Q


Expert Jeremy Moskowitz shows a reader how to use loopback policy processing to restrict rights for a group of users on a specific OU of computers.

How can I restrict rights for a group of users on a specific OU of computers, but not on any computers outside of that OU?

In other words, I don't want this set of users to see the floppy drive, be able to right click, open calculator, etc., when they are using any of the machines within the OU, BUT have full access rights when they are using machines outside of the OU in Group Policy. All the machines and users are in the same domain. Essentially, is it possible to have a GPO that restricts user rights extensively apply to a group/OU of users only when they log in to a specific group/OU of machines?

This sounds like a classic case for using loopback policy processing. As you know, the users are getting the policies which apply to their user accounts based on where they are in Active Directory, and likewise for machines. Loopback means that you can get a machine to process policies which have user settings and apply these to users which log on to them, even though that user policy may not be linked to where the real user account is. This is perfect for things like internet kiosk machines or terminal servers which typically need very specific settings that you don't want to apply to your users normally.

So how do you set it up?

Create and link a policy to the OU where the machines are and edit it. Under Administrative Templates\System\Group Policy, you want to configure the setting for "User Group Policy loopback processing mode." You need to choose a mode -- "replace" will ignore all the user's own settings and only use those settings which are in scope for the machine (so linked to your special OU), whereas "merge" will use both, and the machine's looped-back user settings will take precedence in the case of any conflict.

So here we are setting a group policy to tell Group Policy how to function. You can set the user settings you want in this same policy to keep it all together, or link specific user policies to the OU in the normal way.
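One way to build this from PowerShell, as an added example that is not part of the original answer: it follows the second option above (a loopback GPO for the machines plus a separate user-settings GPO linked to the same OU) and assumes the GroupPolicy RSAT module, with placeholder names for the domain, OU and user group.

```powershell
# Added example, not from the original answer. Assumes the GroupPolicy RSAT
# module; "Kiosk Computers", "Kiosk Users" and contoso.local are placeholders.
Import-Module GroupPolicy

$ouDn  = "OU=Kiosk Computers,DC=contoso,DC=local"
$group = "Kiosk Users"

# 1. Computer-side GPO: turn on loopback in Replace mode.
#    UserPolicyMode is the registry value behind "User Group Policy
#    loopback processing mode": 1 = Merge, 2 = Replace.
$loop = New-GPO -Name "Kiosk - Loopback (Replace)"
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loop.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null

# 2. User-side GPO with the restrictions, linked to the same computer OU.
#    NoDrives is a bitmask of drive letters to hide in Explorer: bit 0 = A:,
#    bit 1 = B:, so 3 hides both floppy letters ("Restrict A and B drives only").
$restr = New-GPO -Name "Kiosk - User restrictions"
Set-GPRegistryValue -Name $restr.DisplayName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoDrives" -Type DWord -Value 3 | Out-Null
New-GPLink -Name $restr.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null

# 3. Security filtering: only members of the group receive the user settings.
#    Authenticated Users is reduced to Read (not Apply) so the kiosk computer
#    accounts can still read the GPO, which loopback needs in order to fetch
#    its user settings on the user's behalf.
Set-GPPermission -Name $restr.DisplayName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $restr.DisplayName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Check on a kiosk machine after "gpupdate /force", logged on as a group member:
#   gpresult /r /scope:user   -> "Kiosk - User restrictions" listed under Applied GPOs
# On a computer outside the OU the same user gets neither GPO, because both
# are linked only to the computer OU.
```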

This was first published in September 2006
