Greedy greedy. You want everything, and from Microsoft. This has been possible within Zenworks for years and I've used it as such. Now that I'm moving to AD I'm adjusting to the methods other folks in the thread suggested. Of course you could go out and get Zenworks, but that would be pretty expensive for what you want to do. A little off-topic but sometimes other vendors' products support the methods to suit your business better than the Microsoft model and you may need to look around.
>>> Ben Scott <mailvor...@gmail.com> 8/3/2009 7:45 PM >>>

Since I'm apparently not explaining this very well, let me emphasize:

*** I ALREADY KNOW HOW TO DO THIS WITH GPO PERMISSIONS. *** :-)

I am/was trying to explain a concept for a better way.

On Mon, Aug 3, 2009 at 7:16 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> I put all of my service accounts in a separate OU.

We do the same here. Although in this case, these aren't service accounts. They're special role accounts used for interactive logon to various computers. Those computers run application-specific software to do things like acquire data from test equipment, or provide the UI for manufacturing equipment, or whatever. The log-off scripts do things like clean up files, run backups, close down processes cleanly, etc. Most of it is needed due to brain damage in vendor systems. There's a lot of that out there, as I'm sure you're aware.

> I suspect - we aren't using GPOs here, really - that assigning
> them to the OU, then limiting them by individual users, or
> by groups with single users in them, as he is implying,
> will do exactly what you want.

You don't even need the groups; it works for individual users, as you suggest. You just create the GPO, linked to the OU the account object is in, remove the default ACE which "allows" <Apply Group Policy> for the <Everyone> subject, then add an ACE to "allow" <Apply Group Policy>, with the subject being the user account in question.

It would be cleaner and easier to do if every user object could just have a GPO associated with it directly. This would be analogous to how every machine has a GPO of its own. Suppose a button in the user properties dialog to edit the GPO for that user.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

Confidentiality Notice: This e-mail message, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
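The security-filtering procedure Ben describes (link a GPO to the OU holding the account object, strip the default "Apply Group Policy" ACE, grant Apply to the one account) as an added PowerShell example using the GroupPolicy module that ships with RSAT / Server 2008 R2 and later. This is not code from the thread; the GPO name, OU distinguished name and account name are placeholders. Two points a practitioner should know: the default Apply ACE is on Authenticated Users rather than Everyone, and since the MS16-072 update (June 2016) user-side policy is read under the computer account's security context, so Authenticated Users (which includes computer accounts) must keep Read on the GPO or it silently stops applying. The script therefore downgrades Authenticated Users to Read instead of removing the trustee outright.

```powershell
# Added example: target a GPO at a single interactive role account via security filtering.
# All three values below are hypothetical placeholders, not taken from the thread.
Import-Module GroupPolicy

$GpoName  = 'RoleAccount-TestBench-Logoff'          # hypothetical GPO name
$TargetOu = 'OU=Role Accounts,DC=example,DC=com'    # hypothetical OU holding the user object
$RoleUser = 'testbench-op'                          # hypothetical sAMAccountName of the role account

# 1. Create the GPO (if needed) and link it to the OU that contains the account object.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# 2. Remove "Apply Group Policy" from the default trustee but keep Read.
#    -Replace is required to lower an existing permission level; without it the
#    cmdlet only adds rights. Keeping GpoRead is what MS16-072 needs: the computer
#    account (a member of Authenticated Users) must still be able to read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 3. Grant Read + Apply to the one role account. GpoApply implies GpoRead.
Set-GPPermission -Name $GpoName -TargetName $RoleUser -TargetType User -PermissionLevel GpoApply

# 4. Verify: exactly one trustee should hold GpoApply, and it should be the role account.
$apply = @(Get-GPPermission -Name $GpoName -All | Where-Object { $_.Permission -eq 'GpoApply' })
$apply | Format-Table Trustee, TrusteeType, Permission -AutoSize
if ($apply.Count -ne 1 -or $apply[0].Trustee.Name -ne $RoleUser) {
    Write-Warning "Unexpected Apply trustees on '$GpoName'; expected only $RoleUser"
}
```

To confirm the result from the client side, log on to one of the affected machines as the role account and run `gpresult /r /scope user`; the GPO should be listed under "Applied Group Policy Objects" for that account and under "filtered out (Security)" for any other user on the same machine.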