Hey Jeff....

If I understand you right, I think I'd do a variation of #2...

A separate software restriction policy user based....Then a global group
that has deny apply set on the delegation.  That way you only manage the
group.

Remember too, these only apply to XP+, and you have to restart explorer
somehow to get them to work.   (reboot, logout, and back in)

You can deny executables and allow specific ones...But, like I said, if I
understand you right, this sounds easier, at least to me.

HTH
John

From: "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[email protected]>
Date: 05/29/2005 07:22 PM
Subject: [ActiveDir] Software restriction quandry
Please respond to: [EMAIL PROTECTED]

Hey all

    I am trying to think of the best course of action on this problem:

Management wants to install certain applications on our baseline.  They
want to restrict all users except those within certain groups from running
these applications.

possible solutions:

1. Set a machine software restriction policy that disallows all from using
the different executables.  Then create a user Software restriction policy
that allows the users in these groups to run the programs.  This policy
would only apply to the group.

2.  Set a User software restriction policy as part of the normal user
policy settings that disallows users from the different executables.
Create a second policy that applies only to the group with permissions to
use the program that allows the software to run.


Which do you think would be better?  Also, is my thinking in the right place
that the second policy will override the first policy?

Jeff


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
