How do I prohibit AD user GPs from affecting certain PCs and not others?

By tonnyvang
I work at a high school and our student accounts have a GP that locks down XP machines that students log on to. The GP is linked to the user accounts OU. However, there are a few specialty machines that students need more or full access to, i.e. Yearbook designated computers. I was wondering if there is a way for me to do this with either GP or through the local policy on the PCs themselves. Any help would be greatly appreciated.

All Answers

Apply to the Computer Objects

by Churdoo In reply to How do I prohibit AD user ...

Create OUs for the different categories of computers, move the computer objects into the new OUs accordingly, and create/link GPs to the new OUs as applicable.

Link GP to Computer OU instead?

by tonnyvang In reply to Apply to the Computer Obj ...

Are you saying that instead of linking the GP to the OUs containing the user accounts, I should link them to the OUs containing the computers? Would it still lock the computer when users log on? Or would I have to edit the settings in the computers section of the GP itself? Thanks for your help.

I need to lock down PC's

by tonnyvang In reply to Apply to the Computer Obj ...

Here's the deal: in the Computer Config of GP, I don't get as many settings to lock down the computer as I would in User Configuration, i.e. locking down Windows Explorer and the C drive, taking items off the Start menu... If anyone's got a clue, let me know.

Still use User Configuration settings

by Churdoo In reply to I need to lock down PC's

You can still use the User Configuration settings of a GP that's applied to computer objects. The settings are applied to all users that log into those computers.

Note: A GP that's applied to a computer object will ALSO apply to Administrators logging on to the computer, unless you modify the permissions of the GP object (deny Administrators access to the GPO, for example, and then the settings will not be applied to Administrators that log on to the computer).

Combination of User and Computer GPOs

by CG IT In reply to I need to lock down PC's

Both GPOs linked to a user OU and a computer OU can be processed on a particular computer. You can have a couple of GPOs linked to a particular OU and each will be processed in the particular way you specify.

The downside is that with more complexity comes more effort in administration and troubleshooting should a problem arise AND, more importantly, other network administrators being able to understand what you've created. Another downside is logon times. With more GPOs and more complexity, logon times suffer due to GPO processing.


by animatech In reply to How do I prohibit AD user ...

Create an OU for these computers.
Put the PCs in the OU or create a group and assign computer objects to it.
Apply a custom GP to that OU.
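
The steps in the answer above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules as an added example that is not part of the original thread. The domain DN, OU name, GPO name and computer names are hypothetical placeholders, and the GPO is assumed to exist already.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = 'DC=school,DC=example'          # placeholder domain
$OuName    = 'Yearbook Computers'            # placeholder OU name
$GpoName   = 'Yearbook Workstations'         # placeholder, GPO must already exist
$Computers = 'YEARBOOK-01', 'YEARBOOK-02'    # placeholder computer names
$OuDN      = "OU=$OuName,$DomainDN"

# 1. Create the OU only if it is not there yet, so the script can be re-run.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
                -SearchBase $DomainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# 2. Move each computer object into the OU; warn on names that do not resolve.
foreach ($name in $Computers) {
    $pc = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $pc) {
        Write-Warning "No computer object named $name"
        continue
    }
    if ($pc.DistinguishedName -notlike "*,$OuDN") {
        Move-ADObject -Identity $pc.DistinguishedName -TargetPath $OuDN
    }
}

# 3. Link the GPO to the OU unless a link already exists.
$links = (Get-GPInheritance -Target $OuDN).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# User Configuration settings in a GPO linked to a computer OU reach the users
# who log on there only when loopback processing is enabled for those computers.

# 4. Report what ended up in the OU and which GPOs are linked to it.
Get-ADComputer -SearchBase $OuDN -Filter * | Select-Object Name, DistinguishedName
(Get-GPInheritance -Target $OuDN).GpoLinks | Select-Object DisplayName, Enabled, Order
```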

You could...

by NaughtyMonkey In reply to How do I prohibit AD user ...

create a user account for those that need more access.

I am assuming they don't each have an account, but share a student account as in most schools around here.

This way you can create an OU with that user in it and apply the GPO to it. This way computer settings will remain the same since you only want to change user settings.

It really depends on what you think will require less effort to create and maintain. It could go either way.
