Group Policy for complex user groups

Have you seen the GPMC? It’s a pretty sweet tool for managing your Group Policy Objects.

I’ve installed this on all of my domain controllers. Check out the demos at the GPMC website, good stuff.

Today I needed to make a network share for the yearbook staff, 1 faculty and ~12 students. I went ahead and made the folder and hidden share (yearbook$) on their campus file server.

I don’t like messing with security rights, so here’s what I did to manage this access. This is my default way of doing things, because it makes managing changing and complex user permissions and groups very, very simple.
- Made a security group in Active Directory called Yearbook 2006
- Added the faculty member and students to the group
- Gave the group access to the share

(easy so far)

However, I want any member of the yearbook staff to have their Y: drive mapped to \\server\yearbook$ automatically. And I only want to do this once, so next year when I change the members of the security group, the new members will get Y: automatically, and the old members will lose it.
So I open up the Group Policy Management Console and make a new Group Policy Object. This object does one thing: map \\server\yearbook$ to Y: via a logon script.

Here’s the cool part: on the ‘Scope’ tab of the GPO window, there is a box at the bottom called ‘Security Filtering’. Clear it out. The default entry there is Authenticated Users, which is why a GPO normally applies to everyone (as you just saw); with the box empty, the GPO applies to no-one. Now click ‘Add…’ and add only the ‘Yearbook 2006’ group, so only its members can apply this GPO.

Link this GPO to the entire domain (right-click the domain, ‘Link an Existing GPO…’). Now, no matter who is in the Yearbook 2006 group, they will get a Y: drive with all of the yearbook files wherever they log in, even across campuses (if you have the VPN set up to allow this). Everyone else will never see the share or Y:; after all, they don’t need to, so why do it? Keep in mind that the security filter only decides who gets the drive mapping. What actually keeps non-members out of the files is the share and NTFS permissions you granted to the group, so don’t count on the hidden share name or the missing drive letter for that.
Now let’s get crazy.

Additionally, let’s say you only want those select people to have access to Y: when they are in a specific computer lab (say, the yearbook office). No problem. Unlink the GPO from the domain and instead link it to a computer Organizational Unit that contains just the yearbook office machines, leaving the security filtering on the Yearbook 2006 group. One thing to know: a user setting such as a logon script is normally applied based on where the user’s account lives, not where the computer lives, so for this to work you also need to turn on loopback processing for those machines (‘User Group Policy loopback processing mode’ under Computer Configuration > Administrative Templates > System > Group Policy). With loopback on, the GPOs linked to the computer’s OU are applied to whoever logs on there.

Now the yearbook files are available to only the yearbook staff (via Y:), and only when they are in the yearbook office.
It seems pretty complex, but it can be done rather easily in a few minutes in the GPMC. And throw this at your imagination: mapping a drive is just one of a thousand things you can do for users with Group Policy. With these skills, there’s not much that can stand in the way of easy-to-manage, highly granular Group Policy application.
Have fun, and don’t forget to try out your settings on yourself (put yourself in the target group or OU) at least once to see if it works properly…
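The whole procedure above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) instead of GPMC clicks. This is an added example, not the post’s own steps: the example.local domain, the FS01 file server, the OU paths and the user names are assumed. It also spells out two things the clicks hide: the GPO has to stay readable by the computers after you strip Authenticated Users out of the security filter (since MS16-072 in 2016, user settings are read in the computer’s context), and the office-only variant needs loopback processing delivered by a GPO the computers themselves can apply.

```powershell
# Added example (not the post's own steps): build the yearbook share, group, GPO,
# security filtering and links with the RSAT modules. Assumed names: the example.local
# domain, the FS01 file server, the OU paths and the sample logon names.
# Run as a domain admin on a DC or a management host with RSAT installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = 'DC=example,DC=local'
$group     = 'Yearbook 2006'
$groupNt   = "EXAMPLE\$group"
$sharePath = 'D:\Shares\Yearbook'
$gpoName   = 'Map Y - Yearbook'
$labOu     = "OU=Yearbook Office,OU=Workstations,$domainDn"

# 1. One security group holds the staff; next year, membership is the only thing you edit.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path "OU=Groups,$domainDn"
Add-ADGroupMember -Identity $group -Members 'ateacher', 'jsmith'   # sample logon names

# 2. Hidden share, access granted to the group and never to individual users.
#    The NTFS ACL and the share ACL are what gate the files; the drive mapping never does.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
icacls $sharePath /inheritance:r /grant "${groupNt}:(OI)(CI)M" 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'
New-SmbShare -Name 'yearbook$' -Path $sharePath -ChangeAccess $groupNt -FullAccess 'Administrators'

# 3. A GPO whose only job is the logon script that maps Y:. The script goes into the GPO's
#    own SYSVOL folder; then pick it in the GPO editor under
#    User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon.
$gpo = New-GPO -Name $gpoName -Comment 'Maps Y: to \\FS01\yearbook$ for the yearbook staff'
$scriptDir = "\\example.local\SYSVOL\example.local\Policies\{$($gpo.Id)}\User\Scripts\Logon"
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
Set-Content -Path "$scriptDir\MapYearbook.cmd" -Value 'net use Y: \\FS01\yearbook$ /persistent:no'

# 4. Security filtering: Authenticated Users keeps Read but loses Apply; the group gets Apply.
#    Keeping Read matters: since MS16-072 the user half of a GPO is read in the computer's
#    security context, and a GPO the computer cannot read is silently skipped.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply

# 5a. "Wherever they log in": link at the domain root.
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes

# 5b. "Only in the yearbook office": move the link to the lab's computer OU, and turn on
#     loopback (merge mode, UserPolicyMode = 1) with a separate GPO that the lab computers
#     can apply (the mapping GPO above no longer grants Apply to computers).
Remove-GPLink -Name $gpoName -Target $domainDn
New-GPLink -Name $gpoName -Target $labOu -LinkEnabled Yes
$loopName = 'Yearbook Office - Loopback'
New-GPO -Name $loopName -Comment 'Loopback merge mode for the yearbook office machines' | Out-Null
Set-GPRegistryValue -Name $loopName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1
New-GPLink -Name $loopName -Target $labOu -LinkEnabled Yes

# 6. Check who can read and who can apply before you test it on yourself.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

The final Get-GPPermission line is the check worth keeping: you want to see Authenticated Users with GpoRead, the Yearbook 2006 group with GpoApply, and no stray GpoApply entry that would hand the mapping to everyone again.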

4 Responses to “Group Policy for complex user groups”

  1. Although this article won’t have widespread appeal, you know that the people who will find it interesting will be very happy it’s here. Good article Dan :D

  2. that’s kinda my niche market…the search engine traffic :-)

  3. I noticed this morning that Google has begun to index the word “geeklimit”, although it has not indexed us yet. There are about 2 pages of sites which link to us :)

    Couple of things I noticed… I have to type in my name, email and site address every time I post a comment; any way of automating this?

    And what happened to the Cocomment helper bit next to the add comment button?
