Applying Restricted Groups: machine/user

Gregg

First off this is using Win2003. We are trying to set the Local user
groups on our machines through group policy. I found out that you need
to assign the policy to workstations in order to do this (and link to
their OU). So if we link the Policies we have to the workstation OU we
made, and add in all the computers, then they all try to use the
Machine/Computer section of the policy (some we lock out windows
installer, others need it, also SUS server, time server, etc). So is
our best bet to make a policy that only defines the Local groups? We
have about 800-1000 machines that will be on this domain (currently at
about 100 since we just started to migrate people), so it would be
difficult to assign certain machines and such. All workstations will
be using this, but we don't want to put it in the "Default Domain"
policy for fear of reaching the servers. Should I just set up a WMI
filter to say if it ain't a server or user is a domain admin?
 
Tim Springston (MSFT)

Hi Gregg-

I would suggest using one policy and link it where needed. Your best bet
may be to create a Workstations OU and move those machines into it. Once
they are moved into the Workstations OU, you can add the workstations to a
security group (call it something like Allow Local Group GPO Group). Then,
in the Properties of that GPO (AD Users and Computers->OU Properties->Group
Policy folder tab->GPO Properties), add Allow for Read and Apply Group
Policy for the Allow Local Group GPO Group. When adding a workstation to
your domain, just give it membership to the Allow Local Group GPO Group
security group so they can process that policy.

If that doesn't meet your needs, and if you want all of the machines to be
in the same OU and some of them in that OU to NOT get the policy, then an
alternative would be to put a Deny Read or Deny Apply Group Policy on the
Security settings of the GPO for the machines that you do not want to have
processing the local settings policy. To simplify that you could put those
'Deny' machines in a security group (maybe call it Deny Local Group GPO
Group) and use that for the security settings on that GPO.

I would be cautious about the 'Deny' route (though it's possible). If you
have multiple group policies processing for those 'Deny' machines you can
run into problems processing ones that come after the Deny security settings
one. This can usually be tweaked, but can be an extra wrinkle.

Let me know if I've misunderstood your goals, and if we can help.
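
The "allow" route from the reply above, scripted as an added example that is not part of the original thread. It assumes a management host with the RSAT ActiveDirectory and GroupPolicy PowerShell modules (which postdate Windows Server 2003); the domain DN, OU path and GPO name are placeholders, and the GPO is assumed to still carry the default Authenticated Users entry.

```powershell
# Added example. Placeholders below are assumptions, not values from the thread.
Import-Module ActiveDirectory, GroupPolicy

$WorkstationOU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$GpoName       = 'Local Groups - Workstations'         # placeholder GPO name
$GroupName     = 'Allow Local Group GPO Group'         # group name suggested in the reply

# 1. Create the filtering group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
        -GroupCategory Security -PassThru
}

# 2. Add the computers in the Workstations OU that are not already members.
#    Accounts whose OperatingSystem attribute names a server are held back
#    and reported, so a misplaced server never picks up the local-group policy.
$computers = Get-ADComputer -SearchBase $WorkstationOU -Filter * -Properties OperatingSystem
$servers   = $computers | Where-Object { $_.OperatingSystem -like '*Server*' }
$members   = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.DistinguishedName })
$targets   = $computers | Where-Object {
    $_.OperatingSystem -notlike '*Server*' -and $members -notcontains $_.DistinguishedName
}
if ($targets) { Add-ADGroupMember -Identity $group -Members $targets }

# 3. Security filtering: the group gets Read + Apply Group Policy.
#    Authenticated Users is lowered to Read only (-Replace is required to
#    lower a permission), so only group members apply the GPO while every
#    computer can still read it.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 4. Link the GPO to the OU (ignored if the link already exists) and review.
New-GPLink -Name $GpoName -Target $WorkstationOU -ErrorAction SilentlyContinue
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
if ($servers) {
    Write-Warning "Server accounts in the OU were not added: $($servers.Name -join ', ')"
}
```

A computer picks up new group membership only after it restarts, so the policy applies on the boot following step 2.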
 