Scope of Group Policy according to group membership
hello,
here description of problem (in ad 2008 r2 environment):
- create gpo (enabling : computer configuration/policies/windows settings/security settings/local policies/security options/"interactive logon: require smartcard")
- when add domain group "authenticated users" in scope/security filetring : have expected behaviour (for users) right after runing "gpupdate /force" on local computer
- if add "mygroup" (a global security group - containing "myuser" member) instead : don't have expected behaviour "myuser" (after runing "gpupdate /force" on local computer, or after more 90 minutes , restarting computer)
p.s. : tried both settings : enforced , non enforced, , link order before or after default domain policy
can me please ?
thanks !
am 02.04.2010 13:38, schrieb slikevin:
> - create gpo (enabling : computer
> configuration/policies/windows settings/security settings/local
> policies/security options/"interactive logon: require smartcard")
>
> - when add domain group "authenticated users" in scope/security
> filetring : have expected behaviour (for users) right
> after runing "gpupdate /force" on local computer
>
> - if add "mygroup" (a global security group - containing "myuser" a
> member) instead : don't have expected behaviour "myuser"
> (after runing "gpupdate /force" on local computer, or after
> more 90 minutes , restarting computer)
>
> p.s. : tried both settings : enforced , non enforced, , link
> order before or after default domain policy
i guess boils down 2 things aren't aware of right now:
(1) we're talking computer configuration policy here
(2) "authenticated users" includes both authenticated users ,
computers (computers users, :-).
so, starts, should go apply policy ou holds
computer accounts in computers apply "computer
configuration" settings. linking policy ou full of users won't
work. that'll make sure that, interactive logons, users need
provide smart cards.
next, want achieve? have selective
users log on through smart cards?
cheers,
florian
microsoft mvp - group policy (http://www.frickelsoft.net/blog)
Windows Server > Group Policy
Comments
Post a Comment