I usually move them out as you can't apply GPO at the "computers" level...
________________________________ From: [EMAIL PROTECTED] on behalf of Alberto Oviedo Sent: Fri 22/09/2006 22:40 To: [email protected] Subject: Re: [ActiveDir] Assign User rights overs computers with AD Hey Dave. Do you mean separate trees under root "computers"? or Create different OU's for computers? On 9/22/06, Al Mulnick < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: Separate "Trees"? That seems a little excessive. Or are we just mixing terms? On 9/21/06, Dave Wade < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: I prefer to keep them in seperate trees. In fact we are just doing that at present... ________________________________ From: [EMAIL PROTECTED] on behalf of Alberto Oviedo Sent: Thu 21/09/2006 17:50 To: [email protected] Subject: Re: [ActiveDir] Assign User rights overs computers with AD Thanks for your help. really useful. Is it a good practice to move computer objects to OU where the user of the computer resides? On 9/20/06, Dave Wade <[EMAIL PROTECTED]> wrote: Alberto, Even though we made our users "PowerUsers" we found that we needed to make a number of "tweaks" to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to cater for applications that write to places on the "C" drive (other than the windows folders, of course) where applications should not write. We also refreshed permissions on the "all users" profile to make sure users don't delete items from the "all users" desktop or start-menu. I guess the last thing to note is that we rolled the policy out in manageable chunks of PCs, say 100 at a time, so if there were issues we could cope with the service calls, Hope this is useful, Dave. ________________________________ From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] On Behalf Of Al Mulnick Sent: 20 September 2006 14:13 To: [email protected] Subject: Re: [ActiveDir] Assign User rights overs computers with AD You can, but I've yet to see it be so simple. The information you're looking for is "restricted groups" but I HIGHLY advise you to be careful and to TEST that prior to using it on your workstations. I also highly advise that you only apply that type of setting to workstations and not on servers (separate them into different OU's). Another way to do this is with a logon script that adds an account to the local administrators group and removes the user from that group. The testing is a way to ensure that you don't break applications on the workstations. Some of the more poorly written applications require special access and as a default prefer administrative access rights. They work poorly without them. You'll want to test thoroughly so that you can remove the unneeded rights and still allow your user community to work as expected. I'm sure there's more cautions I can suggest, but you get the idea. On 9/20/06, Alberto Oviedo < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: Hello. My name is Alberto, I'm from Nicaragua In our company the support team has granted every user administrator rights over their workstation, We recently migrated to Windows 2003 AD and I want to revoke the privileges tha users have on their computers. Can I do this through AD? It's around 300 users and I don't want to visit every single one of them. Thanks for your help. ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk **********************************************************************
<<winmail.dat>>
