your answer.

Answering your questions:

The policies are for computers and not for users and I need to include
"Autenticated Users" in the policies because if I do not included this
users in the policy it is denied automatically and how the
Administrator. If I only inculded in the policy only "Domains Admins."
it is denied automatically.

Ie.
GPO 1 - "Autenticated Users" policy apply - Is running for all users.
GPO 2 - "Domain Admins" policy apply - Is denied for Admins.
GPO 3 - "Autenticated Users" deny and "Domain Users" aply - Is deny for
Admins

In the GPResult is denied.

Rgds,
Jose Luis.
If I create a new policy the result is the same.
 
B

Bruce Sanderson

In all security settings, Deny always takes precedence over any Allow
setting, so denying "Authenticated Users" means Allow Domain Users will be
ignored, since all Domain Users are automatically an "Authenticated User".

Computer Configuration settings are always applied to computers regardless
of who logs on.

User Configuration settings are applied to Users, not computers.

Please see http://support.microsoft.com/?kbid=231287 for how to use loopback
processing to have specific User Configuration settings applied when users
log on to particular computers. See Method 2 in
http://support.microsoft.com/?kbid=260370 for how to use loopback processing
for this purpose specifically for Terminal/Citrix servers.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

GPO for user not applied 9
New GPO are failing 4
Do Not Execute Group Policy for Admins Group 1
Loopback replace mode 3
GPO not applying to OU 1
\\servername\share logon failure for domain admins 1
Help! Group policy restricts Admins 3
Software restriction policy 1

Top