Hey, Ben

I thought about this for a while, and although I initially thought it would
be useful, it seems like it would make it harder to find GPOs that are being
applied without running RSOP all the time.

Either way, it probably couldn't hurt to ask for it...   I'm kind of partial
to GPO Permissions, myself.

-ASB
-------
http://Home.ASBzone.com/ASB/
http://www.linkedin.com/in/AndrewBaker
-------



On Mon, Aug 3, 2009 at 7:45 PM, Ben Scott <mailvor...@gmail.com> wrote:

>  Since I'm apparently not explaining this very well, let me emphasize:
>
> *** I ALREADY KNOW HOW TO DO THIS WITH GPO PERMISSIONS. ***
>
>  :-)
>
>  I am/was trying to explain a concept for a better way.
>
> On Mon, Aug 3, 2009 at 7:16 PM, Kurt Buff<kurt.b...@gmail.com> wrote:
> > I put all of my service accounts in a separate OU.
>
>   We do the same here.  Although in this case, these aren't service
> accounts.  They're special role accounts used for interactive logon to
> various computers.  Those computers run application-specific software
> to do things like acquire data from test equipment, or provide the UI
> for manufacturing equipment, or whatever.  The log off scripts do
> things like clean up files, run backups, close down processes cleanly,
> etc.  Most of it is needed due to brain damage in vendor systems.
> There's a lot of that out there, as I'm sure you're aware.
>
> > I suspect - we aren't using GPOs here, really - that assigning
> > them to the OU, then limiting them by individual users, or
> > by groups with single users in them, as he is implying,
> > will do exactly what you want.
>
>   You don't even need the groups; it works for individual users, as
> you suggest.  You just create the GPO, linked to the OU the account
> object is in, remove the default ACE which "allows" <Apply Group
> Policy> for the <Everyone> subject, then add an ACE to "allow" <Apply
> Group Policy>, with the subject being the user account in question.
>
>  It would be cleaner and easier to do if every user object could just
> have a GPO associated with it directly.  This would be analogous to
> how every machine has a GPO of its own.  Suppose a button in the user
> properties dialog to edit the GPO for that user.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
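The security-filtering steps described in the quoted message, plus an inventory of which GPOs are filtered to individual users, as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module (RSAT) and that the GPO's default Apply ACE is held by Authenticated Users; the GPO name, OU and account name are constructed placeholders.

```powershell
# Added example: all names below are constructed placeholders, not from the thread.
Import-Module GroupPolicy

$GpoName = 'Logoff - TestStation01'                 # hypothetical GPO name
$OuDn    = 'OU=Role Accounts,DC=example,DC=com'     # hypothetical OU holding the account
$Account = 'teststation01'                          # hypothetical role account

# 1. Create the GPO and link it to the OU the account object is in.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $OuDn | Out-Null

# 2. Take Apply away from the default principal. -Replace is needed to lower an
#    existing permission level. Read is kept rather than removing the ACE: since
#    MS16-072, user policy is retrieved in the computer's security context, so
#    the computer account still has to be able to read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Allow Apply Group Policy for the one account only.
Set-GPPermission -Name $GpoName -TargetName $Account `
    -TargetType User -PermissionLevel GpoApply | Out-Null

# 4. Inventory: list every GPO in the domain that grants Apply directly to a
#    user object, so per-user filtering can be found without running RSOP.
function Get-UserFilteredGpo {
    Get-GPO -All | ForEach-Object {
        $gpo = $_
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' -and
                           $_.Trustee.SidType -eq 'User' } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo       = $gpo.DisplayName
                    AppliesTo = $_.Trustee.Name
                }
            }
    }
}

Get-UserFilteredGpo | Sort-Object AppliesTo, Gpo
```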
