Oh, that's just *way* too logical. MSFT will catch up with that in about 10 years, I'm guessing.

On Mon, Aug 3, 2009 at 16:45, Ben Scott<[email protected]> wrote:
> Since I'm apparently not explaining this very well, let me emphasize:
>
> *** I ALREADY KNOW HOW TO DO THIS WITH GPO PERMISSIONS. ***
>
> :-)
>
> I am/was trying to explain a concept for a better way.
>
> On Mon, Aug 3, 2009 at 7:16 PM, Kurt Buff<[email protected]> wrote:
>> I put all of my service accounts in a separate OU.
>
> We do the same here. Although in this case, these aren't service
> accounts. They're special role accounts used for interactive logon to
> various computers. Those computers run application-specific software
> to do things like acquire data from test equipment, or provide the UI
> for manufacturing equipment, or whatever. The log off scripts do
> things like clean up files, run backups, close down processes cleanly,
> etc. Most of it is needed due to brain damage in vendor systems.
> There's a lot of that out there, as I'm sure you're aware.
>
>> I suspect - we aren't using GPOs here, really - that assigning
>> them to the OU, then limiting them by individual users, or
>> by groups with single users in them, as he is implying,
>> will do exactly what you want.
>
> You don't even need the groups; it works for individual users, as
> you suggest. You just create the GPO, linked to the OU the account
> object is in, remove the default ACE which "allows" <Apply Group
> Policy> for the <Everyone> subject, then add an ACE to "allow" <Apply
> Group Policy>, with the subject being the user account in question.
>
> It would be cleaner and easier to do if every user object could just
> have a GPO associated with it directly. This would be analogous to
> how every machine has a GPO of its own. Suppose a button in the user
> properties dialog to edit the GPO for that user.
>
> -- Ben
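
The per-user GPO security filtering described in the quoted message, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original thread. The GPO name, OU path and account name are placeholders, and keeping read access for Authenticated Users (instead of removing the ACE outright) is this example's assumption.

```powershell
# Added example: filter a GPO so it applies to exactly one role account.
# Requires the GroupPolicy module (RSAT / GPMC) and rights to create and link GPOs.
Import-Module GroupPolicy

# Placeholder values (assumptions, not taken from the thread).
$GpoName  = 'Logoff-Cleanup-TestStation01'
$OuDn     = 'OU=Role Accounts,DC=example,DC=com'
$RoleUser = 'EXAMPLE\teststation01'

# 1. Create the GPO and link it to the OU that holds the account object.
New-GPO    -Name $GpoName -Comment 'Logoff script for one role account' | Out-Null
New-GPLink -Name $GpoName -Target $OuDn | Out-Null

# 2. Take "Apply Group Policy" away from the default broad principal.
#    -Replace is needed because Set-GPPermission will not lower an existing
#    permission without it. Read is kept so that computers can still fetch
#    the GPO when processing user policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Allow "Apply Group Policy" for the single role account only.
Set-GPPermission -Name $GpoName -TargetName $RoleUser `
    -TargetType User -PermissionLevel GpoApply | Out-Null

# 4. Audit: list every trustee that can apply the GPO and flag anything
#    other than the intended account, so a stray ACE does not go unnoticed.
$expected   = ($RoleUser -split '\\')[-1]
$appliers   = Get-GPPermission -Name $GpoName -All |
              Where-Object { $_.Permission -eq 'GpoApply' }
$unexpected = $appliers | Where-Object { $_.Trustee.Name -ne $expected }

$appliers | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Inherited

if ($unexpected) {
    Write-Warning ("Unexpected GpoApply trustees on '{0}': {1}" -f `
        $GpoName, (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '))
} else {
    Write-Output "Only '$expected' can apply '$GpoName'."
}
```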
