Joni,
As you said, when the machine boots it gets the machine policy applied, and
you want to back it out when the User logs on, which is pretty much a tall
idea! I have never heard of such a function and to be honest would think it
to be "impossible", unless of course the machine could predict who was going
to logon... :-).
The closest I could think of doing it would be to fudge it. That is
(somehow) stop the machine policy applying at Machine boot up, then getting
the user to run the Machine policy via GPUPDATE target:machine when they
logon. Of course you then only have the option of not running the machine
policy when the Admin user logs on, which is different to "undoing the
policy settings that the previous user applied to the machine"
Can I ask why you would want to do this? You mention the case of "disable
adding tasks to task scheduler". I don't specifically know this policy, but
where is it and I would have guessed Microsoft would have given you an
equivalent User based policy to achieve what you want. One way that you may
be able to achieve what you want (just in this case) would be for the admin
to run a script at logon to delete the machine registry key that was created
by the machine policy. Of course it will come back when the machine policy
runs again.
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
----- Original Message -----
From: "Umer Y." <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, February 11, 2006 1:55 PM
Subject: RE: [ActiveDir] Computer Policies based on User Logon?
If it was user policies, then it wouldn't be a problem. But these are
settings in computer configuration which applies before the user logs on,
but instead I need them to apply based on the user who logs on.
Hope that simplifies my question.
... you don't know what you've got 'till it's gone..
- Joni Mitchell
From: <[EMAIL PROTECTED]>
Reply-To: [email protected]
To: <[email protected]>
Subject: RE: [ActiveDir] Computer Policies based on User Logon?
Date: Fri, 10 Feb 2006 18:27:57 -0800
Define your policies in the "User Configuration" and deny this user access to the policies.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Umer Y.
Sent: Fri 2/10/2006 6:21 PM
To: [email protected]
Subject: RE: [ActiveDir] Computer Policies based on User Logon?
Thanks for responding, Nuo. Loopback policy will merge/replace the logging on user's "User Configuration" with its "User Configuration".
That is the opposite of what I am trying to achieve here. Is there a way to apply the logging on user's "Computer Configuration" over the machine's "Computer Configuration" perhaps?
... you don't know what you've got 'till it's gone..
- Joni Mitchell
From: "Nuo Yan" <[EMAIL PROTECTED]>
Reply-To: [email protected]
To: <[email protected]>
Subject: RE: [ActiveDir] Computer Policies based on User Logon?
Date: Fri, 10 Feb 2006 17:18:54 -0800
You may want to change the policy processing preferences so that you need
the "User Group Policy loopback processing mode" policy configured.
You can find this policy under Computer Configuration\Administrative
Templates\System\Group Policy folder.
There will be two options: Replace and Merge.
Replace - The user settings in the computer's GPOs replace the user settings applied to the user.
Merge - combine the user settings in computer's GPOs and User's GPOs. If conflict, user settings in computer's GPOs take preference.
Hope this helps.
You should also consider changing the design of your Group Policy infrastructure. You may want to take advantage of the flexibility of User Configurations and Computer Configurations. You may design your GPOs to fit your requirements.
Nuo Yan - MS MVP
University of Washington
http://msmvps.com/nuoyan
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Umer Y.
Sent: Friday, February 10, 2006 4:25 PM
To: [email protected]
Subject: [ActiveDir] Computer Policies based on User Logon?
Hello All,
I was wondering if there is a way to have a user logon to the machine and not have the computer policies applied to the machine if the user is part of a certain group?
Say for example, I have defined a policy in computer configuration, disable adding tasks to task scheduler, on an OU. All machines are located in the OU. Domain admins do not have "read or apply group policy" rights to that particular group policy. Authenticated users have "read or apply group policy" rights.
Now, if a domain user logs on to the machine, the computer policy is applied to them, which is alright. But if a domain admin logs on, the computer policy still applies.
I do understand that computer policy applies on the machine before msgina is presented, but is there any way to condition it to revert the change when a domain admin logs on?
Thanks in advance.
... you don't know what you've got 'till it's gone..
- Joni Mitchell
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
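The scoping rules discussed in this thread, as an added example that is not code from any of the posters: a simplified Python model of how computer settings are filtered against the computer account at boot, while user settings (with or without loopback) are filtered against the user at logon. The group names, the sample GPOs and the existence of a user-side equivalent of the Task Scheduler setting are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SETTING = "disable adding tasks to task scheduler"  # policy named in the thread

@dataclass
class GPO:
    computer: dict = field(default_factory=dict)  # Computer Configuration
    user: dict = field(default_factory=dict)      # User Configuration
    allow: set = field(default_factory=set)       # groups with Read + Apply Group Policy
    deny: set = field(default_factory=set)        # groups denied Apply Group Policy

def in_scope(gpo, groups):
    """Security filtering: any matching deny entry overrides an allow."""
    return bool(gpo.allow & groups) and not (gpo.deny & groups)

def computer_settings(machine_gpos, machine_groups):
    """Applied at boot and filtered against the computer account only."""
    result = {}
    for gpo in machine_gpos:
        if in_scope(gpo, machine_groups):
            result.update(gpo.computer)
    return result

def user_settings(user_gpos, machine_gpos, user_groups, loopback=None):
    """Applied at logon and filtered against the user.
    loopback: None, "merge" or "replace" (the two modes Nuo describes)."""
    result = {}
    if loopback != "replace":
        for gpo in user_gpos:
            if in_scope(gpo, user_groups):
                result.update(gpo.user)
    if loopback in ("merge", "replace"):
        for gpo in machine_gpos:  # processed last, so these win conflicts
            if in_scope(gpo, user_groups):
                result.update(gpo.user)
    return result

# Constructed sample data (all names are assumptions for illustration).
LOCKDOWN = GPO(computer={SETTING: True}, user={SETTING: True},
               allow={"Authenticated Users"}, deny={"Domain Admins"})
STAFF_GPO = GPO(user={"wallpaper": "corp.bmp"}, allow={"Authenticated Users"})
PC = {"Authenticated Users", "Domain Computers"}
ADMIN = {"Authenticated Users", "Domain Users", "Domain Admins"}
STAFF = {"Authenticated Users", "Domain Users"}

if __name__ == "__main__":
    print("computer:", computer_settings([LOCKDOWN], PC))
    print("admin   :", user_settings([STAFF_GPO], [LOCKDOWN], ADMIN, "merge"))
    print("staff   :", user_settings([STAFF_GPO], [LOCKDOWN], STAFF, "merge"))
```

The computer-side result never takes the user's groups as input, so filtering Domain Admins out of the GPO cannot exempt them from it; only the user-side copy of the setting responds to the deny entry.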