group policy for restricted desktop

  • Question

  • 1) Can you configure computers joined to a domain via a group policy so a user can:

    a) NOT access network resources like mapped drives/exchange email/internet explorer via the proxy
    b) only run certain local applications (i.e. yes to word, no to IE, outlook etc)

    2) Are these types of policies referred to in GP land as the computer policies, i.e. you want them applied to any user logging into that machine?

    3) Or would a and b above normally be configured by local policies set during the build process?

    4) Where in group policy does it state what policies are being applied to what computer (not the user), or where locally on the machine would you start to look to see if a and b above had been configured locally and not via a domain GP to that PC?

    5) Also - perhaps more complex, can you enforce computer policies such as software restrictions to only certain users logging in. So if user X logs in to that PC then the group policy allows them to use all software, but if user Y logs in to that PC then the group policy says no you can only use certain local apps?  

    Machines are XP.
    Wednesday, August 8, 2012 1:31 PM

Answers

  • 1) a - not sure what you exactly mean.
    b - yes it's possible with => http://technet.microsoft.com/en-us/library/cc782792%28v=ws.10%29.aspx

    2) if you want it to be applied to any user regardless of their power you should then use the gpo loopback process => http://technet.microsoft.com/en-us/library/cc785074%28v=ws.10%29.aspx

    3) see item 2.

    4) you can run one of the following to extract a report: the command line gpresult /z on the target PC, rsop.msc locally or remotely, or the preferred option, from the GPMC (Group Policy Management Console).

    5) yes, this is more complex, so you need to know exactly what you need/want to achieve so as not to make a mess of the GPOs.

    good luck.

    Wednesday, August 8, 2012 6:08 PM
  • 1) Can you configure computers joined to a domain via a group policy so a user can:

    a) NOT access network resources like mapped drives/exchange email/internet explorer via the proxy - Yes, it's possible from Group Policy.
    b) only run certain local applications (i.e. yes to word, no to IE, outlook etc)-

    You can use software restriction policies/AppLocker (in 2k8-r2)

    2) Are these types of policies referred to in GP land as the computer policies, i.e. you want them applied to any user logging into that machine?

    It will depend on your requirement. If you want it on users, then apply it in User Configuration.

    3) Or would a and b above normally be configured by local policies set during the build process?

    4) Where in group policy does it state what policies are being applied to what computer (not the user), or where locally on the machine would you start to look to see if a and b above had been configured locally and not via a domain GP to that PC?

    User RSOP.

    5) Also - perhaps more complex, can you enforce computer policies such as software restrictions to only certain users logging in. So if user X logs in to that PC then the group policy allows them to use all software, but if user Y logs in to that PC then the group policy says no you can only use certain local apps? 

    Use security filtering based on your scope.


    Regards Suman B. Singh

    Thursday, August 9, 2012 8:20 AM
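
As a follow-up to item 4 of the answers above, this added batch script (not code from any poster in the thread) gathers the computer-scope gpresult report together with the registry values that show whether loopback processing and software restriction policies are set on the machine. The registry paths are the standard Windows policy locations and are not named in the thread; the report file name is a hypothetical choice. Run it from an administrator command prompt on the target PC.

```bat
@echo off
rem Added example: collect evidence of which policies apply to this computer
rem and whether software restriction is configured. Not from the thread.
setlocal
rem Hypothetical report location; change as needed.
set "OUT=%TEMP%\gp-audit-%COMPUTERNAME%.txt"

echo === Computer-scope resultant policy (gpresult) === > "%OUT%"
rem /scope computer limits the report to computer settings; /v is verbose.
rem The "Applied Group Policy Objects" list names each GPO, including
rem "Local Group Policy" when the local policy is in effect.
gpresult /scope computer /v >> "%OUT%" 2>&1

echo === Loopback processing mode === >> "%OUT%"
rem UserPolicyMode: 1 = Merge, 2 = Replace. Value missing = loopback not set.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v UserPolicyMode >> "%OUT%" 2>&1

echo === Software restriction policy, computer scope === >> "%OUT%"
rem DefaultLevel 0x0 = Disallowed (only listed apps run), 0x40000 = Unrestricted.
rem Key missing = no software restriction policy applied to the computer.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s >> "%OUT%" 2>&1

echo === Software restriction policy, current user scope === >> "%OUT%"
rem Same layout under HKCU when the policy is delivered through User Configuration.
reg query "HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s >> "%OUT%" 2>&1

echo Report written to %OUT%
endlocal
```

If the gpresult section lists only "Local Group Policy" while the CodeIdentifiers key is populated, the restriction was set locally rather than by a domain GPO.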
