
Topic: «Applying Devicelock Permissions to Computers within an AD Group», Computer Security Principles don't seem to work with DL settings.


Tom Harriott



Posts: 27
Joined: 06/15/2007
Hi everyone,

Here is my problem: I have been trying to apply some security settings to a group of laptops, but they are spread out in different OUs, so the policy must be at the domain level.

I have tried adding the computers in question to a security group and giving that group access to the USB port but I'm still being told I don't have permission when I log on as a standard user.

When I log on as a member of IT I am allowed access, though, so it seems to me that the list of users with access to a device class can only be user accounts and not computer accounts?

The reason I want to use the computers in a group is that they are not all in the same OU, so I wish to have a Devicelock group to which I can add computers which are to have access to the USB port.

Many thanks


Tom
Posted: 09/30/2008 14:19:10


Tom Harriott



Posts: 27
Joined: 06/15/2007
I've got round this now.

I've added a top level GPO with the settings I want for the laptops and security filtered it so only they can apply it as a policy.

--EDIT--
and then made sure it was a higher precedence than the DL GPO applying to all the other PCs.



Tom
Posted: 09/30/2008 18:51:47


Roman Gaditskiy
Guest



You can set permissions only to users/groups. So, you should use security settings to make the policy apply to chosen computers.
Posted: 09/30/2008 18:56:06


davidm
Editor



Posts: 77
Joined: 06/30/2006
DeviceLock is technically a "computer policy", and as such a GP implementation will work at the domain or OU container levels. If you know the names of the laptops, you can "include" those at the domain or OU policy level to only affect those computers, which it sounds like you accomplished.

"Groups" are only for user accounts and other nested group accounts, and not for computer objects. User/Group access parameters are handled within the DL policy Permission Lists by Port or Device Type.
Posted: 11/05/2008 02:55:47
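
The approach settled on in this thread (a domain-level GPO, security filtered to the laptops, with higher precedence than the general DeviceLock GPO) can be scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not code from any poster or from DeviceLock; the domain, group, GPO and computer names are placeholders, and it assumes the general DeviceLock GPO is also linked at the domain root.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = 'DC=example,DC=com'            # placeholder domain
$GroupName = 'DL-USB-Laptops'               # hypothetical group of laptop computer accounts
$LaptopGpo = 'DeviceLock - Laptop USB'      # hypothetical GPO holding the laptop settings
$Laptops   = 'LAPTOP-001', 'LAPTOP-002'     # constructed sample computer names

# 1. Put the laptop computer accounts in one security group, whatever OU they live in.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$DomainDN"
$members = $Laptops | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $members

# 2. Create the GPO. The DeviceLock settings themselves are still edited
#    in the Group Policy editor; this script only handles scoping.
New-GPO -Name $LaptopGpo | Out-Null

# 3. Security filtering: only the laptop group may apply the GPO.
#    Authenticated Users is reduced to Read rather than removed, because
#    computers must still be able to read a GPO to evaluate it.
Set-GPPermission -Name $LaptopGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $LaptopGpo -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link at the domain root with link order 1 so it wins over the other
#    domain-level link (the general DeviceLock GPO).
New-GPLink -Name $LaptopGpo -Target $DomainDN -LinkEnabled Yes -Order 1 | Out-Null

# 5. Verify: link order at the domain root, then who can read/apply the GPO.
(Get-GPInheritance -Target $DomainDN).GpoLinks |
    Sort-Object Order | Format-Table Order, DisplayName, Enabled
Get-GPPermission -Name $LaptopGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A laptop picks up its new group membership only after a restart, so the filtered GPO will not apply until then. Link order at the domain root only decides between domain-level links; a GPO linked at an OU closer to the computer still takes precedence unless the domain link is enforced.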
