Group Policy cumulative effect testing

By jimmy
I am looking for the best way to test or calculate the cumulative effect of overlapping policies. I am about to set up group policies on a network that is mostly (about 2/3) Win98 systems. The desire is to lock down all of the users, with an occasional exception on specific XP-based systems on the network. What I would like to do, but do not know how, is to set a user policy to lock them down, but have a machine policy that will override the user policy and let the restrictions be lifted when needed, but only on certain machines, not on the user for just any machine. Can anyone offer me some guidance or recommend a location where I can find some guidance on this?

Group Policy cumulative effect testing

by DC1 In reply to Group Policy cumulative e ...

First problem I see is 2/3 of your network PCs are Win98, and Group Policies only work on Windows 2000 or better machines. For your XP desktops there is a local Microsoft MMC for Resultant Set of Policies which will tell you what policies are affecting the local machine and a user account. There is a network version of Resultant Set of Policy, but you need Windows Server 2003.

Group Policy cumulative effect testing

by jimmy In reply to Group Policy cumulative e ...

This is the first time that I have attempted to set up multiple policies that will need to overlap and offset or interact with each other. I realize that having that many 98 machines is a problem, but this is for a small school district and they are very budget limited. I know (or think that I do) that we can use policy rules applied to the user account to somewhat regulate the 98 machines when they are logged in to the network. If the students do not log into the network then there will be no policy used. The goal is to set this up so that if one of the computer labs needs to have access to the floppy drive for class this week, then they can go in and allow access to their OU, which will contain the computer accounts for their XP systems. All the labs are 100% XP Pro systems. What I was told by someone who is less sure of this info than I am (and that is very scary) is that they thought there was some way to specify which policy has priority over other policies. If this is true, then we can set a very restrictive policy applied to the OU containing the USER Accounts, and then have a separate policy that applies to the OU for the Labs and loosen the lab policy when desired, and this would override the user policy and lessen the restrictions on the XP systems in the lab, but everywhere else the user would still be locked down (in theory). I hope this helps clarify what I am looking to do. Thanks for any input.
