If it's computer policy, restrict by computer names. If it's user policy, restrict with usernames.
Either way, you're better off making groups to control these. Even if it's just one user, if that account goes away (deleted, etc.), it will leave an old SID in your group policy config.

Then, with groups, either allow to Authenticated users and deny to the group OR remove authenticated users and allow to the group only.

We even have some more complex software gps where there are different groups for different versions with allows and denies. For example, Adobe 6.0, Adobe 7.0, and Adobe 8.0 groups. As an example, for the Adobe 6.0 install, that group is allowed and the other two denied. Keeps a machine from having broken software because it was added to both groups at once.

-Bonnie

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 22, 2008 10:47 AM
To: Active Directory Admin Issues
Subject: GPO Question

I use GPO to push software installations to my users. My question is, on a particular GPO, on the delegation tab, groups and users, authenticated users is there (which I understand). If I wanted to restrict that GPO from certain users, should I put the user's computer name or the user's login account on the list (to bypass the authenticated users group), in addition to the authenticated users?

Thanks....

Troy

Troy Adkins
Network Administrator
Virginia House of Delegates
804.698.1567 (O)
804.771.7917 (F)
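The allow/deny group scheme from the reply above, as an added example that is not part of the original thread: a simplified Python model of GPO security filtering in which an explicit deny overrides any allow. The class, function, and sample names (including the account "jdoe" and the "No Office" group) are constructed for illustration.

```python
# Simplified model of GPO security filtering (added example, not from the thread).
# Assumption: a GPO applies to a principal only if one of its groups is allowed
# "Apply Group Policy" and none of its groups is denied; deny always wins.
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"

@dataclass
class Gpo:
    name: str
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

    def applies_to(self, groups):
        # Every signed-in user or computer is implicitly in Authenticated Users.
        effective = set(groups) | {AUTH_USERS}
        if effective & self.deny:
            return False
        return bool(effective & self.allow)

def versioned_gpos(versions, prefix="Adobe "):
    """One GPO per version: allow its own group, deny every other version's group."""
    names = [prefix + v for v in versions]
    return [Gpo(n, allow={n}, deny=set(names) - {n}) for n in names]

def applied(gpos, groups):
    """Names of the GPOs that take effect for a principal in the given groups."""
    return sorted(g.name for g in gpos if g.applies_to(groups))

def stale_entries(gpo, live_principals):
    """Filter entries naming accounts or groups that no longer exist (old SIDs)."""
    return sorted((gpo.allow | gpo.deny) - set(live_principals) - {AUTH_USERS})

if __name__ == "__main__":
    gpos = versioned_gpos(["6.0", "7.0", "8.0"])
    print(applied(gpos, {"Adobe 6.0"}))               # only the 6.0 install
    print(applied(gpos, {"Adobe 6.0", "Adobe 7.0"}))  # both groups: nothing installs
    # Other option from the reply: allow Authenticated Users, deny one group.
    blanket = Gpo("Office", allow={AUTH_USERS}, deny={"No Office"})
    print(applied([blanket], {"No Office"}), applied([blanket], set()))
    # A GPO filtered on a single account keeps the entry after the account is deleted.
    print(stale_entries(Gpo("Viewer", allow={"jdoe"}), {"Adobe 6.0"}))
```

A machine added to two version groups by mistake receives none of the installs, which is the failure-safe behaviour the reply describes.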
