How do you apply Local GPO to certain group of ppl logged into the domain?

D

dude

I am configuring the Local GPO on one of the servers right now. The goal is
to apply the GPO locally on this machine only to people in a domain group
who logs on to this workstation into the domain. I am familiar with GPO and
how the permission is applied at the AD level. However, for the life of me
I can't seem to find a way to apply a local GPO to a specific person or
group of people. Can anyone shed some light on how to set permission for a
local GPO? Or is it even possible?

thank you.
 
H

Herb Martin

Have you tried permissions on the GPO? Without read it probably won't work.

Usually this is done in AD with both Read and Apply Policy but using
DENY_READ
(or just not granting it) to the LGPO file might work just as well.

Please report your results.
 
D

Dude

Ehhh.. you missed my point. I want to know if there is a way to set
permission on local machine GPO, not GPOs in AD. I know what specific
permissions are needed in order to apply it.
 
H

Herb Martin

Ehhh.. you missed my point. I want to know if there is a way to set
permission on local machine GPO, not GPOs in AD. I know what specific
permissions are needed in order to apply it.
Click to expand...

No, I understood and answered it explicitly; even comparing the problem
to the normal way you set this in AD and suggesting how you might use the
FILE SYSTEM to set an LGPO.

Re-read the response more carefully.
 
E

Enkidu

I don't think that there is a way. Permissions on AD GPOs are based on
permissions on the AD object. With no AD ie locally, the only
permissions that are available are NTFS permissions. I could be wrong,
but I don't think AD knows of local machine policies - otherwise they
would not work on isolated machines. Does that make sence? I'm not
100% sure.

Cheers,

Cliff
 
H

Herb Martin

Permission on the file(s) -- as I told him -- are worth checking. See
above before you say it cannot be done.
 
E

Enkidu

Please note that I said "I don't *think* that there is a way." and
"I'm not 100% sure.". Both Ronnie and I missed your point about file
permissions.

By "the files". do you mean
%systemroot%\system32\GroupPolicy\Machine\Registry.pol and
%systemroot%\system32\GroupPolicy\User\Registry.pol.

Cheers,

Cliff
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Local Machine vs. Domain Group Policy 11
GPO apply to Universal Group ? 6
Don't want to apply a GPO to certain group members 2
Disable network bridge by GPO 1
How do I edit a Domain GPO from a workstation? 2
GPO not applied - migration from ldap to AD 4
GPO: apply logon/off scripts changing the registry on non-admin us 2
Adding Domain Users group to local Power Users 1

Top