Need Advice on Setting Up Precedence GPOs for Removable Media Storage Control


Hi,

Apologies in advance if this is a commonly asked question.

I'm implementing a policy object to restrict the use of removable media (CD/DVD, USB drives, etc.). Specifically, the GPO "deny writes to removable media" policy applies to user accounts, either domain or local (including local admin accounts). Ideally, the policy is linked at the domain root so users firmwide are affected by default.

It handles exceptions via an "allow writes to removable media" policy linked to dedicated groups in each line-of-business OU.

These 'Removable Storage Access' policies are duplicated under both Computer Configuration\Admin Templates\System and User Configuration\Admin Templates\System.

What is the best placement of the "deny writes" and "allow writes" GPOs? Should I link the "deny writes" object to the domain root or to the user containers (or the workstation container instead)?

Also, should the policies be set under Computer Configuration or User Configuration? I know Computer Configuration settings take precedence over User Configuration, and I prefer to enable the settings under Computer Configuration, because if enabled under User Configuration the policy applies to domain user accounts, and a user can log in locally and bypass the policy (esp. if he has admin rights).

I'm at a loss figuring out the best way to implement this. Is it a better idea not to link the "deny writes" GPO to the domain root and instead have separate "deny writes" and "allow writes" groups in each LOB users container, and manage users that way?

Thanks,
Roland Thomas


life motto #1: "live life give damn."

Hi,

If you apply the restriction in Computer Configuration, it is applied to the PCs in the container regardless of the logged-on user. Doing so, you can ensure it is applicable to local admins. But you cannot manage the policy by users; as said, it is applied to the PCs regardless of the logged-on user.

If you apply the restriction in User Configuration, it is applied to users regardless of the computer they use, but it is not applicable to local administrators.

You have to find the best design for your needs. For example, for PCs where you want to restrict local admins, you can create an OU, move the needed computer objects to that OU, and apply a Group Policy with the restriction set in Computer Configuration.

You can also create an OU (or use an existing one) for user accounts that should be restricted regardless of the PC they use, and apply a GPO with the restriction in User Configuration.

You can also use Group Policy filtering for users.

So, in general I mean you have to be flexible and apply a solution to your needs. In this situation there is no one simple solution for everybody.

Strength is in justice
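
Added example, not part of either post: a PowerShell sketch of the computer-side design described in the answer above (a dedicated OU of workstations, a GPO with the restriction in Computer Configuration, and security filtering). The OU path, GPO name and group name are hypothetical placeholders; the registry path and device-class GUIDs are the values the Removable Storage Access template is understood to write, so compare them against a GPO built in the editor before relying on them.

```powershell
# Added example. OU path, GPO name and group name are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName    = 'Deny Writes Removable Media (Computer)'
$TargetOu   = 'OU=Restricted Workstations,DC=example,DC=com'
$ScopeGroup = 'RemovableMedia-DenyWrite-Computers'   # must contain computer accounts

# Registry values behind Computer Configuration > "Removable Storage Access",
# keyed by device class (assumed values, see the note above the block).
$Base    = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$Classes = [ordered]@{
    'Removable disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

$gpo = New-GPO -Name $GpoName -Comment 'Deny write access to removable media'
foreach ($class in $Classes.GetEnumerator()) {
    # Deny_Write = 1 corresponds to "Deny write access: Enabled" for that class.
    Set-GPRegistryValue -Name $GpoName -Key "$Base\$($class.Value)" `
        -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
}

# Only the computer half carries settings, so skip user-side processing.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Security filtering: Authenticated Users keep Read (computers must be able to
# read the GPO) but lose Apply; only members of the scope group apply it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ScopeGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link at the OU that holds the restricted workstations, not at the domain root.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# Review the result before moving computer objects into the OU.
Get-GPO -Name $GpoName | Select-Object DisplayName, GpoStatus
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

On a workstation in the OU, `gpupdate /force` followed by `gpresult /r /scope computer` shows whether the GPO was applied or filtered out. Because the setting is computer-side, it holds for whoever logs on, local administrators included, which is the trade-off the answer describes.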

