Alan, I did look in the user configuration, and most of the settings are available there as well.
Thanks for the help. :) On 2/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Joni, > > As you said, when the machine boots it gets the machine policy applied, and > you want to back it out when the User logs on, which is pretty much a tall > idea! I have never heard of such a function and to be honest would think it > to be "impossible", unless of course the machine could predict who was going > to logon... :-). > > The closest I could think of doing it would be to fudge it. That is > (somehow) stop the machine policy applying at Machine boot up, then getting > the user to run the Machine policy via GPUPDATE target:machine when they > logon. Of course you then only have the option of not running the machine > policy when the Admin user logs on, which is different to "undoing the > policy settings that the previous user applied to the machine" > > Can I ask why you would want to do this? You mention the case of "disable > adding tasks to task scheduler". I don't specifically know this policy, but > where is it and I would have guessed Microsoft would have given you an > equivalent User based policy to achieve what you want. One way that you may > be able to achieve what you want (just in this case) would be for the admin > to run a script at logon to delete the machine registry key that was created > by the machine policy. Of course it will come back when the machine policy > runs again. > > Alan Cuthbertson > > > Policy Management Software:- > http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml > ADM Template Editor:- > http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml > Policy Log Reporter(Free) > http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml > > > > ----- Original Message ----- > From: "Umer Y." <[EMAIL PROTECTED]> > To: <ActiveDir@mail.activedir.org> > Sent: Saturday, February 11, 2006 1:55 PM > Subject: RE: [ActiveDir] Computer Policies based on User Logon? > > > > If it was user policies, then it wouldn't be a problem. But these are > > settings in computer configuration which applies before the user logs on, > > but instead I need them to apply based on the user who logs on. > > > > Hope that simplifies my question. > > > > > > > > ... you don't know what you've got 'till it's gone.. > > > > - Joni Mitchell > > > > > > From: <[EMAIL PROTECTED]> > > Reply-To: ActiveDir@mail.activedir.org > > To: <ActiveDir@mail.activedir.org> > > Subject: RE: [ActiveDir] Computer Policies based on User Logon? > > Date: Fri, 10 Feb 2006 18:27:57 -0800 > > > > define your policies in the "User Configuration" and deny this user access > > to > > the policies. > > > > > > Sincerely, > > > > Dèjì Akómöláfé, MCSE+M MCSA+M MCT > > Microsoft MVP - Directory Services > > www.readymaids.com - we know IT > > www.akomolafe.com > > Do you now realize that Today is the Tomorrow you were worried about > > Yesterday? -anon > > > > ________________________________ > > > > From: [EMAIL PROTECTED] on behalf of Umer Y. > > Sent: Fri 2/10/2006 6:21 PM > > To: ActiveDir@mail.activedir.org > > Subject: RE: [ActiveDir] Computer Policies based on User Logon? > > > > > > > > Thanks for responding Nuo. Loopback policy will merge/replace the logging > > on > > user's "User Configuration" with its "User Configuration". > > > > That is the opposite of what I am trying to achieve here. Is there way to > > apply the logging on user's "Computer Configuration" over machines > > "Computer > > Configuration" perhaps? > > > > > > > > > > ... you don't know what you've got 'till it's gone.. > > > > - Joni Mitchell > > > > > > From: "Nuo Yan" <[EMAIL PROTECTED]> > > Reply-To: ActiveDir@mail.activedir.org > > To: <ActiveDir@mail.activedir.org> > > Subject: RE: [ActiveDir] Computer Policies based on User Logon? > > Date: Fri, 10 Feb 2006 17:18:54 -0800 > > > > You may want to change the policy processing preferences so that you need > > the "User Group Policy loopback processing mode" policy configured. > > > > You can find this policy under Computer Configuration\Administrative > > Templates\System\Group Policy folder. > > > > There will be two options: Replace and Merge. > > > > Replace - The user settings in the computer's GPOs replace the user > > settings > > applied to the user. > > > > Merge - combine the user settings in computer's GPOs and User's GPOs. If > > conflict, user settings in computer's GPOs take preference. > > > > Hope this helps. > > > > You should also consider changing the design of your Group Policy > > infrastructure. You may want to take advantage of the flexibility of User > > Configurations and Computer Configurations. You may design your GPOs to > > fit > > your requirements. > > > > Nuo Yan - MS MVP > > University of Washington > > http://msmvps.com/nuoyan > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Umer Y. > > Sent: Friday, February 10, 2006 4:25 PM > > To: ActiveDir@mail.activedir.org > > Subject: [ActiveDir] Computer Policies based on User Logon? > > > > Hello All, > > > > I was wondering if there is a way to have a user logon to the machine and > > not have the computer policies applied to the machine if the user is part > > of > > > > a certain group? > > > > Say for example, I have defined a policy in computer configuration, > > disable > > adding tasks to task scheduler, on an OU. All machines are located in the > > OU. Domain admins do not have "read or apply group policy" rights to that > > particular group policy. Authenticated users have "read or apply group > > policy" rights. > > > > Now, if a domain user logs on to the machiine, the computer policy is > > applied to them, which is alright. But if a domain admin logs on, the > > computer policy still applies. > > > > I do understand that computer policy applies on the machine before msgina > > is > > > > presented, but is there any way to condition it to revert the change when > > a > > domain admin logs on? > > > > > > Thanks in advance. > > > > > > > > > > > > > > > > ... you don't know what you've got 'till it's gone.. > > > > - Joni Mitchell > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > -- "Ambition is a dream with a V8 engine." ~ Elvis Presley List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
