define your policies in the "User Configuration" and deny this user access to the policies. Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Umer Y.
Sent: Fri 2/10/2006 6:21 PM
To: [email protected]
Subject: RE: [ActiveDir] Computer Policies based on User Logon?

Thanks for responding Nuo.

Loopback policy will merge/replace the logging on user's "User Configuration" with its "User Configuration". That is the opposite of what I am trying to achieve here. Is there a way to apply the logging on user's "Computer Configuration" over machine's "Computer Configuration" perhaps?

... you don't know what you've got 'till it's gone.. - Joni Mitchell

From: "Nuo Yan" <[EMAIL PROTECTED]>
Reply-To: [email protected]
To: <[email protected]>
Subject: RE: [ActiveDir] Computer Policies based on User Logon?
Date: Fri, 10 Feb 2006 17:18:54 -0800

You may want to change the policy processing preferences so that you need the "User Group Policy loopback processing mode" policy configured. You can find this policy under Computer Configuration\Administrative Templates\System\Group Policy folder.

There will be two options: Replace and Merge.

Replace - The user settings in the computer's GPOs replace the user settings applied to the user.
Merge - combine the user settings in computer's GPOs and User's GPOs. If conflict, user settings in computer's GPOs take preference.

Hope this helps.

You should also consider changing the design of your Group Policy infrastructure. You may want to take advantage of the flexibility of User Configurations and Computer Configurations. You may design your GPOs to fit your requirements.

Nuo Yan - MS MVP
University of Washington
http://msmvps.com/nuoyan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Umer Y.
Sent: Friday, February 10, 2006 4:25 PM
To: [email protected]
Subject: [ActiveDir] Computer Policies based on User Logon?

Hello All,

I was wondering if there is a way to have a user log on to the machine and not have the computer policies applied to the machine if the user is part of a certain group?

Say for example, I have defined a policy in computer configuration, disable adding tasks to task scheduler, on an OU. All machines are located in the OU. Domain admins do not have "read or apply group policy" rights to that particular group policy. Authenticated users have "read or apply group policy" rights.

Now, if a domain user logs on to the machine, the computer policy is applied to them, which is alright. But if a domain admin logs on, the computer policy still applies.

I do understand that computer policy applies on the machine before msgina is presented, but is there any way to condition it to revert the change when a domain admin logs on?

Thanks in advance.

... you don't know what you've got 'till it's gone.. - Joni Mitchell

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
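
Added example, not part of the original thread: a simplified Python model of the filtering behaviour discussed above, showing why a computer-side setting still reaches a domain admin and how the same restriction, moved to User Configuration and delivered through loopback Replace, can be filtered per user. Group names, account names and the setting keys (no_new_tasks, loopback) are constructed for illustration.

```python
# Simplified model of Group Policy security filtering (added example; names are constructed).
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings
    allow: set = field(default_factory=set)       # groups granted Read + Apply Group Policy
    deny: set = field(default_factory=set)        # groups denied Apply Group Policy

    def applies_to(self, token: set) -> bool:
        return bool(token & self.allow) and not (token & self.deny)  # deny wins

def resultant(machine_gpos, user_gpos, machine_token, user_token):
    """GPO lists are in processing order, so a later GPO overrides an earlier one."""
    comp = {}
    for gpo in machine_gpos:
        if gpo.applies_to(machine_token):  # the user's token is never consulted here
            comp.update(gpo.computer)
    mode = comp.get("loopback")            # loopback is itself a computer setting
    if mode == "replace":
        sources = machine_gpos
    elif mode == "merge":
        sources = user_gpos + machine_gpos  # machine's GPOs last, so they win conflicts
    else:
        sources = user_gpos
    usr = {}
    for gpo in sources:
        if gpo.applies_to(user_token):
            usr.update(gpo.user)
    return comp, usr

PC = {"PC01$", "Domain Computers", "Authenticated Users"}
ADMIN = {"alice", "Domain Admins", "Authenticated Users"}
STAFF = {"bob", "Domain Users", "Authenticated Users"}
FILTER = dict(allow={"Authenticated Users"}, deny={"Domain Admins"})

# Original design: the restriction is a computer setting on the machines' OU.
as_computer = [GPO("Lockdown", computer={"no_new_tasks": True}, **FILTER)]
# Redesign: the restriction is a user setting, delivered through loopback Replace.
as_user = [GPO("Lockdown", computer={"loopback": "replace"},
               user={"no_new_tasks": True}, **FILTER)]

def restricted(machine_gpos, user_token):
    comp, usr = resultant(machine_gpos, [], PC, user_token)
    return bool(comp.get("no_new_tasks") or usr.get("no_new_tasks"))

if __name__ == "__main__":
    for label, gpos in (("computer setting", as_computer), ("user setting + loopback", as_user)):
        print(label, {"admin": restricted(gpos, ADMIN), "staff": restricted(gpos, STAFF)})
```

The model leaves out link order across sites and domains, enforcement and inheritance blocking, and WMI filters.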
