Workstation LockDown

Guest

I have a workstation that needs to be completely locked down to all users. However, one application should be available on this workstation. In addition, users should have typical access to all other computers on the network. Lastly, administrator should still be able to have full access to this workstation. I have attempted to create the GPO within an OU and apply the GPO to the workstation; however, the GPO only affects users within that OU and not the workstation on the access list. What am I doing wrong?

Thanks
 
Hi Kathy,

A GPO is logically made up of two sections - Computer Configuration and User
Configuration. Settings under Computer Configuration affect computer
accounts the GPO applies to and are applied at startup (and then refreshed
periodically). Settings under User Configuration affect user accounts the
GPO applies to and are applied at logon (and then refreshed periodically).

The Computer Configuration section of Group Policy is always pulled based on
the computer account's location in the directory. Additionally, the default
behavior is to pull the User Configuration section of Group Policy based on
the user account's location in the directory. (e.g. half of the Group Policy
settings may come from one set of GPOs whereas the other half come from a
totally different set of GPOs)

This default behavior can be changed by using a feature called loopback
processing. When using loopback processing, the User Configuration portion
of Group Policy is pulled based on the computer account's location in the
directory. Depending on which setting you choose, the GPO settings for User
Configuration based on the location of the computer account can either be
merged with or totally replace the GPO settings for User Configuration based
on the location of the user account (that's a mouthful - let me know if
it's unclear). Here is a support article that describes loopback processing
and how to enable it:

http://support.microsoft.com/default.aspx?scid=231287

Mike

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.


KathyG said:
I have a workstation that needs to be completely locked down to all users.
However, one application should be available on this workstation. In
addition, users should have typical access to all other computers on the
network. Lastly, administrator should still be able to have full access to
this workstation. I have attempted to create the GPO within an OU and apply
the GPO to the workstation; however, the GPO only affects users within that
OU and not the workstation on the access list. What am I doing wrong?
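
The three behaviours described in the reply above (default processing, loopback merge, loopback replace), as an added Python model that is not part of the original thread. All OU, GPO, setting, user and computer names are constructed for illustration, and the model ignores inheritance from parent containers and security filtering. In merge mode the computer's GPOs are processed after the user's, so they win on a conflict.

```python
"""Model: which GPOs supply User Configuration at logon, per loopback mode."""

# Constructed directory: OU -> GPOs linked there (name, User Configuration settings).
LINKED = {
    "OU=Staff":   [("Staff Desktop", {"NoRun": 0, "Wallpaper": "corp.bmp"})],
    "OU=Kiosks":  [("Kiosk Lockdown", {"NoRun": 1, "NoControlPanel": 1})],
    "OU=Offices": [],
}
USERS = {"kathy": "OU=Staff"}  # user account -> OU holding it
# computer account -> (OU holding it, loopback mode its Computer Configuration sets)
COMPUTERS = {"KIOSK01": ("OU=Kiosks", "replace"), "PC042": ("OU=Offices", "off")}


def user_gpos_at_logon(user, computer, mode=None):
    """Ordered list of GPOs whose User Configuration is processed."""
    computer_ou, configured_mode = COMPUTERS[computer]
    mode = mode or configured_mode          # optional override, for comparison
    by_user = list(LINKED[USERS[user]])     # follows the user account's location
    by_computer = list(LINKED[computer_ou])  # follows the computer's location
    if mode == "off":
        return by_user
    if mode == "merge":                     # computer's list appended, so it wins
        return by_user + by_computer
    if mode == "replace":                   # user's own list is ignored entirely
        return by_computer
    raise ValueError(f"unknown loopback mode: {mode!r}")


def resultant_user_settings(user, computer, mode=None):
    """Apply GPOs in processing order; a later GPO overwrites an earlier one."""
    result = {}
    for _gpo_name, settings in user_gpos_at_logon(user, computer, mode):
        result.update(settings)
    return result


if __name__ == "__main__":
    for pc in COMPUTERS:
        print(pc, resultant_user_settings("kathy", pc))
    print("KIOSK01 (merge)", resultant_user_settings("kathy", "KIOSK01", "merge"))
```

The same user gets the lockdown settings only on the computer whose OU enables loopback, and her usual settings on every other computer.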
 