I'm trying to define the GPOs on my new AD domain, and I'm a little confused.
I've never worked with AD, but I've extensively used MLGPO, where I can explicitly apply GPOs to users/groups.

Two examples of my confusion.

1) I've set up password policies (8 chars, 5-row password history, ...), and this is a ''computer'' policy, that applies... to computers. ;-) But... is there some way to have a domain computer policy apply only to... domain users, and not local ones?!

2) I've also set up a user policy, e.g., the profile (enabled and set a quota). This also seems to apply to all users, also local ones.

For that I've found (many!) articles like this:

http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/

and so it seems to me that 'Authenticated User' applies to all users, also local ones.

Is it safe to remove policy 'apply' for 'Authenticated User' and add an ACL for, e.g., the 'Domain Users' group? Or am I really missing something?!

Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

On Mon, 5 Mar 2018 12:52:52 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> I'm trying to define the GPOs on my new AD domain, and I'm a little
> confused.
> I've never worked with AD, but I've extensively used MLGPO, where I
> can explicitly apply GPOs to users/groups.
>
> Two examples of my confusion.
>
> 1) I've set up password policies (8 chars, 5-row password history,
> ...), and this is a ''computer'' policy, that applies... to
> computers. ;-) But... is there some way to have a domain computer policy
> apply only to... domain users, and not local ones?!

All your domain users will be members of Domain Users, any 'local users' will be just that, local users and as such, not part of the domain, so domain GPOs will not apply to them.

> 2) I've also set up a user policy, e.g., the profile (enabled and set a
> quota). This also seems to apply to all users, also local ones.

If a GPO applies to your 'local users', they are not local users, they are domain users.

> For that I've found (many!) articles like this:
>
> http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/
>
> and so it seems to me that 'Authenticated User' applies to all users, also
> local ones.
>
> Is it safe to remove policy 'apply' for 'Authenticated User' and add an
> ACL for, e.g., the 'Domain Users' group? Or am I really missing something?!

You probably could, but all 'Authenticated Users' will be domain members and as such will also be members of the 'Domain Users' group, so why bother.

I feel that you haven't explained your set up very well, especially your 'local users'.

Rowland

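The security-filtering change asked about above, as an added example that is not part of the original thread: it moves 'Apply' on a user-settings GPO from 'Authenticated Users' to 'Domain Users' while keeping Read in place. The GPO name is hypothetical, and the script assumes the RSAT GroupPolicy module on a domain-joined admin workstation (using it against a Samba AD DC is an assumption).

```powershell
# Added example, not from the thread.
# Assumes the RSAT GroupPolicy module and an account allowed to edit the GPO.
Import-Module GroupPolicy

$GpoName = 'User Profile Quota'   # hypothetical GPO name
$Target  = 'Domain Users'         # group that should receive the settings

function Show-GpoFilter {
    param([string]$Name)
    # List every trustee on the GPO together with its permission level.
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

# Record the current delegation so the change can be reviewed or reverted.
Write-Host 'Before:'
Show-GpoFilter -Name $GpoName | Format-Table -AutoSize

# Lower Authenticated Users from "Read + Apply" to "Read".
# -Replace is needed because the new level is below the existing one.
# Read is kept on purpose: patched Windows clients fetch user policy in the
# computer's security context, so computer accounts must still be able to
# read the GPO or it silently stops applying.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Grant "Read + Apply" to the group that should actually get the settings.
Set-GPPermission -Name $GpoName -TargetName $Target `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify the result instead of trusting the two calls above.
$auth = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group
$dom  = Get-GPPermission -Name $GpoName -TargetName $Target -TargetType Group
if ($auth.Permission -ne 'GpoRead') {
    Write-Warning "Authenticated Users is '$($auth.Permission)', expected GpoRead"
}
if ($dom.Permission -ne 'GpoApply') {
    Write-Warning "$Target is '$($dom.Permission)', expected GpoApply"
}

Write-Host 'After:'
Show-GpoFilter -Name $GpoName | Format-Table -AutoSize
```

Running `gpresult /r` as a domain user on a client after the next policy refresh shows whether the GPO is still listed under the applied user policies.
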
Hello! Rowland Penny via samba
  On that day it was said...

> You probably could, but all 'Authenticated Users' will be domain
> members and as such will also be members of the 'Domain Users' group,
> so why bother.

No. But wait... AHA!

Sorry to the list, sorry Rowland: I've two policies, one that sets profile quota (user-based), and one that sets profile path (computer-based).
Effectively the computer-based policy applies also to local users, so local users get a ''roaming'' profile set (that clearly does not work) but no quota, as expected.

So, simply a question remains: is there some way to set a computer policy based on users?
Probably the answer is 'no', and this leads as a consequence that it is better for profiles to be defined in user data and not in policies...

> I feel that you haven't explained your set up very well, especially
> your 'local users'.

Oh, a local user, for example:

    net user ospite ospite /fullname:"Utente Ospite" /comment:"Utente ospite sicuro" /passwordchg:no /expires:never
    wmic USERACCOUNT WHERE "Name='ospite'" SET PasswordExpires=FALSE

('ospite' means 'guest' in Italian).

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66