Is this possible with GPO? If so, How??

-

at company adding child domain segment of our network host our retail pos systems.  our corporate domain mycompany.com, adding retail.mycompany.com.  because retail domain spread out on 300+ locations across 2 states, have need "lock these machines down". 

when store employee logs on 1 of these machines want them see type of environment.  things like:  no bitmap wallpaper, default windows blue background, restricted start menu, no run command, classic shell, classic start menu, limited access in windows explorer..etc..  have part working (so far).

when store has problems, call our support line , our support team can remote location , troubleshoot problems.  guess 8 out of 10 times standard store employee account (a standard user account)  have privileges necessary perform support duty (e.g. ctrl+alt+del , kill process, run 3rd party app clears out log files..etc) - 

the other 2 times, tech support team need ability start / stop service or add / delete printer / install new software, perform tasks require elevated level of privilege. 

because of compliance issues (and best practice), cannot have shared user account / passwords segment of network.  solution set parent-child domain structure.  there group on parent domain added group on child domain placed in local admin group on our pos systems (via restricted groups).  

my question - how can use gpo modify "locked down" environment when in support group logs on pos?  admin user not exist in child domain, exists in parent domain.  in addition, when admin user logs in, select mycompany domain, not retail domain.  possible?

at first thinking if created "user" gpo on retail domain, , scoped members of support group, apply.  realized logging on parent domain.  want create gpo apply when user support group logs on pos system in retail domain.  don't want force environment when admin user logs on own workstation.

 

is possible, in advance direction.  sorry long post, wanted give background.

 

sb

 

no, you're correct. best practice admins have regular account used when logging own workstation , elevated permission account used admin functions. perhaps time introduce latter.

 

if that's not option, can use wmi filter on gpo check domain membership (or other wmi exposed property). filter like ("select * win32_computersystem domain = 'name'").

 

thanks,

guy



Windows Server  >  Group Policy



Comments

Post a Comment

Popular posts from this blog

DCOM received error "2147746132" from...

-
hi everybody, i have dc (my windows essentials 2012 server) , windows 2012 server in network.  the windows server 2012 inside domain. on server, got "non stopping" error says in event logs : ===> dcom received error "2147746132" fromd computer xxxx(my dc computer) while server trying activation : {6df8cb71-153b-4c66-8fc4-e59301b8011b} it never stops, got 11000+ new events :s i found : http://support.microsoft.com/kb/971153/fr i'm not sure should ? does got idea ? matthieu. hi, please try solution mentioned in below link: http://www.eventid.net/display-eventid-10006-source-dcom-eventno-272-phase-1.htm regards, cicely Windows Server  >  Windows Server 2012 General ...
Read more

ADFS 3.0 Event ID 4625 | An Error occurred During Logon | Status: 0xC000035B

-
we're getting these random errors on our adfs security logs, how can track down generating them? an account failed log on. subject: security id: null sid account name: - account domain: - logon id: 0x0 logon type: 3 account logon failed: security id: null sid account name: account domain: failure information: failure reason: an error occured during logon. status: 0xc000035b sub status: 0x0 process information: caller process id: 0x0 caller process name: - network information: workstation name: - source network address: - source port: - detailed authentication information: logon process: kerberos authentication package: kerberos transited services: - package name (ntlm only): - key length: 0 event generated when logon request fails. generated on computer access attempted. subject fields indicate account on local system requested logon. commonly service such server service, or local process such ...
Read more

DFSR RPC replication errors 5014 1726 with large files over VPN

-
i have similar issue ryan in reply http://social.technet.microsoft.com/forums/en-gb/winserverfiles/thread/6d49fd71-2236-4fcb-9763-bf1c03459ee8 cited below. start additional thread here because other 1 related windows server 2003 (r2) , i'm (as ryan) on windows 2008 r2 x64. here first of post ryan: i've got same problem on 2008 r2 dfsr server.  the spoke server has 2x intel 1 gigb on-board nics in active/standby teamed configuration. the hub server (running on vmware using 10gbit vmnet3 nic driver) logs dfsr event 5014 every 2-15mins (usually around 5mins). the spoke server not log event. replication running slowly. initial sync/replication. had re-configure replication folder because of lost dfsr database on spoke server.  could teamed nic on spoke causing error on host? a note: last time did initial sync on folder processed @ 30k files , hour. time it's doing few hundred and hour. another note: hub server has several replication groups , conne...
Read more