Different group, different active directory group policy

G

Guest

I have done this once, and it somewhat worked. Okay.
I first kept the default group policy, which is rather liberal. I assign
this one to the normal system users. I want another group policy, which
contains entries for custom user interface, and an otherwise locked down
system. I loaded up the dsa.msc program, right-clicked properties, clicked
the group policy tab. I added the user group to which the strict policy was
to be applied. This user group is "family" and has two members. My own user
account is not a member of this group. It is a member of the domain users
group, which is supposed to obtain the default domain policy. However, when
logging in with my account, the strict group policy is applied.

Any ideas how to do this? One group has one policy assigned, the other
group has a different policy assigned. Neither group is to obtain values
from either groups policy.
 
R

Roger Abell [MVP]

I have done this once, and it somewhat worked. Okay.
I first kept the default group policy, which is rather liberal. I assign
this one to the normal system users. I want another group policy, which
contains entries for custom user interface, and an otherwise locked down
system. I loaded up the dsa.msc program, right-clicked properties,
clicked
the group policy tab. I added the user group to which the strict policy
was
to be applied. This user group is "family" and has two members. My own
user
Click to expand...

Did you also remove the Read/Apply for Authenticated Users ??
(which includes all accounts)
account is not a member of this group. It is a member of the domain users
group, which is supposed to obtain the default domain policy. However,
when
logging in with my account, the strict group policy is applied.

Any ideas how to do this? One group has one policy assigned, the other
group has a different policy assigned. Neither group is to obtain values
from either groups policy.
Click to expand...

Normally, security group filtering is a second choice way to do this, and
also, normally the other GPOs are left in place applying to all accounts,
and then the GPO with different settings that are to apply to only some
accounts is used to overwrite the settings from the baseline all accounts
policies.
Instead of using security group filtering, make an OU for the accounts
that are to receive the "special" settings and move those accounts into
that OU. Then link the special settings GPO to that OU. This way you
do not need to deal with the security settings on the GPO, just move
accounts into the OU and you can leave the GPO set to apply to
Authenticated Users (which then means all accounts in the OU)
 
G

Guest

Yes, that seems to be a way better approach.
On the group policy for the OU i make, would it make
sense to click "block policy inheritance" and "prevent overiding"
so that the default domain policy never applies to this OU?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Incorrect GPResult result 3
local security policy does not get applied 2
Group Policy for Terminal Server not working 2
Group Policy Pains 7
group policy "User Settings" ignored 4
folder permissions using group policy 1
Group Policy Update 7
Using Group Policy to define a Password Policy 1

Top