Need a little help (group policy)

Non-Profit Techie Member Posts: 418 ■■□□□□□□□□
Hi guys. I don't have too much experience with GPOs and AD yet, but here is a question I thought one of you might be able to help me with.

I have some users in an OU that has user GPOs, and their computers are in another OU that has their computer GPO. Just one user needs to be able to access the command line from her computer, and I'm unsure of the best practice to do this for just that user. Do I have to separate that user from the OU and make a new GPO, or is there a better way to do this? I really want to keep AD clean and not make millions of little exceptions for every little complaint that comes up.
Thanks,
Aaron

Comments

  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    The best way is to create an OU for that user, that way it keeps AD clean and simple to read. The other way is to simply open the Group Policy that has the "No cmd" policy and on the properties, add the individual user and select "deny" for Full Control or Apply Group Policy and that should stop the policy from applying to that user.

    However, exceptions like that are hard to find later down the road, and it will also stop any other policies in that GPO from applying to the user in question.
    All things are possible, only believe.
  • royal Member Posts: 3,352 ■■■■□□□□□□
    There are 3 ways you can do this.

    1. In that OU, create a new GPO. Make sure this GPO is highest in the list, meaning it has the most precedence. Go to the security settings of that GPO and remove the Domain Users from the ACL. Add that user in the ACL and make sure they have permissions to apply that GPO. The others in the OU will ignore applying that GPO since they don't have permissions to it and they will continue onto the next GPO on that list that allows them to access the command line.

    2. Create a new OU within that OU and move the user to that new OU. Assign a new GPO to that new OU and disallow users to use the command line. Because all of the other settings will be Not Defined, that user in the new GPO will still receive the Group Policy settings from the parent OU GPOs.

    3. Go onto their machine, and use the Local Group Policy to do this. One problem with this is that if any of your Default Domain Policies, Site Policies, and OU policies have allow the command line explicitly set, it'll override that user's local group policy setting. (I wouldn't do this setting as it adds extra complexity due to the fact you'd be adding more places to manage group policy).
    “For success, attitude is equally as important as ability.” - Harry F. Banks
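
The security-filtered exception GPO from option 1 above, plus a report that makes such exceptions easy to find later, as an added PowerShell sketch that is not from any poster in this thread. The GPO name, OU path and account name are hypothetical placeholders, and it assumes the restriction comes from the "Prevent access to the command prompt" user policy (registry value DisableCMD) and that the GroupPolicy module from RSAT/GPMC is installed.

```powershell
Import-Module GroupPolicy

# Hypothetical names: replace with your own GPO name, OU and account.
$GpoName  = 'EXC - Allow command prompt'
$UserOu   = 'OU=Staff,DC=example,DC=org'
$UserName = 'jsmith'

# 1. Create the exception GPO and record why it exists.
New-GPO -Name $GpoName -Comment 'Exception: command prompt allowed for one user' | Out-Null

# 2. Counter the restriction. The policy writes DisableCMD under this key
#    (1 = block cmd and batch files, 2 = block interactive cmd only).
#    Assumption: an explicit 0 from the winning GPO leaves cmd usable.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 0 | Out-Null

# 3. Security filtering: only the one user may apply the GPO.
#    Authenticated Users is reduced to Read rather than removed, because
#    since the MS16-072 update user policy is fetched in the computer's
#    context and the GPO is silently skipped if the computer cannot read it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserName `
    -TargetType User -PermissionLevel GpoApply | Out-Null

# 4. Link at order 1 so it wins over the other GPOs linked to the same OU.
New-GPLink -Name $GpoName -Target $UserOu -Order 1 -LinkEnabled Yes | Out-Null

# 5. Audit: list every GPO whose filtering differs from the default, either
#    an Apply right for something other than Authenticated Users or any
#    Deny entry (the "deny Apply Group Policy" style of exception).
Get-GPO -All | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            $_.Denied -or
            ($_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne 'Authenticated Users')
        } |
        Select-Object @{ n = 'Gpo';     e = { $gpo.DisplayName } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission, Denied
} | Sort-Object Gpo | Format-Table -AutoSize
```

Run `gpresult /r /scope user` as the affected user after a `gpupdate /force` to confirm the exception GPO is listed under applied policies and is not filtered out.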